Standards of Fieldwork (“PIE”)
Internal Control
The auditor must obtain a sufficient
understanding of the entity and its environment,
including its internal control, to assess the risk of
material misstatement of the financial
statements whether due to fraud or error, and to
design the nature, timing, and extent of further
audit procedures.
Clarified Standards: Performance Principle
To obtain reasonable assurance, which is a high, but not absolute, level of assurance, the auditor:
+ Plans the work and properly supervises any assistants
+ Determines and applies appropriate materiality level(s)
+ Identifies and assesses risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity's internal control
+ Obtains sufficient appropriate audit evidence about whether material misstatements exist
Obtain an Understanding of I/C
Basic responsibility — the auditor must obtain a “sufficient understanding” of internal
control to properly plan the audit (specifically,
“Transaction Cycles”
Definition — “a group of fairly homogeneous transactions”
Specific transaction cycles (this is the focus of
a separate section of the course materials):
+ Revenue/receipts
+ Expenditure/disbursements
+ Payroll
+ Others: manufacturing inventory, f assets, and financing/investing activities
Documenting the Auditor’s Understanding of Internal Control
Basic Responsibility — auditors must
document their understanding of internal
control relevant to audit planning.
There are 3 ways to document that:
1. Flowcharts of major transaction cycles
2. Internal control questionnaires (ICQs)
3. Narrative write-ups (memos)
“Walk through” — feedback, not evidence
Internal Control Concepts 1
I. Review Phase
The auditor should obtain an initial understanding of internal controls and document that understanding.
A. The auditor obtains an understanding of internal control and the flow of documents related to the
entity's transactions primarily through:
1. Inquiry of appropriate personnel;
2. Observation of client activities;
3. Review of documentation -- The auditor reviews relevant documentation, including the client's
accounting manuals, prior-year's audit documentation (working papers), etc.
B. The auditor's internal control analysis tends to focus on the entity's major transaction cycles.
C. "Transaction cycle" -- Defined to be a group of essentially homogeneous transactions, that is,
transactions of the same type.
D. Implication -- A specific transaction cycle is the highest level of aggregation about which meaningful
generalizations of control risk can be made, since control risk is constant within that transaction cycle. Each
transaction within a specific transaction cycle is captured, processed, and recorded subject to the same set
of internal control policies and procedures.
E. Examples of typical transaction cycles -- Typical examples include the following:
1. Revenue/receipts;
2. Expenditures/disbursements;
3. Payroll;
4. Financing/investing activities; and
5. Inventory, especially if inventory is manufactured, rather than purchased.
F. Document the auditor's understanding -- The auditor should document that understanding of internal
control. The extensiveness of the review and documentation varies with the circumstances (e.g., the
emphasis on understanding internal controls increases if reliance on internal control is planned):
1. Flow charts of transaction cycles -- A graphical depiction of the client's accounting systems for
major categories of transactions with emphasis on the origination, processing, and distribution of
important underlying accounting documents.
a. Advantages -- A fairly systematic approach that is unlikely to overlook important
considerations; tailored to client-specific circumstances; fairly easy for others to review and
understand; and fairly easy to update from year to year.
b. Disadvantages -- Can be rather tedious and time consuming to prepare initially although
available commercial software today may eliminate much of that difficulty; the auditor might
fail to recognize relevant internal control deficiencies by getting too absorbed in the details of
documenting the client's system.
[Flowchart symbols not reproduced: computer operation/process; document; off-line storage (e.g., filing)]
2. Internal control questionnaires (ICQs) -- Questionnaires consisting of a listing of questions
about client's control procedures and activities; a "no" answer is usually designed to indicate a
control weakness.
a. Advantages -- Generic questionnaires can be prepared in advance for clients in various
industry categories with every conceivable question, so that no important question related to
controls is likely to be omitted; deficiencies are easily identified by a client's "no" response to
any question.
b. Disadvantages -- Generic questionnaires are not tailored to client-specific circumstances
and irrelevant questions are annoying to client personnel; the client personnel responding to
the checklist of questions may conceal deficiencies by inaccurate answers without the
auditor's knowledge.
