Wiley CPAexcel’
TnesmeWecaneeaneontet er)
Preliminary Evaluation of
Intemal Control
+ If "effective" — consider the possibility of
assessing control risk at less than the
maximum level (which means “reliance”);
consider “cost-benefit” issues
“Inherent Limitations”
The design and implementation of internal
control is a management responsibility!
“Reasonable assurance” recognizes “cost-
benefit” considerations,
The costs of a control policy/procedure should
not outweigh the benefits from it
+ Mistakes may occur due to
misunderstandings, misjudgments, or
fatigue (the human element)
+ Breakdowns can occur due to collusion or
management “override” of internal control
Preliminary Evaluation of
Intemal Control
+ Based on the auditor’s understanding of the
“design” of internal control — make a
preliminary evaluation of its effectiveness
(and document the auditor's basis for
conclusions)
+ If “ineffective” — assess control risk at the
maximum level (which means “no
reliance”); perform a wholly substantive
audit approach
Evaluating “Operating Effectiveness”
+ When assessing control risk at less than the
maximum level, perform “tests of control” to
evaluate the operating effectiveness of
controls
+ Re-evaluate the expectation of operating
effectiveness based on the results of those
tests of control
+ Prepare the required written “audit
plan” (also called “audit program") designed
to achieve an appropriate level of detection
risk
Auditor's Consideration of I/CReview Question
The ultimate purpose of assessing control riskis
to contribute to the auditor's evaluation of the:
A, Factors that raise doubts about the
auditability of the financial statements
Internal Control Concepts 2
1. Preliminary Evaluation of Internal Control
The auditor may initially consider whether "reliance" on certain specific internal control strengths is appropriate.
The auditor may consider "assessing control risk at less than the maximum level."
‘A. Consider the apparent adequacy of controls (regarding “design” effectiveness) -- If internal control
is perceived to be “ineffective,” the auditor would assess control risk at the maximum level
Consider the possible types of errors or problems that could occur.
1
2. Consider the kinds of procedures that would prevent and/or detect such errors or problems.
3. Determine whether such controls are in place,
4.
Evaluate the implications of any identified weaknesses,
B. Consider cost-benefit tradeoffs -- Reliance on internal controls "buys" a reduction of substantive audit
work to some degree, but it "costs" additional effort to perform tests of control (and this may or may not
be cost beneficial, even if the design of internal control is perceived to be effective).
C. The auditor should document the basis for conclusions about internal control -- either way, whether
Internal control is perceived to be effective or ineffective.
II, Perform
‘ests of Controls”
If reliance is planned (regarding “operating effectiveness") ~- "reliance" means the same thing as "to assess
control risk at less than the maximum level" for purposes of accepting a somewhat higher level of detection risk.
A. Perform "tests of controls" -- but only for those specific control policies and procedures (strengths that
Justify accepting a somewhat higher level of detection risk) on which reliance is planned.
B. The purpose of performing tests of control is to verify that the controls that looked good "on paper”
(design effectiveness) were actually working as intended throughout the period (operating
effectiveness),
C. Circumstances that warrant performing tests of control (associated with a "reliance" strategy): (1) when
the auditor's risk assessment includes an expectation regarding the operating effectiveness of controls; or
(2) when the performance of substantive procedures alone do not limit audit risk to an acceptably low
level.
D. When performing “tests of controls” -- Select a sample of transactions and verify that the control
procedures of interest were, in fact, performed on the transactions in the sample which usually requires
that the control procedure be documented as it is performed. Undocumented controls may be tested by
the auditor's "observation" of the entity's performance of such controls.
II], Reevaluate Planned Reli
nce Based on the Results of These Tests of Controls
Determine whether the results of the tests of controls are consistent with the planned reliance on internalcontrols. (What looked good on paper may not be working satisfactorily in reality.)
IV. Develop a Detailed Audit Plan
(Also referred to as an “audit program") The auditor should prepare a written audit plan that specifies the nature,
timing, and extent of further audit procedures to be performed, and the auditor should document the conclusions
about control risk in planning the audit
‘A. Awholly substantive audit approach means "no reliance” on internal control (which means the same thing
as "assessing control risk at the maximum level"). In other words, the auditor plans to meet the audit risk
objectives by performing only substantive audit procedures without any expectation about the operating
effectiveness of internal control, Tests of control would not be performed.
B. Auditors may base their audit conclusions on both tests of controls and substantive audit procedures,
although the auditor must always perform substantive procedures to some extent (i.e., the auditor cannot
rely entirely on the operating effectiveness of internal control as a sole basis for conclusions), related to
“detection risk" in the audit risk model.
Auditor’s Consideration of I/C
4 Main -Pase” ‘Richer
Lominn 2 Miles. Perermtbe Reta a
tndvandiget peney ——appplinetntiol mance bacden vanes!
Vclonddoament Crakeorabout Seer Vedas rndsefthteas | AODrate [—P] tare on ye
iy relianceon VC planned of contol tests of mie
(emir edey contro on
civcendt
tnt)
Yes
ermine
Effective, neem the
vt 2 titre Ting
4. initia
‘tier of
Review of Preliminary sonore
7 evaluation an
of VC roca
Inettective [No
Disclaim an Donat rey] [ Bonet raiven Piverste
on W/C(usea — required
wholly atten written aus
substantive ial enariac program (the
from the audit eee audit
audit approach) strategy)
4. Re-evaluste
clanned
opinion or
withdraw
V. Inherent Limitations
The design and implementation of internal control is a management function (not the auditor's responsibility!)
and management must evaluate the applicable costs and benefits in the design and implementation of their
internal control policies and procedures.
‘A. The costs of internal controls should not outweigh the benefits attributable to those controls -- as a result,
controls provide reasonable (not absolute) assurance.
B. Mistakes may occur as a result of employees’ misunderstandings, misjudgments, carelessness, fatigue,
etc,
C. Segregation of duties may break down due to collusion (a conspiracy among employees or management to
circumvent internal controls) or management's "override" of controls -- override refers to management
imposing controls downward on subordinates without intending to be affected by those controls
themselves.engagement?
Answer
substantive procedures).
Question:
?)) Why must auditors consider an entity's internal control in planning the audit
In order to plan an effective and efficient audit, auditors must assess control risk as a
basis for setting the appropriate level of "detection risk” related to their substantive
auditing procedures (specifically, to determine the nature, timing, and extent of those
Flashcards
Flashcard #1 (Fc6799)
When should the auditor assess the design effectiveness
of internal control?
In planning every audit under GAAS, as a basis for
determining the nature, timing, and extent of further
audit procedures.
