Wiley CPAexcel’ TnesmeWecaneeaneontet er) Preliminary Evaluation of Intemal Control + If "effective" — consider the possibility of assessing control risk at less than the maximum level (which means “reliance”); consider “cost-benefit” issues “Inherent Limitations” The design and implementation of internal control is a management responsibility! “Reasonable assurance” recognizes “cost- benefit” considerations, The costs of a control policy/procedure should not outweigh the benefits from it + Mistakes may occur due to misunderstandings, misjudgments, or fatigue (the human element) + Breakdowns can occur due to collusion or management “override” of internal control Preliminary Evaluation of Intemal Control + Based on the auditor’s understanding of the “design” of internal control — make a preliminary evaluation of its effectiveness (and document the auditor's basis for conclusions) + If “ineffective” — assess control risk at the maximum level (which means “no reliance”); perform a wholly substantive audit approach Evaluating “Operating Effectiveness” + When assessing control risk at less than the maximum level, perform “tests of control” to evaluate the operating effectiveness of controls + Re-evaluate the expectation of operating effectiveness based on the results of those tests of control + Prepare the required written “audit plan” (also called “audit program") designed to achieve an appropriate level of detection risk Auditor's Consideration of I/CReview Question The ultimate purpose of assessing control riskis to contribute to the auditor's evaluation of the: A, Factors that raise doubts about the auditability of the financial statements Internal Control Concepts 2 1. Preliminary Evaluation of Internal Control The auditor may initially consider whether "reliance" on certain specific internal control strengths is appropriate. The auditor may consider "assessing control risk at less than the maximum level." ‘A. Consider the apparent adequacy of controls (regarding “design” effectiveness) -- If internal control is perceived to be “ineffective,” the auditor would assess control risk at the maximum level Consider the possible types of errors or problems that could occur. 1 2. Consider the kinds of procedures that would prevent and/or detect such errors or problems. 3. Determine whether such controls are in place, 4. Evaluate the implications of any identified weaknesses, B. Consider cost-benefit tradeoffs -- Reliance on internal controls "buys" a reduction of substantive audit work to some degree, but it "costs" additional effort to perform tests of control (and this may or may not be cost beneficial, even if the design of internal control is perceived to be effective). C. The auditor should document the basis for conclusions about internal control -- either way, whether Internal control is perceived to be effective or ineffective. II, Perform ‘ests of Controls” If reliance is planned (regarding “operating effectiveness") ~- "reliance" means the same thing as "to assess control risk at less than the maximum level" for purposes of accepting a somewhat higher level of detection risk. A. Perform "tests of controls" -- but only for those specific control policies and procedures (strengths that Justify accepting a somewhat higher level of detection risk) on which reliance is planned. B. The purpose of performing tests of control is to verify that the controls that looked good "on paper” (design effectiveness) were actually working as intended throughout the period (operating effectiveness), C. Circumstances that warrant performing tests of control (associated with a "reliance" strategy): (1) when the auditor's risk assessment includes an expectation regarding the operating effectiveness of controls; or (2) when the performance of substantive procedures alone do not limit audit risk to an acceptably low level. D. When performing “tests of controls” -- Select a sample of transactions and verify that the control procedures of interest were, in fact, performed on the transactions in the sample which usually requires that the control procedure be documented as it is performed. Undocumented controls may be tested by the auditor's "observation" of the entity's performance of such controls. II], Reevaluate Planned Reli nce Based on the Results of These Tests of Controls Determine whether the results of the tests of controls are consistent with the planned reliance on internalcontrols. (What looked good on paper may not be working satisfactorily in reality.) IV. Develop a Detailed Audit Plan (Also referred to as an “audit program") The auditor should prepare a written audit plan that specifies the nature, timing, and extent of further audit procedures to be performed, and the auditor should document the conclusions about control risk in planning the audit ‘A. Awholly substantive audit approach means "no reliance” on internal control (which means the same thing as "assessing control risk at the maximum level"). In other words, the auditor plans to meet the audit risk objectives by performing only substantive audit procedures without any expectation about the operating effectiveness of internal control, Tests of control would not be performed. B. Auditors may base their audit conclusions on both tests of controls and substantive audit procedures, although the auditor must always perform substantive procedures to some extent (i.e., the auditor cannot rely entirely on the operating effectiveness of internal control as a sole basis for conclusions), related to “detection risk" in the audit risk model. Auditor’s Consideration of I/C 4 Main -Pase” ‘Richer Lominn 2 Miles. Perermtbe Reta a tndvandiget peney ——appplinetntiol mance bacden vanes! Vclonddoament Crakeorabout Seer Vedas rndsefthteas | AODrate [—P] tare on ye iy relianceon VC planned of contol tests of mie (emir edey contro on civcendt tnt) Yes ermine Effective, neem the vt 2 titre Ting 4. initia ‘tier of Review of Preliminary sonore 7 evaluation an of VC roca Inettective [No Disclaim an Donat rey] [ Bonet raiven Piverste on W/C(usea — required wholly atten written aus substantive ial enariac program (the from the audit eee audit audit approach) strategy) 4. Re-evaluste clanned opinion or withdraw V. Inherent Limitations The design and implementation of internal control is a management function (not the auditor's responsibility!) and management must evaluate the applicable costs and benefits in the design and implementation of their internal control policies and procedures. ‘A. The costs of internal controls should not outweigh the benefits attributable to those controls -- as a result, controls provide reasonable (not absolute) assurance. B. Mistakes may occur as a result of employees’ misunderstandings, misjudgments, carelessness, fatigue, etc, C. Segregation of duties may break down due to collusion (a conspiracy among employees or management to circumvent internal controls) or management's "override" of controls -- override refers to management imposing controls downward on subordinates without intending to be affected by those controls themselves.engagement? Answer substantive procedures). Question: ?)) Why must auditors consider an entity's internal control in planning the audit In order to plan an effective and efficient audit, auditors must assess control risk as a basis for setting the appropriate level of "detection risk” related to their substantive auditing procedures (specifically, to determine the nature, timing, and extent of those Flashcards Flashcard #1 (Fc6799) When should the auditor assess the design effectiveness of internal control? In planning every audit under GAAS, as a basis for determining the nature, timing, and extent of further audit procedures. Flashcard #2 (Fc6800) When should the auditor assess the operat effectiveness of internal control? Whenever the auditor contemplates a reliance strategy (which means the same thing as "assessing control risk at less than the maximum level") and only after performing the appropriate tests of control Flashcard #3 (Fc6798) Identify 2 reasons for assessing control risk at the maximum level. 1. The auditor believes that the design of internal control is ineffective; or 2. The auditor believes that reliance on internal control (and performing applicable tests of control) is not an efficient audit strategy compared to a wholly substantive audit approach. Flashcard #4 (Fco491) Identify 3 inherent limitations of internal controls? 