3. Narrative write-ups -- A written memo describing the important control-related activities in the
transaction cycles under consideration.
a. Advantages -- Memos can be tailored to a client's unique circumstances, can be as detailed
or general as desired, and are relatively easy to prepare (and easy for reviewers to read).
b. Disadvantages -- It is relatively easy to overlook relevant internal control issues (strengths
or weaknesses) because the analysis is fairly unstructured.
G. Perform a “walkthrough” -- The auditor may select a few transactions to trace them through the
client's accounting system. The purpose is merely to get some feedback as to whether the auditor has
accurately understood (and documented) the way the client entity is processing transactions. The
walkthrough is not considered “evidence” or a form of documentation and should not be confused with
“tests of control.”
Flashcards
Flashcard #1 (F¢7250)
What is the purpose of performing a walkthrough?
Obtain some feedback as to whether the way the auditor
has understood (and documented) the entity's internal
controls is consistent with the way the entity is actually
processing such transactions.
Flashcard #2 (Fc0490)
Define transaction cycle.
A group of essentially homogeneous transactions, that is,
transactions of the same basic type.
Flashcard #3 (Fco4s9)
List the disadvantages of narratives (memos) to document
the auditor's understanding of internal controls.
1. Writing such a memo is rather unstructured,
lacking a systematic approach;
2. It may be rather easy to overlook relevant internal
control issues.
Flashcard #4 (Fcoass)
List the advantages of narratives (memos) to document
the auditor's understanding of internal controls.
Tailored to client;
Can be as detailed or as general as desired;
Easy to prepare;
Easy to read.
Flashcard #5 (Fc0487)
List the disadvantages of Internal Control Questionnaires
(ICQs) to document the auditor's understanding of internal
controls.
1. These are generic and not tailored to any client
specifically;
2. Irrelevant questions may annoy clients;
3. Client might conceal deficiencies by incorrect
answers.
Flashcard #6 (Fco486)
List the advantages of Internal Control Questionnaires
(ICQs) to document the auditor's understanding of internal
controls.
1. Can have a standard form for many clients;
2. Deficiencies are easily indicated by "no" answers.
Flashcard #7 (Fcoas5)
List the disadvantages of flowcharts to document the
auditor's understanding of internal controls.
1. Tedious and time consuming to initially prepare;
2. Might fail to recognize deficiencies by getting overly
absorbed in details.
Flashcard #8 (Fcoas4)
List the advantages of using flowcharts to document the
auditor's understanding of internal controls.
1. Systematic approach with emphasis on important
accounting records
2. Tailored to client
3. Fairly easy for others to review and understand
4. Easy to update from year to year.
Flashcard #9 (Fco4s3)
Identify 3 ways auditors might document their
understanding of internal controls?
1. Flowcharts of transaction cycles;
2. Internal control questionnaires;
3. Narrative write-ups (memos).
Flashcard #10 (Fco4s2)
Identify 3 procedures an auditor might perform to obtain
an understanding of internal controls?
1. Inquiry of appropriate personnel
2. Observation of client's activities
3. Review entity's documentation of internal controls.
Proficiency Questions
Question #1 (290209)
An advantage of preparing flow charts of transaction cycles relative to preparing written memoranda is
that flow charts by nature are less likely to permit overlooking important internal control considerations.
True
False
Question #2 (90910)
A disadvantage of preparing written memoranda relative to using flow charts to document the auditor's
understanding of internal control is that such memoranda may be more difficult for supervisors to
review.
True
False
Question #3 (ra0911)
The primary purpose for obtaining an understanding of internal control is to determine the nature,
timing, and extent of further audit procedures, including tests of control and substantive procedures.
True
False
Question #4 (200910)
Management is responsible for designing and implementing the system of internal control.
True
False
Question #5 (200905)
The auditor primarily obtains the required understanding of internal control by performing tests of
control.
True
False
Question #6 (200907)
The auditor can appropriately document the understanding of internal control by using flow charts of
transaction cycles, completing internal control questionnaires, or by preparing written memoranda.
True
False
Question #7 (290%)
An advantage of preparing flow charts of transaction cycles relative to using internal control
questionnaires is that the flow charts are tailored to client-specific circumstances.
True
False
Past Exam Questions
Question #1 (aicpa.ss110sau0-Av)
Which of the following is a management control method that most likely could improve management's
ability to supervise company activities effectively?