Flashcard #2 (Fc6800)
When should the auditor assess the operat
effectiveness of internal control?
Whenever the auditor contemplates a reliance strategy
(which means the same thing as "assessing control risk at
less than the maximum level") and only after performing
the appropriate tests of control
Flashcard #3 (Fc6798)
Identify 2 reasons for assessing control risk at the
maximum level.
1. The auditor believes that the design of internal
control is ineffective; or
2. The auditor believes that reliance on internal
control (and performing applicable tests of control)
is not an efficient audit strategy compared to a
wholly substantive audit approach.
Flashcard #4 (Fco491)
Identify 3 inherent limitations of internal controls?
1. Cost of controls should not exceed expected
benefits
2. Mistakes may occur due to carelessness, fatigue,
misjudgments, etc.
3. Segregation of duties may break down due to
collusion or management override of internal
controls.
Proficiency Questions
Question #1 (298275)
The auditor should perform tests of control whenever the auditor concludes that the design of internal
control appears to be effective.
True
False
Question #2 (ras117)
The probability that mistakes are more likely as employees become fatigued is not an inherent limitation
of internal control.
True
FalseQuestion #3 _(eqos13)
Tests of control should be performed whenever the auditor assesses control risk at the maximum level.
True
False
Question #4 (290915)
Internal control should provide "reasonable assurance" that the entity's control obje
achieved, meaning that the costs associated with internal control should not outweigh the benefits.
True
False
Question #5 (290903)
Auditors must obtain a sufficient understanding of internal control in planning the audit primarily
because control risk affects the level of detection risk that is appropriate in the circumstances.
True
False
Question #6 (290904)
Detection risk is effectively set by the auditor when decisions about the nature, timing, and extent of
substantive audit procedures are made.
True
False
Past Exam Questions
Question #1 (aicea.s70515auD-Av)
Which of the following procedures would an auditor most likely perform to test controls relating to
management's assertion about the completeness of cash receipts for cash sales at a retail outlet?
Observe the consistency of the employees’ use of cash registers and tapes.
A,
B. Inquire about employees’ access to recorded but undeposited cash.
C. Trace the deposits in the cash receipts journal to the cash balance in the general ledger.
D.
Compare the cash balance in the general ledger with the bank confirmation request.
Question #2 (aicea.951126au0-av)
In addition to evaluating the frequency of deviations in tests of controls, an auditor should also consider
certain qualitative aspects of the deviations. The auditor most likely would give broader consideration to
the implications of a devi was
The only deviation discovered in the sample.
A
B, Identical to a deviation discovered during the prior year’s audit.
C. Caused by an employee's misunderstanding of instructions.
D.
Initially concealed by a forged document,
Question #3 (aicra.ss1124au0-Av)
When assessing control risk below the maximum level, an auditor is required to document the auditor'sUnderstanding of the entity's control Basis for concluding that control risk is below the
environment um level
Yes No
No Yes
Yes Yes
No No
Question #4 aicpa.s511234u0-Au)
After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in
the assessed level of control risk. At this time, the auditor would consider whether
It would be efficient to obtain an understanding of the entity's accounting system,
The entity's internal control structure polices and procedures have been placed in operation.
The entity's internal control structure polices and procedures pertain to any financial statement assertions.
Additional evidential matter sufficient to support a further reduction is likely to be available.
jon #5 _(aicea.9511220UD-AU)
Assessing control risk at below the maximum level most likely would involve
A. Performing more extensive substantive tests with larger sample sizes than originally planned.
B, Reducing inherent risk for most of the assertions relevant to significant account balances.
C. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year
end,
D. Identifying specific internal control structure policies and procedures relevant to specific assertions.
Question #6 (aicea.951121AU0-av)
An auditor assesses control risk because it
Is relevant to the auditor's understanding of the control environment.
A
B. Provides assurance that the auditor's materiality levels are appropriate.
C. Indicates to the auditor where inherent risk may be the greatest.
D.
Affects the level of detection risk that the auditor may accept,
Question #7 (aicps.ss1120au0-Au)
Which of the following statements is correct concerning an auditor's assessment of control risk?
‘A. Assessing control risk may be performed concurrently during an audit with obtaining an understanding of
the entity's internal control structure.
B. Evidence about the operation of control procedures in prior audits may not be considered during the
current year's assessment of control risk.
C. The basis for an auditor's conclusions about the assessed level of control risk need not be documented
unless control risk is assessed at the maximum level.
D. The lower the assessed level of control risk, the less assurance the evidence must provide that the control
procedures are operating effectively.
Question #8 arcpa.ss1118au0-Av)
In assess
19 control risk, an auditor ordinarily selects from a variety of techniques, inclu
A. Inquiry and analytical procedures.
B, Reperformance and observation:C. Comparison and confirmation
D. Inspection and verification.
Question #9 (aices.9s1104au0-av)
Which of the following auditor concerns could most likely be so serious that the auditor concludes that a
financial statement audit cannot be conducted?
The entity has no formal written code of conduct.
The integrity of the entity's management is suspect.
Procedures requiring segregation of duties are subject to management override
gogp
Management fails to modify prescribed controls for changes in conditions.
Question #10 (aicea.950533AuD-Au)
After obtaining an understanding of the internal control structure and asses:
decided to perform tests of controls. The auditor most likely decided that
19 control risk, an auditor
‘A. It would be efficient to perform tests of controls that would result in a reduction in planned substantive
tests.
B. Additional evidence to support a further reduction in control risk is not available.
. An increase in the assessed level of control risk is justified for certain financial statement assertions
D. There were many internal control structure weaknesses that could allow errors to enter the accounting
system.
Question #11 aicra.ssoszsAun-Av)
When an auditor assesses control
auditor's
‘ed to document the
k at the maximum level, the auditor is req
Understanding of the entity's accounting Basis for concluding that control risk is at the
system maximum level
No No
No Yes
Yes No
Yes Yes
Question #12 caicra.ssos27AUD-AU)
Control risk should be assessed
terms of
Specific control procedures.
Types of potential irregularities.
Financial statement assertions.
gogP
Control environment factors.
Question #13 (aica.ss1132Au0-Au)
Which of the following is a step in an auditor's decision to assess control risk at below the maximum?
‘A. Apply analytical procedures to both financial data and nonfinancial information to detect conditions that
may indicate weak controls.
B. Perform tests of details of transactions and account balances to identify potential errors and irregularities,
C. Identify specific internal control policies and procedures that are likely to detect or prevent material
misstatements.
D. Document that the additional audit effort to perform tests of controls exceeds the potential reduction in‘substantive testing.