1. Cost of controls should not exceed expected benefits 2. Mistakes may occur due to carelessness, fatigue, misjudgments, etc. 3. Segregation of duties may break down due to collusion or management override of internal controls. Proficiency Questions Question #1 (298275) The auditor should perform tests of control whenever the auditor concludes that the design of internal control appears to be effective. True False Question #2 (ras117) The probability that mistakes are more likely as employees become fatigued is not an inherent limitation of internal control. True FalseQuestion #3 _(eqos13) Tests of control should be performed whenever the auditor assesses control risk at the maximum level. True False Question #4 (290915) Internal control should provide "reasonable assurance" that the entity's control obje achieved, meaning that the costs associated with internal control should not outweigh the benefits. True False Question #5 (290903) Auditors must obtain a sufficient understanding of internal control in planning the audit primarily because control risk affects the level of detection risk that is appropriate in the circumstances. True False Question #6 (290904) Detection risk is effectively set by the auditor when decisions about the nature, timing, and extent of substantive audit procedures are made. True False Past Exam Questions Question #1 (aicea.s70515auD-Av) Which of the following procedures would an auditor most likely perform to test controls relating to management's assertion about the completeness of cash receipts for cash sales at a retail outlet? Observe the consistency of the employees’ use of cash registers and tapes. A, B. Inquire about employees’ access to recorded but undeposited cash. C. Trace the deposits in the cash receipts journal to the cash balance in the general ledger. D. Compare the cash balance in the general ledger with the bank confirmation request. Question #2 (aicea.951126au0-av) In addition to evaluating the frequency of deviations in tests of controls, an auditor should also consider certain qualitative aspects of the deviations. The auditor most likely would give broader consideration to the implications of a devi was The only deviation discovered in the sample. A B, Identical to a deviation discovered during the prior year’s audit. C. Caused by an employee's misunderstanding of instructions. D. Initially concealed by a forged document, Question #3 (aicra.ss1124au0-Av) When assessing control risk below the maximum level, an auditor is required to document the auditor'sUnderstanding of the entity's control Basis for concluding that control risk is below the environment um level Yes No No Yes Yes Yes No No Question #4 aicpa.s511234u0-Au) After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether It would be efficient to obtain an understanding of the entity's accounting system, The entity's internal control structure polices and procedures have been placed in operation. The entity's internal control structure polices and procedures pertain to any financial statement assertions. Additional evidential matter sufficient to support a further reduction is likely to be available. jon #5 _(aicea.9511220UD-AU) Assessing control risk at below the maximum level most likely would involve A. Performing more extensive substantive tests with larger sample sizes than originally planned. B, Reducing inherent risk for most of the assertions relevant to significant account balances. C. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year end, D. Identifying specific internal control structure policies and procedures relevant to specific assertions. Question #6 (aicea.951121AU0-av) An auditor assesses control risk because it Is relevant to the auditor's understanding of the control environment. A B. Provides assurance that the auditor's materiality levels are appropriate. C. Indicates to the auditor where inherent risk may be the greatest. D. Affects the level of detection risk that the auditor may accept, Question #7 (aicps.ss1120au0-Au) Which of the following statements is correct concerning an auditor's assessment of control risk? ‘A. Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity's internal control structure. B. Evidence about the operation of control procedures in prior audits may not be considered during the current year's assessment of control risk. C. The basis for an auditor's conclusions about the assessed level of control risk need not be documented unless control risk is assessed at the maximum level. D. The lower the assessed level of control risk, the less assurance the evidence must provide that the control procedures are operating effectively. Question #8 arcpa.ss1118au0-Av) In assess 19 control risk, an auditor ordinarily selects from a variety of techniques, inclu A. Inquiry and analytical procedures. B, Reperformance and observation:C. Comparison and confirmation D. Inspection and verification. Question #9 (aices.9s1104au0-av) Which of the following auditor concerns could most likely be so serious that the auditor concludes that a financial statement audit cannot be conducted? The entity has no formal written code of conduct. The integrity of the entity's management is suspect. Procedures requiring segregation of duties are subject to management override gogp Management fails to modify prescribed controls for changes in conditions. Question #10 (aicea.950533AuD-Au) After obtaining an understanding of the internal control structure and asses: decided to perform tests of controls. The auditor most likely decided that 19 control risk, an auditor ‘A. It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests. B. Additional evidence to support a further reduction in control risk is not available. . An increase in the assessed level of control risk is justified for certain financial statement assertions D. There were many internal control structure weaknesses that could allow errors to enter the accounting system. Question #11 aicra.ssoszsAun-Av) When an auditor assesses control auditor's ‘ed to document the k at the maximum level, the auditor is req Understanding of the entity's accounting Basis for concluding that control risk is at the system maximum level No No No Yes Yes No Yes Yes Question #12 caicra.ssos27AUD-AU) Control risk should be assessed terms of Specific control procedures. Types of potential irregularities. Financial statement assertions. gogP Control environment factors. Question #13 (aica.ss1132Au0-Au) Which of the following is a step in an auditor's decision to assess control risk at below the maximum? ‘A. Apply analytical procedures to both financial data and nonfinancial information to detect conditions that may indicate weak controls. B. Perform tests of details of transactions and account balances to identify potential errors and irregularities, C. Identify specific internal control policies and procedures that are likely to detect or prevent material misstatements. D. Document that the additional audit effort to perform tests of controls exceeds the potential reduction in‘substantive testing. Question #14 (aicpa.se11300u0-Au) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that Tests of controls may fail to identify procedures relevant to assertions. Material misstatements may exist in the financial statements. Specified controls requiring segregation of duties may be circumvented by collusion. gogp Entity policies may be overridden by senior management. Question #15 (aicea.41113AuD-au) Which of the following circumstances most likely would cause an auditor to consider whether material misstatements exist in an entity's financial statements? Management places little emphasis on meeting earnings projections. The board of directors makes all major financing decisions. Significant deficiencies previously communicated to management are not corrected, SogP Transactions selected for testing are not supported by proper documentation. Question #16 (aicpa.ser110au0-au) On the basis of audit evidence gathered and evaluated, an auditor decides to increase the assessed level of control risk from that originally planned. To achieve an overall audit risk level that is substantially the same as the planned audit risk level, the auditor