A. Monitoring compliance with internal control requirements imposed by regulatory bodies.
B. Limiting direct access to assets by physical segregation and protective devices.
C. Establishing budgets and forecasts to identify variances from expectations.
D. Supporting employees with the resources necessary to discharge their responsibilities.
Question #2 (aicea.950s24auo-au)
The primary objective of procedures performed to obtain an understanding of the internal control
structure is to provide an auditor with
A. Knowledge necessary for audit planning.
B. Evidential matter to use in assessing inherent risk.
C. A basis for modifying tests of controls.
D. An evaluation of the consistency of application of management's policies.
Question #3 (aicea.s41115auD-AU)
Which of the following documentation is not required for an audit in accordance with generally accepted
auditing standards?
A. A written audit plan setting forth the evidence gathering procedures necessary to accomplish the audit's
objectives.
B. An indication that the accounting records agree or reconcile with the financial statements.
C. A flowchart of each major transaction cycle documenting the origination and processing of important
accounting records.
D. A client engagement letter that summarizes the timing of the auditor's planned field work and identifies
the respective responsibilities of the auditor and the entity's management, among other matters.
Question #4 (aicra.s40s21auo-av)
When obtaining an understanding of an entity's internal control procedures, an auditor should
concentrate on the substance of the procedures, rather than their form, because
A. The procedures may be operating effectively but may not be documented.
B. Management may establish appropriate procedures but not enforce compliance with them.
C. The procedures may be so inappropriate that no reliance is contemplated by the auditor.
D. Management may implement procedures whose costs exceed their benefits.
Question #5 (aicra.s40518au0-au)
An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the
auditor's
A. Assessment of control risk.
B. Identification of weaknesses in the system.
C. Assessment of the control environment's effectiveness.
D. Understanding of the system.
Question #6 (aicra.sa1116au0-Av)
An advantage of using systems flowcharts to document information about internal control, instead of
using internal control questionnaires, is that systems flowcharts
A. Identify internal control weaknesses more prominently.
B. Provide a visual depiction of clients’ activities.
C. Indicate whether control procedures are operating effectively.
D. Reduce the need to observe clients' employees performing routine tasks.
Question #7 (aicra.s20555AUD-AU)
Decision tables differ from program flowcharts in that decision tables emphasize
A. Ease of manageability for complex programs.
B. Logical relationships among conditions and actions.
C. Cost benefit factors justifying the program.
D. The sequence in which operations are performed.
Question #8 (aicpa.so114sau0-Av)
In planning an audit of certain accounts, an auditor may conclude that specific procedures used to obtain
an understanding of an entity's internal control structure need not be included because of the auditor's
judgments about materiality and assessments of
A. Control risk.
B. Detection risk.
C. Sampling risk.
D. Inherent risk.
Question #9 (aicea.s011430u0-Av)
An auditor's primary consideration regarding an entity's internal control structure policies and
procedures is whether they
A. Prevent management override.
B. Relate to the control environment.
C. Reflect management's philosophy and operating style.
D. Affect the financial statement assertions.
Question #10 (aicra.:207070U0)
Obtaining an understanding of an internal control involves evaluating the design of the control and
determining whether the control has been
A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.
Proficiency Question Answers
Question #1: True
Question #2: False
Question #3: True
Question #4: True
Question #5: False
Question #6: True
Question #7: True
Past Exam Question Answers
Question #1 (aicea.s51106AuD-AU)
A. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more
effectively than the other controls listed. It provides a means for management to establish expectations, to compare
them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with
regulatory requirements, limiting access to assets, and providing adequate support are important to the successful
operation of the business but they do not necessarily help management to supervise more effectively.
B. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more
effectively than the other controls listed. It provides a means for management to establish expectations, to compare
them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with
regulatory requirements, limiting access to assets, and providing adequate support are important to the successful
operation of the business but they do not necessarily help management to supervise more effectively.
C. (Correct!) The use of budgets and forecasts to compare planned and actual results will enable management to
supervise more effectively than the other controls listed. It provides a means for management to establish expectations,
to compare them to actual results, and then to follow up in areas where significant differences appeared. Monitoring
compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the
successful operation of the business but they do not necessarily help management to supervise more effectively.
D. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more
effectively than the other controls listed. It provides a means for management to establish expectations, to compare
them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with
regulatory requirements, limiting access to assets, and providing adequate support are important to the successful
operation of the business but they do not necessarily help management to supervise more effectively.
Question #2 (aicea.s50sz4auo-av)
A. (Correct!) The auditor is required to gain a sufficient understanding of the entity and its environment, including the
internal control structure in order to determine the nature, timing, and extent of the tests to be performed. In reviewing
internal control, the auditor first considers the design of controls relevant to a financial statement audit and whether such
controls are in operation. Control risk is then assessed for the various financial statement assertions. Based upon the
understanding of the internal control and the assessed control risk, the auditor can determine the auditing procedures to
be performed.
B. Obtaining an understanding of internal control provides an auditor with information relevant to assessing control risk,
not inherent risk. Inherent risk is the susceptibility of an assertion to a material misstatement, without considering
internal controls. It would be assessed by examining such factors as the nature of the account, technological
developments, and the state of the industry.
C. Tests of controls are performed in order to support a reduction in assessed control risk. While the specific tests of
controls to be performed would be based at least in part upon an initial understanding of the internal control structure,
the primary objective of performing procedures to gain an understanding would not be to provide a basis for modifying
tests of controls.
D. The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor
with the knowledge necessary for audit planning. They would not provide an evaluation of the consistency of application
of management's policies. Such an evaluation would be obtained via the performance of tests of controls. Further, the
auditor would only be concerned with those management policies (internal controls) that were relevant to a financial
statement audit.
Question #3 (aicpa.ss1115av0-Au)
A. A written audit program (referred to as the audit plan) is required by GAAS.
B. The auditor must document the reconciliation or agreement of the accounting records with the financial statements.
C. (Correct!) Auditors are required to document their understanding of the entity's internal control. However, there are
several ways that understanding might be documented and the auditor is not limited to the preparation of flowcharts.
D. The auditor is required to establish a written understanding with the client regarding the services to be performed for
the audit engagement.
Question #4 (aicpr.ssosz1avo-Av)
A. The auditor is concerned about the effectiveness of the control and its ability to prevent or detect material
misstatements in the financial statements. If the procedures are operating effectively, even though they are not
documented, the auditor's objectives are served. Note, however, that if the controls are not documented, the auditor may
be unaware of them.
B. (Correct!) Internal controls may have been placed in operation, yet may not be effective because they are not
properly acted upon. The auditor is concerned about the effectiveness of the control and its ability to prevent or detect
material misstatements in the financial statements. As a result, the auditor must focus on the substance of the control
rather than the form.
C. The auditor needs to obtain an understanding of the internal control system in order to plan the audit. In gaining the
understanding, the auditor will determine which procedures are relevant to specific financial statement assertions (i.e.,
are appropriate) and will consider whether to rely on such procedures. The auditor does not gain an understanding
because some procedures are inappropriate but in order to determine whether they are appropriate.
D. The auditor is not specifically concerned as to whether the costs of implemented procedures exceed their benefits.
Rather the auditor is required to gain an understanding of the internal controls in order to plan the audit. If the auditor
believes that the costs of certain controls exceed their benefits, recommendations pertaining to those controls may be
made in the management letter.
Question #5 (aicpa.ssosisauo-av)
A. The auditor's assessment of control risk is a judgment call that would not customarily be pictorially presented in a
flowchart. The auditor must document the basis for his/her conclusions about the assessed level of control risk. The
nature and extent of such documentation are dependent upon the entity, its control structure, and the control
assessment.
B. A flowchart is a pictorial representation that utilizes a standard set of symbols to demonstrate the transaction
processing procedures and accompanying data flow in an information system. It enables the auditor to summarize his/her
understanding of the system in a clear, concise, and logical manner. While it allows the auditor to identify weaknesses in
the system, such identification would not be the primary purpose of the flowchart.
C. The auditor's assessment of the control environment’s effectiveness is a judgment call that would not customarily be
pictorially presented in a flowchart. The auditor must document the basis for his/her conclusions about the effectiveness
of the control environment and the related assessment of control risk. The nature and extent of such documentation are
dependent upon the entity, its control structure, and the control assessment.