Question #14 (aicpa.se11300u0-Au)
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that
Tests of controls may fail to identify procedures relevant to assertions.
Material misstatements may exist in the financial statements.
Specified controls requiring segregation of duties may be circumvented by collusion.
gogp
Entity policies may be overridden by senior management.
Question #15 (aicea.41113AuD-au)
Which of the following circumstances most likely would cause an auditor to consider whether material
misstatements exist in an entity's financial statements?
Management places little emphasis on meeting earnings projections.
The board of directors makes all major financing decisions.
Significant deficiencies previously communicated to management are not corrected,
SogP
Transactions selected for testing are not supported by proper documentation.
Question #16 (aicpa.ser110au0-au)
On the basis of audit evidence gathered and evaluated, an auditor decides to increase the assessed level
of control risk from that originally planned. To achieve an overall audit risk level that is substantially the
same as the planned audit risk level, the auditor would
Decrease substantive testing.
A
B, Decrease detection risk.
C. Increase inherent risk,
D.
Increase materiality levels.
Question #17 a1cra.ssos2sauo-au)
After obtaining an understanding of the internal control structure and assessing control risk, an auditor
decided not to perform additional tests of controls. The auditor most likely concluded that the
Additional evidence to support a further reduction in control risk was not cost beneficial to obtain.
Assessed level of inherent risk exceeded the assessed level of control risk.
Internal control structure was properly designed and justifiably may be relied on.
gog>
Evidence obtainable through tests of controls would not support an increased level of control risk.
Question #18 (aicra.s40524au0-Av)
An auditor uses the assessed level of control risk to
Evaluate the effectiveness of the entity's internal control policies and procedures.
A
B. Identify transactions and account balances where inherent risk is at the maximum
C. Indicate whether materiality thresholds for planning and evaluation purposes are sufficiently high
D.
Determine the acceptable level of detection risk for financial statement assertions,
Question #19 (aicra.s405220U0-AU)
ich of the following most likely would not be consi
effectiveness of an entity's internal control structure?Incompatible duties.
Management override,
Mistakes in judgment,
gagp
Collusion among employees.
Question #20 aicra.gs11224u0-au)
Which of the following statements concerning control risk is correct?
‘A. Assessing control risk and obtaining an understanding of an entity's internal control structure may be
performed concurrently.
B. When control risk is at the maximum level, an auditor is not required to document the basis for that
assessment,
C. Control risk may be assessed sufficiently low to eliminate substantive testing for significant transaction
classes.
D. When assessing control risk, an auditor should not consider evidence obtained in prior audits about the
‘operation of control procedures.
Question #21 aicea.s30s12Au0-Au)
In obtaining an understanding of an entity's
‘ternal control structure, an auditor is required to obtain
knowledge about the
Operating effectiveness of policies and procedures Design of policies and procedures
Yes Yes
No Yes
Yes No
No No
Question #22 (aicea.930507AuD-Au)
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the
Factors that raise doubts about the auditability of the financial statements,
Operating effectiveness of internal control policies and procedures.
Risk that material misstatements exist in the financial statements.
gog>
Possibility that the nature and extent of substantive tests may be reduced,
Question #23 (aicra.s205420U0-AU)
h of the following is not a step in an auditor's decision to assess control risk at below the maximum?
Evaluate the effectiveness of the internal control procedures with tests of controls.
Obtain an understanding of the entity's accounting system and control environment.
Perform tests of details of transactions to detect material misstatements in the financial statements.
gogp>
Consider whether control procedures can have a pervasive effect on financial statement assertions.
Question #24 (aicra.s20540au0-AU)
As part of understanding the internal control structure, an audi
ris not required to
Consider factors that affect the risk of material misstatement.
A
B. Ascertain whether internal control structure policies and procedures have been placed in operation.
C. Identify the types of potential misstatements that can occur.
D
Obtain knowledge about the operating effectiveness of the internal control structure.Question #25 (aicea.11134au0-au)
After obtaining an understanding of the internal control structure and assessing control risk of an entity,
an auditor decided not to perform tests of controls. The auditor most likely decided that
A. The available evidential matter obtained through tests of controls would not support an increased level of
control risk,
B. A reduction in the assessed level of control risk is justified for certain financial statement assertions.
C. It would be inefficient to perform tests of controls that would result in a reduction in planned substantive
tests,
D. The assessed level of inherent risk exceeded the assessed level of control risk
Question #26 aicra.si0s27Au0-AU)
An auditor may des
auditor believes
je to assess control risk at the maximum level for cert
assertions because the
Sufficient evidential matter to support the assertions is likely to be available.
Evaluating the effectiveness of policies and procedures is inefficient.
More emphasis on tests of controls than substantive tests is warranted,
gog>
Considering the relationship of assertions to specific account balances is more efficient.
Question #27 (aicra.s105220U0-Av)
An auditor assesses control risk because it
Indicates where inherent risk may be the greatest.
Affects the level of detection risk the auditor may accept.
Determines whether sampling risk is sufficiently low.
gog>
Includes the aspects of nonsampling risk that are controllable.
Question #28 (aicra.so1145AU0-Av)
To obtain evidential matter about control risk, an auditor ordinarily selects tests from a variety of
techniques, including
Analysis.
Confirmation.
Reperformance.
gog>
Comparison.
Question #29 (aicra.so0530au0-Av)
h of the following statements about internal control structure is correct?
‘A. A properly maintained internal control structure reasonably ensures that collusion among employees
cannot occur.
B. The establishment and maintenance of the internal control structure are important responsibilities of the
internal auditor.
C. An exceptionally strong internal control structure is enough for the auditor to eliminate substantive tests
on a significant account balance
D. The cost-benefit relationship is a primary criterion that should be considered in designing an internal
control structure.
Question #30 (aica.:30710au0)An auditor is evaluating a client's internal controls. Which of the following situations would be the most
difficult internal control issue for an auditor to detect?
‘A. The accounting staff neglects the control, due to increased transactions to be processed.
B. The technology department writes a program that does not properly implement the control, due to a lack
of understanding,
C. Two employees, who work in different departments, are circumventing an internal control.
D, Someone erroneously disables edit checks in a software program designed to identify control exceptions.
Question #31 (aicea.s207340u0)
Which of the following statements best describes why an auditor would use only substantive procedures
to evaluate specific relevant assertions and risks?
The relevant internal control components are NOT well dacumented,
The internal auditor already has tested the relevant controls and found them effective.
Testing the operating effectiveness of the relevant controls would NOT be efficient.
GogP
The cost of substantive procedures will exceed the cost of testing the relevant controls.