would Decrease substantive testing. A B, Decrease detection risk. C. Increase inherent risk, D. Increase materiality levels. Question #17 a1cra.ssos2sauo-au) After obtaining an understanding of the internal control structure and assessing control risk, an auditor decided not to perform additional tests of controls. The auditor most likely concluded that the Additional evidence to support a further reduction in control risk was not cost beneficial to obtain. Assessed level of inherent risk exceeded the assessed level of control risk. Internal control structure was properly designed and justifiably may be relied on. gog> Evidence obtainable through tests of controls would not support an increased level of control risk. Question #18 (aicra.s40524au0-Av) An auditor uses the assessed level of control risk to Evaluate the effectiveness of the entity's internal control policies and procedures. A B. Identify transactions and account balances where inherent risk is at the maximum C. Indicate whether materiality thresholds for planning and evaluation purposes are sufficiently high D. Determine the acceptable level of detection risk for financial statement assertions, Question #19 (aicra.s405220U0-AU) ich of the following most likely would not be consi effectiveness of an entity's internal control structure?Incompatible duties. Management override, Mistakes in judgment, gagp Collusion among employees. Question #20 aicra.gs11224u0-au) Which of the following statements concerning control risk is correct? ‘A. Assessing control risk and obtaining an understanding of an entity's internal control structure may be performed concurrently. B. When control risk is at the maximum level, an auditor is not required to document the basis for that assessment, C. Control risk may be assessed sufficiently low to eliminate substantive testing for significant transaction classes. D. When assessing control risk, an auditor should not consider evidence obtained in prior audits about the ‘operation of control procedures. Question #21 aicea.s30s12Au0-Au) In obtaining an understanding of an entity's ‘ternal control structure, an auditor is required to obtain knowledge about the Operating effectiveness of policies and procedures Design of policies and procedures Yes Yes No Yes Yes No No No Question #22 (aicea.930507AuD-Au) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the Factors that raise doubts about the auditability of the financial statements, Operating effectiveness of internal control policies and procedures. Risk that material misstatements exist in the financial statements. gog> Possibility that the nature and extent of substantive tests may be reduced, Question #23 (aicra.s205420U0-AU) h of the following is not a step in an auditor's decision to assess control risk at below the maximum? Evaluate the effectiveness of the internal control procedures with tests of controls. Obtain an understanding of the entity's accounting system and control environment. Perform tests of details of transactions to detect material misstatements in the financial statements. gogp> Consider whether control procedures can have a pervasive effect on financial statement assertions. Question #24 (aicra.s20540au0-AU) As part of understanding the internal control structure, an audi ris not required to Consider factors that affect the risk of material misstatement. A B. Ascertain whether internal control structure policies and procedures have been placed in operation. C. Identify the types of potential misstatements that can occur. D Obtain knowledge about the operating effectiveness of the internal control structure.Question #25 (aicea.11134au0-au) After obtaining an understanding of the internal control structure and assessing control risk of an entity, an auditor decided not to perform tests of controls. The auditor most likely decided that A. The available evidential matter obtained through tests of controls would not support an increased level of control risk, B. A reduction in the assessed level of control risk is justified for certain financial statement assertions. C. It would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests, D. The assessed level of inherent risk exceeded the assessed level of control risk Question #26 aicra.si0s27Au0-AU) An auditor may des auditor believes je to assess control risk at the maximum level for cert assertions because the Sufficient evidential matter to support the assertions is likely to be available. Evaluating the effectiveness of policies and procedures is inefficient. More emphasis on tests of controls than substantive tests is warranted, gog> Considering the relationship of assertions to specific account balances is more efficient. Question #27 (aicra.s105220U0-Av) An auditor assesses control risk because it Indicates where inherent risk may be the greatest. Affects the level of detection risk the auditor may accept. Determines whether sampling risk is sufficiently low. gog> Includes the aspects of nonsampling risk that are controllable. Question #28 (aicra.so1145AU0-Av) To obtain evidential matter about control risk, an auditor ordinarily selects tests from a variety of techniques, including Analysis. Confirmation. Reperformance. gog> Comparison. Question #29 (aicra.so0530au0-Av) h of the following statements about internal control structure is correct? ‘A. A properly maintained internal control structure reasonably ensures that collusion among employees cannot occur. B. The establishment and maintenance of the internal control structure are important responsibilities of the internal auditor. C. An exceptionally strong internal control structure is enough for the auditor to eliminate substantive tests on a significant account balance D. The cost-benefit relationship is a primary criterion that should be considered in designing an internal control structure. Question #30 (aica.:30710au0)An auditor is evaluating a client's internal controls. Which of the following situations would be the most difficult internal control issue for an auditor to detect? ‘A. The accounting staff neglects the control, due to increased transactions to be processed. B. The technology department writes a program that does not properly implement the control, due to a lack of understanding, C. Two employees, who work in different departments, are circumventing an internal control. D, Someone erroneously disables edit checks in a software program designed to identify control exceptions. Question #31 (aicea.s207340u0) Which of the following statements best describes why an auditor would use only substantive procedures to evaluate specific relevant assertions and risks? The relevant internal control components are NOT well dacumented, The internal auditor already has tested the relevant controls and found them effective. Testing the operating effectiveness of the relevant controls would NOT be efficient. GogP The cost of substantive procedures will exceed the cost of testing the relevant controls. Question #32 (1icea.:11167u0) wi h of the following statements is correct regarding internal control? A. A well-designed internal control environment ensures the achievement of an entity's control objectives. B. An inherent limitation to internal control is the fact that controls can be circumvented by management override, C. Awell-designed and operated internal control environment should detect collusion perpetrated by two people. D. Internal control is a necessary business function and should be designed and operated to detect all errors and fraud Question #33 (arcra.ov0786.Au0-Av) Which of the following represents an inherent limitation of internal controls? Bank reconciliations are not performed on a timely basis. The CEO can request a check with no purchase order, Customer credit checks are not performed. gop Shipping documents are not matched to sales invoices, Question #34 caices.c7osa2au0) As a result of tests of controls, an auditor assesses control risk too high. Thi likely occurred because correct assessment most ‘A. Control risk based on the auditor's sample is less than the true operating effectiveness of the client's control activity. B. The auditor believes that the control activity relates to the client's assertions when, in fact, it does not C. The auditor believes that the control activity will reduce the extent of substantive