D. (Correct!) A flowchart is a pictorial representation that utilizes a standard set of symbols to demonstrate the
transaction processing procedures and accompanying data flow in an information system. It enables the auditor to
summarize his/her understanding of the system in a clear, concise, and logical manner.
Question #6 (aicra.931116auD-Au)
A. Both internal control questionnaires and systems flowcharts may be used to identify internal control weaknesses.
Internal control questionnaires probably display such weaknesses more prominently in that every "No" answer is a
weakness.
B. (Correct!) Systems flowcharts are "pictures" of processing activities. They provide a visual depiction of clients'
activities. Internal control questionnaires provide responses to specific questions about internal control activities. They do
not necessarily provide a description about the full scope of the processing activities.
C. Neither internal control questionnaires nor systems flowcharts can tell the auditor whether controls are operating
effectively. The auditor would have to observe or test such controls to obtain this information.
D. Neither internal control questionnaires nor systems flowcharts would reduce the need to observe client employees
performing routine tasks. This is a test performed to help ascertain whether effective internal controls are in place.
Question #7 (aicra.s20sssauo-Av)
A. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision.
It emphasizes logical relationships (decision rules) among the conditions and actions. It does not make managing complex
programs easier.
B. (Correct!) A decision table presents in tabular form the conditions and alternative actions related to making a
particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions.
C. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision.
It emphasizes logical relationships (decision rules) among the conditions and actions. It does not emphasize cost-benefit
factors.
D. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision.
It emphasizes logical relationships (decision rules) among the conditions and actions. Program flowcharts emphasize the
sequence in which operations are performed.
Question #8 (aicpa.so1s44au0-Av)
A. The control risk assessment occurs after an understanding of internal controls is obtained. It could not be used,
therefore, to justify skipping the procedures used to obtain an understanding of internal control.
B. Detection risk is the risk that the auditor will not detect a material misstatement. The auditor does not assess
detection risk; the auditor controls detection risk through the selection of the auditing procedures to be performed.
C. Sampling risk is the risk that the sample drawn is not representative of the population. Sampling is performed to obtain
samples for tests of controls and substantive tests. Both would be performed after obtaining an understanding of internal
control. Sampling risk, therefore, would not be used to justify skipping the procedures used to obtain an understanding of
internal control.
D. (Correct!) If the auditor has concluded that an account is immaterial and that inherent risk is low, the auditor might
decide to skip the procedures used to obtain an understanding of the related internal controls because the risk of a
material misstatement occurring is low.
This is really a rather tricky question because GAAS require the auditor to obtain an understanding of the internal control
structure sufficient to plan the audit. In the case of immateriality combined with low inherent risk, the auditor does not
need to understand the internal controls specifically related to the account in order to plan the audit.
Question #9 (aices.s011434u0-av)
A. The ability of management to override the existing internal control system is an inherent limitation of every internal
control structure. The auditor's primary consideration, therefore, of an internal control structure's policies and procedures
would not be whether they prevent management override. The primary concern is whether the controls affect the
financial statement assertions.
B. The auditor does consider the effectiveness of the control environment but it is not the primary consideration
pertaining to internal control. The auditor's objective is to issue an opinion on the financial statements. As a result, the
auditor is primarily concerned about controls that impact the financial statement assertions.
C. Although the auditor will consider management's philosophy and operating style and their potential impact on the
internal control structure, that would not be the primary consideration related to internal controls. The auditor's objective
is to issue an opinion on the financial statements. As a result, the auditor is primarily concerned about controls that
impact the financial statement assertions.
D. (Correct!) The auditor is primarily interested in whether an entity's internal controls affect the financial statement
assertions. Specifically, the auditor is interested in the policies and procedures that pertain to an entity's ability to record,
process, summarize, and report financial data consistent with the assertions embodied in the financial statements.
Question #10 (icea.:207070u0)
A. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control
procedures have been properly "authorized."
B. (Correct!) Obtaining an understanding of an entity's internal controls over financial reporting involves evaluating the
design of relevant controls and determining whether they have been implemented (sometimes referred to as "placed into
operation").
C. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control
procedures have been "tested."
D. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control
procedures have been properly "monitored."