Question #32 (1icea.:11167u0)
wi
h of the following statements is correct regarding internal control?
A. A well-designed internal control environment ensures the achievement of an entity's control objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by management
override,
C. Awell-designed and operated internal control environment should detect collusion perpetrated by two
people.
D. Internal control is a necessary business function and should be designed and operated to detect all errors
and fraud
Question #33 (arcra.ov0786.Au0-Av)
Which of the following represents an inherent limitation of internal controls?
Bank reconciliations are not performed on a timely basis.
The CEO can request a check with no purchase order,
Customer credit checks are not performed.
gop
Shipping documents are not matched to sales invoices,
Question #34 caices.c7osa2au0)
As a result of tests of controls, an auditor assesses control risk too high. Thi
likely occurred because
correct assessment most
‘A. Control risk based on the auditor's sample is less than the true operating effectiveness of the client's
control activity.
B. The auditor believes that the control activity relates to the client's assertions when, in fact, it does not
C. The auditor believes that the control activity will reduce the extent of substantive testing when, in fact, it
will not.
D. Control risk based on the auditor's sample is greater than the true operating effectiveness of the client's
control activity.
Question #35 aica.cz0si1Auo-au)
An auditor observed that a client mails monthly statements to customers. Subsequently, the auditor
reviewed evidence of follow-up on the errors reported by the customers. This test of controls most likelywas performed to support management's financial statement assertion(s) of
Presentation and disclosure Rights and obligation
Yes Yes
Yes No
No Yes
No No
Question #36 (aicra.c20s06au0-Av)
When assessing control risk at below the maximum level, an auditor is required to document the
auditor's understanding of the I. Entity's control activities that help ensure management directives are
carried out.
II. Entity's control environment factors that help the auditor plan the engagement.
A, Tonly,
B. Ionly.
C. Both I and II.
D. Neither I nor I
Proficiency Question Answers
Question #1: False
Question #2: False
Question #3: False
Question #4: True
Question #5: True
Question #6 : True
Past Exam Question Answers
Question #1 aicra.s7osisauo-av)
A. (Correct!) The cardinal rule regarding cash receipts is to ensure that they are recorded. By requiring employees to
record all sales in the cash register and to give customers the cash register tape evidencing the sale, companies can
ensure that all cash sales are recorded (the completeness of cash receipts for cash sales). The auditor can test controls by
‘observing employees’ use of cash registers and tapes,
B. Relates to controls over recorded cash, not unrecorded cash. Completeness in this question refers to the recording of all
cash sales. If cash has been recorded and then is subsequently stolen, the problem becomes existence, rather than
completeness. (Recorded cash that has been stolen no longer exists.)
C. This relates to controls over recording accuracy or valuation, Tracing deposits in the cash receipts journal to the general
ledger ensures that such deposits are accurately recorded. This is a control related to valuation, not completeness. (Note:
This procedure could also be considered a substantive test of transactions.)
D, Relates to a substantive auditing procedure. Confirming the bank balance is a required substantive procedure for
auditing cash. It is not a test of controls. In addition, confirming the bank balance provides evidence of existence, rather
than completeness
Question #2 (aices.9511268u0-av)
‘A. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an
intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that a single
deviation was found would impact only the computation of the upper error limit.
B. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an
intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that an
identical error was found last year would not by itself provide a reason for giving broader consideration to the error.C. The auditor must consider both qualitative and quantitative aspects of deviations. In particular, forgery indicates an
intentional act of manipulation and concealment which potentially impacts other areas of the audit. The fact that the
error was caused by an employee's misunderstanding is a reflection of the inherent limitations of internal control and
would not by itself be a reason to give broader consideration to the error.
D. (Correct!) A deviation will receive more consideration if itis initially concealed by a forged document. The forgery
indicates a planned and intentional effort to conceal an irregularity as opposed to a deviation resulting from an error. The
auditor must consider both the qualitative and quantitative aspects of deviations noted. Qualitative aspects, in particular,
are important because of the potential impact on other areas of the audit.
Question #3 (aicpa.ss1124qu0-Av)
A. This answer is incorrect because of the "No" in the second column. The auditor is required to document his/her
understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of
control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at
below the maximum level, the auditor is required to document his/her basis for that conclusion.
B. This answer is incorrect because of the "No" in the first column, The auditor is required to document his/her
understanding of the entity's control environment as well as the conclusion reached regarding the assessed level of
control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at
below the maximum level, the auditor is required to document his/her basis for that conclusion.
C. (Correct!) The auditor is required to document his/her understanding of the entity's control environment as well as
the conclusion reached regarding the assessed level of control risk IN ALL CASES. These are not optional steps. If an
auditor concludes that control risk may be assessed at below the maximum level, the auditor is required to document
his/her basis for that conclusion.
D. This answer is incorrect because of the "No's" in the first and second columns. The auditor is required to document
his/her understanding of the entity's control environment as well as the conclusion reached regarding the assessed level
of control risk IN ALL CASES. These are not optional steps. If an auditor concludes that control risk may be assessed at
below the maximum level, the auditor is required to document his/her basis for that conclusion.
Question #4 (aicen.9511230UD-AU)
‘A. An auditor is required by GAAS to obtain an understanding of the entity's information system relevant to financial
reporting. This step would be performed before assessing control risk. The issue of "efficiency" is not relevant in this
instance.
B. In obtaining an understanding of the internal control structure, the auditor must determine which internal controls are
relevant to any financial statement assertions and whether such controls have been placed in operation. This step is
performed first, before an assessment of control risk is made.
C.In obtaining an understanding of the internal control structure, the auditor must determine which internal controls are
relevant to any financial statement assertions and whether such controls have been placed in operation. This step is
performed first, before an assessment of control risk is made.
D, (Correct!) If the auditor desires to further reduce the assessed level of control risk, he/she must first consider
whether additional evidence will be available to support such a reduction. The auditor must also consider whether it would
be efficient (cost-effective) to collect such evidence.
Question #5 aicpa.os112200-Au)
A. The extent of substantive testing is based on the assessment of control risk. Assessing control risk below maximum
means that there are controls in place which are believed to lessen the risk of a material misstatement occurring
undetected in the financial statements. As a result, less extensive rather than more extensive substantive testing would
be performed with smaller rather than larger sample sizes.
B. Control risk pertains to the risk of a material misstatement occurring which is not prevented or detected by the internal
control system. Inherent risk relates to the risk of a material misstatement occurring in an account or a transaction
without regard to the related internal controls. The two risks are assessed independently; it does not make sense for the
assessment of inherent risk to be reduced as a result of a control risk assessment below maximum.