testing when, in fact, it will not. D. Control risk based on the auditor's sample is greater than the true operating effectiveness of the client's control activity. Question #35 aica.cz0si1Auo-au) An auditor observed that a client mails monthly statements to customers. Subsequently, the auditor reviewed evidence of follow-up on the errors reported by the customers. This test of controls most likelywas performed to support management's financial statement assertion(s) of Presentation and disclosure Rights and obligation Yes Yes Yes No No Yes No No Question #36 (aicra.c20s06au0-Av) When assessing control risk at below the maximum level, an auditor is required to document the auditor's understanding of the I. Entity's control activities that help ensure management directives are carried out. II. Entity's control environment factors that help the auditor plan the engagement. A, Tonly, B. Ionly. C. Both I and II. D. Neither I nor I Proficiency Question Answers Question #1: False Question #2: False Question #3: False Question #4: True Question #5: True Question #6 : True Past Exam Question Answers Question #1 aicra.s7osisauo-av) A. (Correct!) The cardinal rule regarding cash receipts is to ensure that they are recorded. By requiring employees to record all sales in the cash register and to give customers the cash register tape evidencing the sale, companies can ensure that all cash sales are recorded (the completeness of cash receipts for cash sales). The auditor can test controls by ‘observing employees’ use of cash registers and tapes, B. Relates to controls over recorded cash, not unrecorded cash. Completeness in this question refers to the recording of all cash sales. If cash has been recorded and then is subsequently stolen, the problem becomes existence, rather than completeness. (Recorded cash that has been stolen no longer exists.) C. This relates to controls over recording accuracy or valuation, Tracing deposits in the cash receipts journal to the general ledger ensures that such deposits are accurately recorded. This is a control related to valuation, not completeness. (Note: This procedure could also be considered a substantive test of transactions.) D, Relates to a substantive auditing procedure. Confirming the bank balance is a required substantive procedure for auditing cash. It is not a test of controls. In addition, confirming the bank balance provides evidence of existence, rather than completeness Question #2 (aices.9511268u0-av) ‘A. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that a single deviation was found would impact only the computation of the upper error limit. B. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that an identical error was found last year would not by itself provide a reason for giving broader consideration to the error.C. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that the error was caused by an employee's misunderstanding is a reflection of the inherent limitations of internal control and would not by itself be a reason to give broader consideration to the error. D. (Correct!) A deviation will receive more consideration if itis initially concealed by a forged document. The forgery indicates a planned and intentional effort to conceal an irregularity as opposed to a deviation resulting from an error. The auditor must consider both the qualitative and quantitative aspects of deviations noted. Qualitative aspects, in particular, are important because of the potential impact on other areas of the audit. Question #3 (aicpa.ss1124qu0-Av) A. This answer is incorrect because of the "No" in the second column. The auditor is required to document his/her understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at below the maximum level, the auditor is required to document his/her basis for that conclusion. B. This answer is incorrect because of the "No" in the first column, The auditor is required to document his/her understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at below the maximum level, the auditor is required to document his/her basis for that conclusion. C. (Correct!) The auditor is required to document his/her understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at below the maximum level, the auditor is required to document his/her basis for that conclusion. D. This answer is incorrect because of the "No's" in the first and second columns. The auditor is required to document his/her understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at below the maximum level, the auditor is required to document his/her basis for that conclusion. Question #4 (aicen.9511230UD-AU) ‘A. An auditor is required by GAAS to obtain an understanding of the entity's information system relevant to financial reporting. This step would be performed before assessing control risk. The issue of "efficiency" is not relevant in this instance. B. In obtaining an understanding of the internal control structure, the auditor must determine which internal controls are relevant to any financial statement assertions and whether such controls have been placed in operation. This step is performed first, before an assessment of control risk is made. C.In obtaining an understanding of the internal control structure, the auditor must determine which internal controls are relevant to any financial statement assertions and whether such controls have been placed in operation. This step is performed first, before an assessment of control risk is made. D, (Correct!) If the auditor desires to further reduce the assessed level of control risk, he/she must first consider whether additional evidence will be available to support such a reduction. The auditor must also consider whether it would be efficient (cost-effective) to collect such evidence. Question #5 aicpa.os112200-Au) A. The extent of substantive testing is based on the assessment of control risk. Assessing control risk below maximum means that there are controls in place which are believed to lessen the risk of a material misstatement occurring undetected in the financial statements. As a result, less extensive rather than more extensive substantive testing would be performed with smaller rather than larger sample sizes. B. Control risk pertains to the risk of a material misstatement occurring which is not prevented or detected by the internal control system. Inherent risk relates to the risk of a material misstatement occurring in an account or a transaction without regard to the related internal controls. The two risks are assessed independently; it does not make sense for the assessment of inherent risk to be reduced as a result of a control risk assessment below maximum. C. Assessing control risk below maximum means that there are controls in place which are believed to lessen the risk of a material misstatement occurring undetected in the financial statements, As a result, the timing of substantive tests could be moved TO interim rather than at year end. Evidence collected at an interim date is less competent than evidence collected at year end because of the additional risk that the year end balances may be materially misstated caused by collecting evidence early. D. (Correct!) In order to assess control risk below maximum the auditor must collect evidence to support the reduction. Collecting such evidence involves identifying specific internal controls relevant to specific assertions and then performing tests of controls to evaluate the effectiveness of the controls.Question #6 (aicra.951121AUD-Av) ‘A. The auditor must obtain an understanding of the control environment BEFORE determining the assessed level of, control risk, That understanding is then used to assess control risk B. An assessment of control risk does NOT provide assurance that the auditor's materiality levels are appropriate. Assessed control risk and assessed inherent risk enable the auditor to set detection risk and to determine the nature, timing, and extent of the auditing procedures to be performed. C. Control risk and inherent risk are independently assessed risks. Inherent risk pertains to the risk that a material misstatement will occur in an account or a transaction without considering related internal controls. Control risk relates to the risk that the internal controls will not prevent or detect a material misstatement in an account or a