C. Assessing control risk below maximum means that there are controls in place which are believed to lessen the risk of a
material misstatement occurring undetected in the financial statements, As a result, the timing of substantive tests could
be moved TO interim rather than at year end. Evidence collected at an interim date is less competent than evidence
collected at year end because of the additional risk that the year end balances may be materially misstated caused by
collecting evidence early.
D. (Correct!) In order to assess control risk below maximum the auditor must collect evidence to support the reduction.
Collecting such evidence involves identifying specific internal controls relevant to specific assertions and then performing
tests of controls to evaluate the effectiveness of the controls.Question #6 (aicra.951121AUD-Av)
‘A. The auditor must obtain an understanding of the control environment BEFORE determining the assessed level of,
control risk, That understanding is then used to assess control risk
B. An assessment of control risk does NOT provide assurance that the auditor's materiality levels are appropriate.
Assessed control risk and assessed inherent risk enable the auditor to set detection risk and to determine the nature,
timing, and extent of the auditing procedures to be performed.
C. Control risk and inherent risk are independently assessed risks. Inherent risk pertains to the risk that a material
misstatement will occur in an account or a transaction without considering related internal controls. Control risk relates to
the risk that the internal controls will not prevent or detect a material misstatement in an account or a transaction. It
does not make sense, therefore, for the control risk assessment to indicate where inherent risk may be the greatest,
D. (Correct!) An auditor uses the assessed levels of control and inherent risk to establish the level of detection risk that
the auditor may accept.
Question #7 (aicpa.951120nu0-Av)
A. (Correct!) Understanding internal control and assessing control risk are steps which may be performed concurrently
in an audit. The evidence collected to achieve one objective may also be used for the other objective. For example,
inquiries and information gathered about management's use of budgets in order to understand the control environment
may also be used as a test of control over the effectiveness and operation of the budgeting control.
B, Evidence about the operation of controls in prior audits IS a factor impacting an auditor's current year assessment of
control risk.
C. The basis for an auditor's conclusions about the assessed level of control risk needs to be documented regardless of the
level of control risk assessed.
D. The lower the assessed level of control risk, the MORE assurance evidence must provide that the controls are operating
effectively. An assessment of control risk below maximum must be supported by the collection of evidence indicating the
controls are operating effectively. An assessment of control risk at maximum does not require the collection of evidence
about the operation of the controls; however, it does require documentation of the basis for the assessment at
maximum:
Question #8 (aicra.ssi11e,u0-AV
A. While inquiry is a procedure used in testing controls, analytical procedures are not. Analytical procedures are performed
during planning, as substantive procedures, and during the final review
B. (Correct!) Tests of controls directed toward effectiveness or operation of a control would ordinarily include inquiries,
inspections of documents, observation, and reperformance of the application of a control. Thus, both reperformance and
‘observation are used by an auditor to assess control risk,
C. Comparison and confirmation are substantive auditing procedures. They are not tests of controls used in assessing
control risk.
D. Although inspection can be used as a test of control to assess control risk, verification is a substantive auditing
procedure.
Question #9 (aicea.9s1104au0-av)
‘A. The lack of a formal written code of conduct is a weakness in the control environment which would be taken into
consideration in planning and conducting the audit. It would not normally, however, be considered so serious that the
auditor would immediately withdraw from the engagement.
B, (Correct!) The auditor would decide that an audit could not be conducted if management integrity were questioned,
Management integrity is such a critical component of an effective internal control environment that the suspected lack
thereof would be cause for the auditor to withdraw from the engagement,
C. Management override is always a possibility and is an inherent limitation of an internal control structure. It would not
normally be considered serious enough to warrant withdrawal from the audit.
D. Management's failure to modify prescribed controls for changes in conditions has potential ramifications for the conduct
of the audit. For example, additional or more extensive audit procedures might have to be performed if the failure has
resulted in an increased risk of material misstatement. The failure, however, would not normally be considered so serious
that the auditor would immediately withdraw from the engagement.
Question #10 arcpa.ss0s33aun-Au)
A. (Correct!) After obtaining an understanding of internal control and assessing control risk, an auditor will perform tests
of controls, if it is believed that such performance will result in a reduction in planned substantive tests. If theperformance of tests of controls would not result in @ reduction in substantive testing, completing tests of controls would
be inefficient and therefore should not be performed.
B. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of
controls if additional evidence to support a further reduction in control risk were not considered to be available. Tests of
controls could only be performed if such evidence were available.
C. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of
controls if an increase in the assessed level of control risk were considered to be justified for certain financial statement
assertions. Tests of controls are performed to support reductions, not increases, in control risk.
D. After obtaining an understanding of internal control and assessing control risk, an auditor would not perform tests of
controls if the auditor believed that there were many internal control weaknesses that could allow errors to enter the
accounting system. Such a belief would warrant assessment of control risk at maximum eliminating any need for the
performance of tests of controls.
Question #11 (aicra.s505290U0-Av)
‘A. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also
required to document the basis for the assessment of control risk, including when control risk is assessed at maximum.
B. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also
required to document the basis for the assessment of control risk, including when control risk is assessed at maximum:
C. The auditor is required to document the understanding of the system obtained to plan the audit. The auditor is also
required to document the basis for the assessment of control risk, including when control risk is assessed at maximum.
D. (Correct!) The auditor is required to document the understanding of the system obtained to plan the audit. The
auditor is also required to document the basis for the assessment of control risk, including when control risk is assessed at
maximum!
Question #12 (aicra.sso527AU0-AU)
‘A. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found
in the account balance, transaction class, or disclosure components. Control risk is not assessed for specific controls.
Rather, individual controls are important only in so far as they relate to a specific assertion. The auditor may decide that a
reduction in control risk for an assertion may be supported through the testing of a specific control or controls.
B. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found
in the account balance, transaction class, or disclosure components. Contral risk is not assessed for the types of potential
irregularities which may be present in the financial statements. Identification of the types of potential irregularities aids
the auditor in identifying the assertions which are subject to greater inherent risk and thus require stronger controls to
prevent material misstatements.
C. (Correct!) The auditor assesses control risk for the assertions present in the financial statements. Such assertions
may be found in the account balance, transaction class, or disclosure components, Based upon the understanding of
internal control and the control risk assessments, the auditor determines the nature, timing, and extent of the auditing
procedures to be performed.
D. The auditor assesses control risk for the assertions present in the financial statements. Such assertions may be found
in the account balance, transaction class, or disclosure components. Control risk is not assessed for control environment
factors. Rather, the control environment factors are considered when assessing control risk.
Question #13 arcea.ss11320u0-au)
A. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that
are likely to detect or prevent material misstatements and the testing of those controls. It does not involve the
performance of analytical procedures. Analytical procedures are performed during planning, as substantive procedures,
and during the overall review. They are not used to test controls.
B. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that
are likely to detect or prevent material misstatements and the testing of those controls. It does not involve the
performance of tests of details of transactions and account balances. Such tests are performed as substantive procedures.
‘They are not used to test controls.
C. (Correct!) An auditor's assessment of control risk at below the maximum requires identification of specific internal
controls that are likely to detect or prevent material misstatements and the testing of those controls,
D. An auditor's assessment of control risk at below the maximum requires identification of specific internal controls that
are likely to detect or prevent material misstatements and the testing of those controls, If the cost of performing the
tests of controls exceeds the benefit derived; i.e. the reduction in substantive testing, the tests of controls would not be
performed and the assessment of control risk would not be reduced below the maximum,Question #14 (aicra.s41130AUD-au)
‘A. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that tests of
controls may fall to identify procedures relevant to the assertions, Tests of controls are performed AFTER procedures
relevant to the financial statement assertions have been identified. The primary purpose of such tests is to determine the
operating effectiveness of tested controls,
B. (Correct!) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that
material misstatements may exist in the financial statements. The assessment of control risk combined with the
assessment of inherent risk aids the auditor in identifying where material misstatements might exist in the financial
statements. The auditor must then select and perform the auditing procedures necessary to detect material
misstatements, if they exist.
C. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that specified
controls requiring segregation of duties may be circumvented by collusion. The risk of collusion is an inherent limitation of
any system of internal control.
D. The ultimate purpose of assessing control risk is NOT to contribute to the auditor's evaluation of the risk that entity
policies may be overridden by senior management. The risk of management override of controls is an inherent limitation
of any system of internal control
Question #15 arcra.ssi1i3aun-au)
‘A. Management's failure to place emphasis on meeting earnings projections would not lead the auditor to consider
whether material misstatements exist. Rather, the presence of such an emphasis would be considered a potentially
Positive risk factor reducing the potential presence of material misstatements. If management is placing little emphasis on
meeting projections, then there is less pressure to overstate actual results,
B. An active board of directors that makes all major financing decisions would be considered a positive control
environment factor. It would not cause an auditor to consider whether material misstatements exist.
C. The presence of uncorrected significant deficiencies would not necessarily cause the auditor to consider whether
material misstatements exist. Management is able to apply cost-benefit considerations when deciding whether to correct
internal control weaknesses.
D, (Correct!) If transactions selected for testing are not supported by proper documentation, a concern as to the validity
of the tested transactions will be raised. As a result, the auditor will consider whether material misstatements exist in an
entity's financial statements,
Question #16 (aicra.ss1110,u0-aU)
‘A. The auditor would not decrease substantive testing as a result of an increase in control risk. Control risk and detection
risk are inversely related. If control risk increases, detection risk must decrease. When detection risk decreases,
substantive testing increases.
B. (Correct!) If the auditor has decided to increase the assessed level of control risk from that originally planned on the
basis of audit evidence gathered and evaluated, the auditor has performed tests of controls, which do not indicate that
the tested controls are operating effectively. As a result, a lowered control risk assessment is not supported and the
control risk assessment must be increased, The auditor will have to decrease detection risk (and increase substantive
tests) in order to achieve the planned audit risk level. The greater the control risk, the lower detection risk must be.
C. The auditor would not increase inherent risk as a result of an increase in control risk. Control risk and inherent risk are
assessed separately. Inherent risk is the susceptibility of an assertion to a material misstatement without regard to
internal control. Control risk is the risk that a material misstatement will not be prevented or detected by the internal
control structure,
D. The auditor would not automatically increase materiality levels as a result of an increase in assessed control risk.
Materiality is a matter of professional judgment and Is influenced by the auditor's perception of a reasonable person
relying on the financial statements,
Question #17 aicra.ssos2sauo-au)
A. (Correct!) The performance of additional tests of controls would be performed only if such performance were
considered cost-beneficial. The cost of obtaining the additional evidence must be less than the benefits to be derived from
the related reduction in substantive testing,
B. Comparison of the assessed level of inherent risk to the assessed level of control risk is inappropriate for determining
whether to perform additional tests of controls. Inherent risk is the risk of a material misstatement occurring in an
assertion, without regard for the related internal controls. High inherent risk for an assertion would lead the auditor to
look more closely at the relevant internal controls to see if the risk of misstatement has been lessened by a strong
internal control structure and perhaps to consider testing such controls. The primary decision factor, however, would
always be the cost-benefit to be obtained.C. Concluding that the internal control was properly designed and able to be relied upon would precede the performance of
any tests of control. The primary decision factor, however, would be the cost-benefit to be obtained.
D. The auditor tests controls in order to support a reduction in the assessed level of control risk. It would not make sense
for the auditor to conclude that the evidence obtainable through tests of controls would not support an INCREASED level
of control risk
Question #18 (aicra.saos24au0-Av)
A. The statement is reversed. An auditor would not use the assessed level of control risk to evaluate effectiveness. An
auditor evaluates the effectiveness of the entity's internal controls in order to determine the assessed level of control risk
B. The assessment of control risk does not enable the auditor to identify transactions and account balances where
inherent risk is at the maximum. Instead, the auditor first considers his/her assessment of inherent risk in order to
determine where material misstatements are likely to occur. The auditor then obtains the required understanding of the
internal control structure and assesses control risk - the risk that the internal control structure will not prevent or detect
a material misstatement. The control risk assessment is then used to determine the acceptable level of detection risk.
C. The auditor's assessed level of control risk would not be used to indicate whether materiality thresholds are sufficiently
high. Instead, the assessed level of control risk impacts the acceptable level of detection risk and, thus, the evidence
which must be gathered. Control risk is a component of audit risk. Audit risk and materiality are considered together in
determining the nature, timing, and extent of auditing procedures to be performed.
D. (Correct!) The auditor assesses control risk (the risk that the internal control structure will nat prevent or detect a
material misstatement) and inherent risk (the risk of a material misstatement occurring) in order to determine the
acceptable level of detection risk.
Question #19 aicea.s#0sz2au0-Au)
A. (Correct!) A system of internal control can provide only reasonable assurance of achieving an entity's control
objectives because of inherent limitations. These include the fallibility of human judgment and performance and the
possibility of collusion or management override, The answer which is NOT an inherent limitation is A, "incompatible
duties."
B. A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because
of inherent limitations. These include the fallibility of human judgment and performance and the possibilty of collusion or
management override. The answer which is NOT an inherent limitation is A, "incompatible duties.”