transaction. It does not make sense, therefore, for the control risk assessment to indicate where inherent risk may be the greatest, D. (Correct!) An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that the auditor may accept. Question #7 (aicpa.951120nu0-Av) A. (Correct!) Understanding internal control and assessing control risk are steps which may be performed concurrently in an audit. The evidence collected to achieve one objective may also be used for the other objective. For example, inquiries and information gathered about management's use of budgets in order to understand the control environment may also be used as a test of control over the effectiveness and operation of the budgeting control. B, Evidence about the operation of controls in prior audits IS a factor impacting an auditor's current year assessment of control risk. C. The basis for an auditor's conclusions about the assessed level of control risk needs to be documented regardless of the level of control risk assessed. D. The lower the assessed level of control risk, the MORE assurance evidence must provide that the controls are operating effectively. An assessment of control risk below maximum must be supported by the collection of evidence indicating the controls are operating effectively. An assessment of control risk at maximum does not require the collection of evidence about the operation of the controls; however, it does require documentation of the basis for the assessment at maximum: Question #8 (aicra.ssi11e,u0-AV A. While inquiry is a procedure used in testing controls, analytical procedures are not. Analytical procedures are performed during planning, as substantive procedures, and during the final review B. (Correct!) Tests of controls directed toward effectiveness or operation of a control would ordinarily include inquiries, inspections of documents, observation, and reperformance of the application of a control. Thus, both reperformance and ‘observation are used by an auditor to assess control risk, C. Comparison and confirmation are substantive auditing procedures. They are not tests of controls used in assessing control risk. D. Although inspection can be used as a test of control to assess control risk, verification is a substantive auditing procedure. Question #9 (aicea.9s1104au0-av) ‘A. The lack of a formal written code of conduct is a weakness in the control environment which would be taken into consideration in planning and conducting the audit. It would not normally, however, be considered so serious that the auditor would immediately withdraw from the engagement. B, (Correct!) The auditor would decide that an audit could not be conducted if management integrity were questioned, Management integrity is such a critical component of an effective internal control environment that the suspected lack thereof would be cause for the auditor to withdraw from the engagement, C. Management override is always a possibility and is an inherent limitation of an internal control structure. It would not normally be considered serious enough to warrant withdrawal from the audit. D. Management's failure to modify prescribed controls for changes in conditions has potential ramifications for the conduct of the audit. For example, additional or more extensive audit procedures might have to be performed if the failure has resulted in an increased risk of material misstatement. The failure, however, would not normally be considered so serious that the auditor would immediately withdraw from the engagement. Question #10 arcpa.ss0s33aun-Au) A. (Correct!) After obtaining an understanding of internal control and assessing control risk, an auditor will perform tests of controls, if it is believed that such performance will result in a reduction in planned substantive tests. If theperformance of tests of controls would not result in @ reduction in substantive testing, completing tests of controls would be inefficient and therefore should not be performed. B. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of controls if additional evidence to support a further reduction in control risk were not considered to be available. Tests of controls could only be performed if such evidence were available. C. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of controls if an increase in the assessed level of control risk were considered to be justified for certain financial statement assertions. Tests of controls are performed to support reductions, not increases, in control risk. D. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of controls if the auditor believed that there were many internal control weaknesses that could allow errors to enter the accounting system. Such a belief would warrant assessment of control risk at maximum eliminating any need for the performance of tests of controls. Question #11 (aicra.s505290U0-Av) ‘A. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also required to document the basis for the assessment of control risk, including when control risk is assessed at maximum. B. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also required to document the basis for the assessment of control risk, including when control risk is assessed at maximum: C. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also required to document the basis for the assessment of control risk, including when control risk is assessed at maximum. D. (Correct!) The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also required to document the basis for the assessment of control risk, including when control risk is assessed at maximum! Question #12 (aicra.sso527AU0-AU) ‘A. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components. Control risk is not assessed for specific controls. Rather, individual controls are important only in so far as they relate to a specific assertion. The auditor may decide that a reduction in control risk for an assertion may be supported through the testing of a specific control or controls. B. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components. Contral risk is not assessed for the types of potential irregularities which may be present in the financial statements. Identification of the types of potential irregularities aids the auditor in identifying the assertions which are subject to greater inherent risk and thus require stronger controls to prevent material misstatements. C. (Correct!) The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components, Based upon the understanding of internal control and the control risk assessments, the auditor determines the nature, timing, and extent of the auditing procedures to be performed. D. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found in the account balance, transaction class, or disclosure components. Control risk is not assessed for control environment factors. Rather, the control environment factors are considered when assessing control risk. Question #13 arcea.ss11320u0-au) A. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that are likely to detect or prevent material misstatements and the testing of those controls. It does not involve the performance of analytical procedures. Analytical procedures are performed during planning, as substantive procedures, and during the overall review. They are not used to test controls. B. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that are likely to detect or prevent material misstatements and the testing of those controls. It does not involve the performance of tests of details of transactions and account balances. Such tests are performed as substantive procedures. ‘They are not used to test controls. C. (Correct!) An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that are likely to detect or prevent material misstatements and the testing of those controls, D. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that are likely to detect or prevent material misstatements and the testing of those controls, If the cost of performing the tests of controls exceeds the benefit derived; i.e. the reduction in substantive testing, the tests of controls would not be performed and the assessment of control risk would not be reduced below the maximum,Question #14 (aicra.s41130AUD-au) ‘A. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that tests of controls may fall to identify procedures relevant to the assertions, Tests of controls are performed AFTER procedures relevant to the financial statement assertions have been identified. The primary purpose of such tests is to determine the operating effectiveness of tested controls, B. (Correct!) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements may exist in the financial statements. The assessment of control risk combined with the assessment of inherent risk aids the auditor in identifying where material misstatements might exist in the financial statements. The auditor must then select and perform the auditing procedures necessary to detect material misstatements, if they exist. C. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that specified controls requiring segregation of duties may be circumvented by collusion. The risk of collusion is an inherent limitation of any system of internal control. D. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that entity policies may be overridden by senior management. The risk of management override of controls is an inherent limitation of any system of internal control Question #15 arcra.ssi1i3aun-au) ‘A. Management's failure to place emphasis on meeting earnings projections would not lead the auditor to consider whether material misstatements exist. Rather, the presence of such an emphasis would be considered a potentially Positive risk factor reducing the potential presence of material misstatements. If management is placing little emphasis on meeting projections, then there is less pressure to overstate actual results, B. An active board of directors that makes all major financing decisions would be considered a positive control environment factor. It would not cause an auditor to consider whether material misstatements exist. C. The presence of uncorrected significant deficiencies would not necessarily cause the auditor to consider whether material misstatements exist. Management is able to apply cost-benefit considerations when deciding whether to correct internal control weaknesses. D, (Correct!) If transactions selected for testing are not supported by proper documentation, a concern as to the validity of the tested transactions will be raised. As a result, the auditor will consider whether material misstatements exist in an entity's financial statements, Question #16 (aicra.ss1110,u0-aU) ‘A. The auditor would not decrease substantive testing as a result of an increase in control risk. Control risk and detection risk are inversely related. If control risk increases, detection risk must decrease. When detection risk decreases, substantive testing increases. B. (Correct!) If the auditor has decided to increase the assessed level of control risk from that originally planned on the basis of audit evidence gathered and evaluated, the auditor has performed tests of controls, which do not indicate that the tested controls are operating effectively. As a result, a lowered control risk assessment is not supported and the control risk assessment must be increased, The auditor will have to decrease detection risk (and increase substantive tests) in order to achieve the planned audit risk level. The greater the control risk, the lower detection risk must be. C. The auditor would not increase inherent risk as a result of an increase in control risk. Control risk and inherent risk are assessed separately. Inherent risk is the susceptibility of an assertion to a material misstatement without regard to internal control. Control risk is the risk that a material misstatement will not be prevented or detected by the internal control structure, D. The auditor would not automatically increase materiality levels as a result of an increase in assessed control risk. Materiality is a matter of professional judgment and Is influenced by the auditor's perception of a reasonable person relying on the financial statements, Question #17 aicra.ssos2sauo-au) A. (Correct!) The performance of additional tests of controls would be performed only if such performance were considered cost-beneficial. The cost of obtaining the additional evidence must be less than the benefits to be derived from the related reduction in substantive testing, B. Comparison of the assessed level of inherent risk to the assessed level of control risk is inappropriate for determining whether to perform additional tests of controls. Inherent risk is the risk of a material misstatement occurring in an assertion, without regard for the related internal controls. High inherent risk for an assertion would lead the auditor to look more closely at the relevant internal controls to see if the risk of misstatement has been lessened by a strong internal control structure and perhaps to consider testing such controls. The primary decision factor, however, would always be the cost-benefit to be obtained.C. Concluding that the internal control was properly designed and able to be relied upon would precede the performance of any tests of control. The primary decision factor, however, would be the cost-benefit to be obtained. D. The auditor tests controls in order to support a reduction in the assessed level of control risk. It would not make sense for the auditor to conclude that the evidence obtainable through tests of controls would not support an INCREASED level of control risk Question #18 (aicra.saos24au0-Av) A. The statement is reversed. An auditor would not use the assessed level of control risk to evaluate effectiveness. An auditor evaluates the effectiveness of the entity's internal controls in order to determine the assessed level of control risk B. The assessment of control risk does not enable the auditor to identify transactions and account balances where inherent risk is at the maximum. Instead, the auditor first considers his/her assessment of inherent risk in order to determine where material misstatements are likely to occur. The auditor then obtains the required understanding of the internal control structure and assesses control risk - the risk that the internal control structure will not prevent or detect a material misstatement. The control risk assessment is then used to determine the acceptable level of detection risk. C. The auditor's assessed level of control risk would not be used to indicate whether materiality thresholds are sufficiently high. Instead, the assessed level of control risk impacts the acceptable level of detection risk and, thus, the evidence which must be gathered. Control risk is a component of audit risk. Audit risk and materiality are considered together in determining the nature, timing, and extent of auditing procedures to be performed. D. (Correct!) The auditor assesses control risk (the risk that the internal control structure will nat prevent or detect a material misstatement) and inherent risk (the risk of a material misstatement occurring) in order to determine the acceptable level of detection risk. Question #19 aicea.s#0sz2au0-Au) A. (Correct!) A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because of inherent limitations. These include the fallibility of human judgment and performance and the possibility of collusion or management override, The answer which is NOT an inherent limitation is A, "incompatible duties." B. A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because of inherent limitations. These include the fallibility of human judgment and performance and the possibilty of collusion or management override. The answer which is NOT an inherent limitation is A, "incompatible duties.” C.A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because of inherent limitations. These include the fallillity of human judgment and performance and the possibility of collusion or management override. The answer which is NOT an inherent limitation is A, "incompatible duties.” D. A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because of inherent limitations. These include the fallibility of human judgment and performance and the possibilty of collusion or management override. The answer which is NOT an inherent limitation is A, "incompatible duties.” Question #20 (aicra.931122Au0-Au) A. (Correct!) Gaining an understanding of internal control and assessing control risk may be performed concurrently. Procedures performed to obtain an understanding of internal contral may also be used to gather the evidence needed to assess control risk B. The auditor is required to document the basis for assessing control risk at maximum. The auditor is also required to document the basis for a lowered control risk assessment. C. Substantive testing cannot be eliminated through a lowered assessment of control risk. The auditor must perform substantive tests for significant account balances and transaction classes. D. When assessing control risk, the auditor may consider evidence obtained in prior audits about the operation of controls. In evaluating the use of such evidence, the auditor should consider the significance of the assertion involved, the specific controls evaluated previously, the degree to which the effective design and operation of those controls were evaluated, the results of previous tests of controls, and other evidential matter obtained about controls during the audit. Question #24 arcea.s30si2Au0-Au) A. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control components and whether they have been placed in operation. The auditor is NOT required to determine the operating effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level. B. (Correct!) An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control components and whether they have been placed in operation. The auditor is NOT required to determine the operating effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level.C. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control components and whether they have been placed in operation. The auditor is NOT required to determine the operating effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level. D. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control components and whether they have been placed in operation. The auditor is NOT required to determine the operating effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level. Question #22 (aica.s30s07Au0-Au) A. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. The auditor considers factors that raise doubts about the auditability of the financial statements in assessing control risk. B. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. The auditor considers the operating effectiveness of the controls in gaining an understanding of the internal control structure and in assessing control risk. C. (Correct!) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. Assessing control risk and inherent risk help the auditor identify where misstatements might exist; the auditor then performs auditing procedures to detect those misstatements. D. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. The auditor considers whether to reduce the nature and extent of substantive tests as a result of assessing control risk. Question #23 (aicra.s20s42AuD-Au) ‘A. In assessing control risk below maximum, the auditor must: 1) obtain an understanding of the internal control structure; 2) identify specific controls relevant to specific financial statement assertions; and 3) test the identified controls to determine if they are operating effectively. Thus, the auditor would evaluate the effectiveness of internal control with tests of controls. B. In assessing control risk below maximum, the auditor must: 1) obtain an understanding of the internal control structure; 2) identify specific controls relevant to specific financial statement assertions; and 3) test the identified controls to determine if they are operating effectively. Thus, the auditor would obtain an understanding of the entity's accounting system and control environment, C. (Correct!) In assessing control risk below maximum, the auditor must 1) obtain an understanding of the internal control structure; 2) identify specific controls relevant to specific financial statement assertions; and 3) test the identified controls to determine if they are operating effectively. The auditor would NOT perform tests of details of transactions. These are substantive procedures which would generally be performed after the assessment of control risk is made D. In assessing control risk below maximum, the auditor must: 1) obtain an understanding of the internal control structure 2) identify specific controls relevant to specific financial statement assertions; and 3) test the identified controls to determine if they are operating effectively. In identifying specific controls relevant to financial statement assertions, the auditor would also consider whether control procedures have a pervasive effect on the financial statements. Question #24 (aicra.s205¢0au0-Av) ‘A. In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material misstatement, Identify the types of potential misstatements that can occur, and ascertain whether internal controls have been placed in operation. ‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of controls). B. In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material misstatement, identify the types of potential misstatements that can occur, and ascertain whether internal controls have been placed in operation. ‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of controls). C.In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material misstatement, identify the types of potential misstatements that can occur, and ascertain whether internal controls have been placed in operation.‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of controls). D. (Correct!) In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material misstatement, identify the types of potential misstatements that can occur, and ascertain whether internal controls have been placed in operation. The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of controls) Question #25 (aicpa.s1113¢0u0-au) A. The auditor performs tests of controls in order to reduce the assessed level of control risk, not increase it. It would not make sense for the auditor to conclude that the available evidential matter obtained through tests of controls would not support an INCREASED level of control risk, B, The auditor performs tests of controls in order to reduce the assessed level of control risk. He/she would decide not to perform tests of controls if he/she concluded that a reduction in the assessed level of control risk is NOT justified for certain financial statement assertions. C. (Correct!) There is always a cost-benefit tradeoff in testing controls. The auditor tests controls in order to rely on them and to reduce substantive testing. If testing controls won't reduce substantive testing sufficiently ( i.e., enough to offset the cost of testing controls), the auditor will opt NOT to test controls. In other words, it would be inefficient to perform the tests of controls. D. If the auditor has decided not to perform tests of controls, control risk will be assessed at 100%. The inherent risk assessment cannot exceed 100%. The auditor could not decide that the inherent risk assessment exceeded the control risk assessment. Question #26 (aicra.910527AUD-AU) A. Control risk may be assessed at the maximum level for certain assertions because the auditor believes that evaluating the effectiveness of the controls would be inefficient, The auditor considers whether evidence is likely to be available and whether gathering that evidence would be efficient. The availability of sufficient evidential matter to support the assertions (assuming that testing would be efficient) would cause the auditor to consider reducing the control risk assessment rather than assessing it at maximum, B. (Correct!) Control risk may be assessed at the maximum level for certain assertions because the auditor believes that evaluating the effectiveness of the controls would be inefficient. ‘The auditor considers whether evidence is likely to be available and whether gathering that evidence would be efficient. The cost of gathering the additional evidence must be less than the benefit derived from being able to reduce substantive tests as a result. C. If the auditor believed that more emphasis should be placed on tests of controls, the auditor would consider reducing the control risk assessment rather than assessing it at maximum. Tests of controls are performed only if control risk is to be assessed at less than maximum. D. If the auditor has decided to assess control risk at maximum, the aucitor will not need to identify specific internal controls relevant to specific assertions and account balances. Such identification is made (and related tests of controls performed) when control risk is to be assessed below maximum Question #27 (aicra.s105220U0-Av) A. Inherent risk is the risk that a material misstatement will occur without regard to related controls. It is assessed independently from control risk. Both control and inherent risk are assessed because they affect the level of detection risk the auditor may accept. B, (Correct!) Control risk is the risk that material misstatements will occur that are not prevented or detected by the internal control structure. An auditor assesses control risk (and inherent risk) because they affect the level of detection risk the auditor may accept. C. Control risk is the risk that material misstatements will occur that are not prevented or detected by the internal control structure. A control risk assessment would not determine whether sampling risk was sufficiently low and would precede any such determination. D. Control risk is the risk that material misstatements will occur that are not prevented or detected by the internal control structure. A control risk assessment would not include controllable aspects of nonsampling risk and would precede any consideration of nonsampling risk. Question #28 a1cea.so114sauo-Au) ‘A. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They would not include analysis, confirmation, and comparison which are used for substantive testing, B. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They wouldnot include analysis, confirmation, and comparison which are used for substantive testing. C. (Correct!) Procedures performed to evaluate control risk include inquiries of personnel; inspection of documents and records; observation of activities and operations; and reperformance of the control procedure. D. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They would not include analysis, confirmation, and comparison which are used for substantive testing, Question #29 (arcra.so0ss0au0-Av) ‘A. An inherent limitation of any system of internal control is circumvention of controls by collusion among two or more people, Because of inherent limitations like this one, only reasonable assurance can be provided that an entity will achieve its control objectives. B. While an internal auditor's responsibilities frequently include monitoring of the internal control system, the establishment and maintenance of internal control are the responsibilities of management. Internal audit activities would be directed more toward evaluation of the adequacy and effectiveness of a company's internal control system as well as determination of the level of compliance related thereto. C. The assessed level of control risk can never be sufficiently low as to eliminate all substantive tests on a significant account balance. The auditor is required to perform substantive tests on significant account balances and transaction classes regardless of the assessed level of control risk D. (Correct!) A primary criterion of any system of internal control is the cost-benefit relationship. The cost of an entity's internal control should not exceed the benefits to be derived, Question #30 (aices.:307:00U0) ‘A. This is an error that would be more easily identified than an intentional circumvention of controls associated with collusion. B. This is an error that would be more easily Identified than an intentional circumvention of controls associated with collusion. C. (Correct!) An intentional circumvention of controls associated with collusion involving employees in different departments would be particularly difficult to detect. D. This is an error that would be more easily identified than an intentional circumvention of controls associated with collusion, Question #31 (aicra.:207340u0) ‘A. When controls are not well documented, the auditor may still be able to gather evidence as to whether such controls are being properly performed, such as observation. So performing tests of controls in such circumstances might still be possible. B. If the internal auditor has determined that controls are effective, it would increase the likelihood that the external auditor would consider a reliance strategy instead of a wholly substantive audit approach. C. (Correct!) The auditor would properly choose a wholly substantive audit approach (over a reliance strategy involving tests of control) when the wholly substantive audit approach is more efficient. D. If a wholly substantive audit approach is more costly than a reliance strategy involving tests of control, the wholly substantive audit approach would be viewed as less efficient and would not be chosen by the auditor. Question #32 (aicea.::11670u0) A. Internal control (including but not limited to the control environment) provides reasonable (not absolute) assurance of achieving the entity's control objectives. The word "ensures" is an overstatement, B. (Correct!) The potential for management override of internal control is considered an inherent limitation and is a consequence of the natural cost-benefit tradeoffs associated with reasonable assurance. C. The potential for employees to commit collusion (that is, to conspire to beat the system) is considered an inherent limitation and is a consequence of the natural cost-benefit tradeoffs associated with reasonable assurance. D. Internal control provides reasonable (not absolute) assurance of detecting material (not “all") errors and fraud, Question #33 aicpa.cs0786.0u0-AU) ‘A. This is an internal control deficiency, not an inherent limitation of the internal control system. B. (Correct!) The inherent limitations of internal control include the possibility of management override of controls.C. ‘This is an internal control deficiency, not an inherent limitation of the internal control system. D. This is an internal control deficiency, not an inherent limitation of the internal control system. Question #34 (aices.c7oss2au0) ‘A. If control risk based on the auditor's sample is LESS than the true operating effectiveness, the auditor has assessed control risk too low. B. If the auditor believes that the control activity relates to the client's assertions when it really doesn't, the auditor has simply performed ineffectively (testing the wrong controls). Such testing would most likely result in the auditor assessing control risk too low, rather than too high. C. If the auditor believes that the control activity will reduce the extent of substantive testing when it really won't, the auditor has simply performed ineffectively (testing the wrong controls). Such testing would most likely result in the auditor assessing control risk too low, rather than too high D. (Correct!) When the auditor assesses control risk too high, it means that the auditor's sample indicates that the control is NOT working properly when it really is. Thus, control risk based on the auditor's sample is higher than the true operating effectiveness of the control would warrant. Question #35 (aicra.c20511AuD-Au) ‘A. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the assertion of rights and obligations, It does not address presentation and disclosure. B. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are valid; i-e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the assertion of rights and obligations. It does not address presentation and disclosure. C. (Correct!) Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the assertion of rights and obligations. It does not address presentation and disclosure. D. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the assertion of rights and obligations. It does not address presentation and disclosure. Question #36 (aicra.c20s06au0-Av) A. Control environment factors must also be documented, B. Control activities must also be documented. C. (Correct!) The auditor is always required to obtain a sufficient understanding of the internal control system in order to plan the audit. This understanding must be documented, regardless of the level at which control risk is to be assessed. Control activities and control environment factors are both components of the internal control system. As a result, they would both be documented, D. Both control activities and control environment factors must be documented.