C.A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because
of inherent limitations. These include the fallillity of human judgment and performance and the possibility of collusion or
management override. The answer which is NOT an inherent limitation is A, "incompatible duties.”
D. A system of internal control can provide only reasonable assurance of achieving an entity's control objectives because
of inherent limitations. These include the fallibility of human judgment and performance and the possibilty of collusion or
management override. The answer which is NOT an inherent limitation is A, "incompatible duties.”
Question #20 (aicra.931122Au0-Au)
A. (Correct!) Gaining an understanding of internal control and assessing control risk may be performed concurrently.
Procedures performed to obtain an understanding of internal contral may also be used to gather the evidence needed to
assess control risk
B. The auditor is required to document the basis for assessing control risk at maximum. The auditor is also required to
document the basis for a lowered control risk assessment.
C. Substantive testing cannot be eliminated through a lowered assessment of control risk. The auditor must perform
substantive tests for significant account balances and transaction classes.
D. When assessing control risk, the auditor may consider evidence obtained in prior audits about the operation of controls.
In evaluating the use of such evidence, the auditor should consider the significance of the assertion involved, the specific
controls evaluated previously, the degree to which the effective design and operation of those controls were evaluated,
the results of previous tests of controls, and other evidential matter obtained about controls during the audit.
Question #24 arcea.s30si2Au0-Au)
A. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control
components and whether they have been placed in operation. The auditor is NOT required to determine the operating
effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level.
B. (Correct!) An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five
internal control components and whether they have been placed in operation. The auditor is NOT required to determine
the operating effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the
maximum level.C. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control
components and whether they have been placed in operation. The auditor is NOT required to determine the operating
effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level.
D. An auditor must obtain knowledge about the design of relevant controls pertaining to each of the five internal control
components and whether they have been placed in operation. The auditor is NOT required to determine the operating
effectiveness of controls (by testing the controls) unless control risk is to be assessed at below the maximum level.
Question #22 (aica.s30s07Au0-Au)
A. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material
misstatements exist in the financial statements. The auditor considers factors that raise doubts about the auditability of
the financial statements in assessing control risk.
B. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material
misstatements exist in the financial statements. The auditor considers the operating effectiveness of the controls in
gaining an understanding of the internal control structure and in assessing control risk.
C. (Correct!) The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that
material misstatements exist in the financial statements. Assessing control risk and inherent risk help the auditor identify
where misstatements might exist; the auditor then performs auditing procedures to detect those misstatements.
D. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material
misstatements exist in the financial statements. The auditor considers whether to reduce the nature and extent of
substantive tests as a result of assessing control risk.
Question #23 (aicra.s20s42AuD-Au)
‘A. In assessing control risk below maximum, the auditor must:
1) obtain an understanding of the internal control structure;
2) identify specific controls relevant to specific financial statement assertions; and
3) test the identified controls to determine if they are operating effectively. Thus, the auditor would evaluate the
effectiveness of internal control with tests of controls.
B. In assessing control risk below maximum, the auditor must:
1) obtain an understanding of the internal control structure;
2) identify specific controls relevant to specific financial statement assertions; and
3) test the identified controls to determine if they are operating effectively. Thus, the auditor would obtain an
understanding of the entity's accounting system and control environment,
C. (Correct!) In assessing control risk below maximum, the auditor must
1) obtain an understanding of the internal control structure;
2) identify specific controls relevant to specific financial statement assertions; and
3) test the identified controls to determine if they are operating effectively. The auditor would NOT perform tests of details
of transactions. These are substantive procedures which would generally be performed after the assessment of control
risk is made
D. In assessing control risk below maximum, the auditor must:
1) obtain an understanding of the internal control structure
2) identify specific controls relevant to specific financial statement assertions; and
3) test the identified controls to determine if they are operating effectively. In identifying specific controls relevant to
financial statement assertions, the auditor would also consider whether control procedures have a pervasive effect on the
financial statements.
Question #24 (aicra.s205¢0au0-Av)
‘A. In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of
material misstatement, Identify the types of potential misstatements that can occur, and ascertain whether internal
controls have been placed in operation.
‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of
controls).
B. In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material
misstatement, identify the types of potential misstatements that can occur, and ascertain whether internal controls have
been placed in operation.
‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of
controls).
C.In gaining an understanding of internal control, an auditor is required to consider factors that affect the risk of material
misstatement, identify the types of potential misstatements that can occur, and ascertain whether internal controls have
been placed in operation.‘The auditor is NOT required to obtain knowledge about the operating effectiveness of internal control (i.e. perform tests of
controls).
D. (Correct!) In gaining an understanding of internal control, an auditor is required to consider factors that affect the
risk of material misstatement, identify the types of potential misstatements that can occur, and ascertain whether
internal controls have been placed in operation. The auditor is NOT required to obtain knowledge about the operating
effectiveness of internal control (i.e. perform tests of controls)
Question #25 (aicpa.s1113¢0u0-au)
A. The auditor performs tests of controls in order to reduce the assessed level of control risk, not increase it. It would not
make sense for the auditor to conclude that the available evidential matter obtained through tests of controls would not
support an INCREASED level of control risk,
B, The auditor performs tests of controls in order to reduce the assessed level of control risk. He/she would decide not to
perform tests of controls if he/she concluded that a reduction in the assessed level of control risk is NOT justified for
certain financial statement assertions.
C. (Correct!) There is always a cost-benefit tradeoff in testing controls. The auditor tests controls in order to rely on
them and to reduce substantive testing. If testing controls won't reduce substantive testing sufficiently ( i.e., enough to
offset the cost of testing controls), the auditor will opt NOT to test controls. In other words, it would be inefficient to
perform the tests of controls.
D. If the auditor has decided not to perform tests of controls, control risk will be assessed at 100%. The inherent risk
assessment cannot exceed 100%. The auditor could not decide that the inherent risk assessment exceeded the control
risk assessment.
Question #26 (aicra.910527AUD-AU)
A. Control risk may be assessed at the maximum level for certain assertions because the auditor believes that evaluating
the effectiveness of the controls would be inefficient,
The auditor considers whether evidence is likely to be available and whether gathering that evidence would be efficient.
The availability of sufficient evidential matter to support the assertions (assuming that testing would be efficient) would
cause the auditor to consider reducing the control risk assessment rather than assessing it at maximum,
B. (Correct!) Control risk may be assessed at the maximum level for certain assertions because the auditor believes that
evaluating the effectiveness of the controls would be inefficient.
‘The auditor considers whether evidence is likely to be available and whether gathering that evidence would be efficient.
The cost of gathering the additional evidence must be less than the benefit derived from being able to reduce substantive
tests as a result.
C. If the auditor believed that more emphasis should be placed on tests of controls, the auditor would consider reducing
the control risk assessment rather than assessing it at maximum. Tests of controls are performed only if control risk is to
be assessed at less than maximum.
D. If the auditor has decided to assess control risk at maximum, the aucitor will not need to identify specific internal
controls relevant to specific assertions and account balances.
Such identification is made (and related tests of controls performed) when control risk is to be assessed below maximum
Question #27 (aicra.s105220U0-Av)
A. Inherent risk is the risk that a material misstatement will occur without regard to related controls. It is assessed
independently from control risk. Both control and inherent risk are assessed because they affect the level of detection risk
the auditor may accept.
B, (Correct!) Control risk is the risk that material misstatements will occur that are not prevented or detected by the
internal control structure. An auditor assesses control risk (and inherent risk) because they affect the level of detection
risk the auditor may accept.
C. Control risk is the risk that material misstatements will occur that are not prevented or detected by the internal control
structure. A control risk assessment would not determine whether sampling risk was sufficiently low and would precede
any such determination.
D. Control risk is the risk that material misstatements will occur that are not prevented or detected by the internal control
structure. A control risk assessment would not include controllable aspects of nonsampling risk and would precede any
consideration of nonsampling risk.
Question #28 a1cea.so114sauo-Au)
‘A. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They would
not include analysis, confirmation, and comparison which are used for substantive testing,
B. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They wouldnot include analysis, confirmation, and comparison which are used for substantive testing.
C. (Correct!) Procedures performed to evaluate control risk include inquiries of personnel; inspection of documents and
records; observation of activities and operations; and reperformance of the control procedure.
D. Procedures performed to evaluate control risk include inquiry, inspection, reperformance, and observation. They would
not include analysis, confirmation, and comparison which are used for substantive testing,
Question #29 (arcra.so0ss0au0-Av)
‘A. An inherent limitation of any system of internal control is circumvention of controls by collusion among two or more
people, Because of inherent limitations like this one, only reasonable assurance can be provided that an entity will achieve
its control objectives.
B. While an internal auditor's responsibilities frequently include monitoring of the internal control system, the
establishment and maintenance of internal control are the responsibilities of management. Internal audit activities would
be directed more toward evaluation of the adequacy and effectiveness of a company's internal control system as well as
determination of the level of compliance related thereto.
C. The assessed level of control risk can never be sufficiently low as to eliminate all substantive tests on a significant
account balance. The auditor is required to perform substantive tests on significant account balances and transaction
classes regardless of the assessed level of control risk
D. (Correct!) A primary criterion of any system of internal control is the cost-benefit relationship. The cost of an entity's
internal control should not exceed the benefits to be derived,
Question #30 (aices.:307:00U0)
‘A. This is an error that would be more easily identified than an intentional circumvention of controls associated with
collusion.
B. This is an error that would be more easily Identified than an intentional circumvention of controls associated with
collusion.
C. (Correct!) An intentional circumvention of controls associated with collusion involving employees in different
departments would be particularly difficult to detect.
D. This is an error that would be more easily identified than an intentional circumvention of controls associated with
collusion,
Question #31 (aicra.:207340u0)
‘A. When controls are not well documented, the auditor may still be able to gather evidence as to whether such controls
are being properly performed, such as observation. So performing tests of controls in such circumstances might still be
possible.
B. If the internal auditor has determined that controls are effective, it would increase the likelihood that the external
auditor would consider a reliance strategy instead of a wholly substantive audit approach.
C. (Correct!) The auditor would properly choose a wholly substantive audit approach (over a reliance strategy involving
tests of control) when the wholly substantive audit approach is more efficient.
D. If a wholly substantive audit approach is more costly than a reliance strategy involving tests of control, the wholly
substantive audit approach would be viewed as less efficient and would not be chosen by the auditor.
Question #32 (aicea.::11670u0)
A. Internal control (including but not limited to the control environment) provides reasonable (not absolute) assurance of
achieving the entity's control objectives. The word "ensures" is an overstatement,
B. (Correct!) The potential for management override of internal control is considered an inherent limitation and is a
consequence of the natural cost-benefit tradeoffs associated with reasonable assurance.
C. The potential for employees to commit collusion (that is, to conspire to beat the system) is considered an inherent
limitation and is a consequence of the natural cost-benefit tradeoffs associated with reasonable assurance.
D. Internal control provides reasonable (not absolute) assurance of detecting material (not “all") errors and fraud,
Question #33 aicpa.cs0786.0u0-AU)
‘A. This is an internal control deficiency, not an inherent limitation of the internal control system.
B. (Correct!) The inherent limitations of internal control include the possibility of management override of controls.C. ‘This is an internal control deficiency, not an inherent limitation of the internal control system.
D. This is an internal control deficiency, not an inherent limitation of the internal control system.
Question #34 (aices.c7oss2au0)
‘A. If control risk based on the auditor's sample is LESS than the true operating effectiveness, the auditor has assessed
control risk too low.
B. If the auditor believes that the control activity relates to the client's assertions when it really doesn't, the auditor has
simply performed ineffectively (testing the wrong controls). Such testing would most likely result in the auditor assessing
control risk too low, rather than too high.
C. If the auditor believes that the control activity will reduce the extent of substantive testing when it really won't, the
auditor has simply performed ineffectively (testing the wrong controls). Such testing would most likely result in the
auditor assessing control risk too low, rather than too high
D. (Correct!) When the auditor assesses control risk too high, it means that the auditor's sample indicates that the
control is NOT working properly when it really is. Thus, control risk based on the auditor's sample is higher than the true
operating effectiveness of the control would warrant.
Question #35 (aicra.c20511AuD-Au)
‘A. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are
valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the
assertion of rights and obligations, It does not address presentation and disclosure.
B. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are
valid; i-e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the
assertion of rights and obligations. It does not address presentation and disclosure.
C. (Correct!) Follow-up on errors reported by customers provides evidence that the customers exist and that the
receivables are valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence
to support the assertion of rights and obligations. It does not address presentation and disclosure.
D. Follow-up on errors reported by customers provides evidence that the customers exist and that the receivables are
valid; i.e., that the client has the rights to the assets. The auditor's test of controls thus provides evidence to support the
assertion of rights and obligations. It does not address presentation and disclosure.
Question #36 (aicra.c20s06au0-Av)
A. Control environment factors must also be documented,
B. Control activities must also be documented.
C. (Correct!) The auditor is always required to obtain a sufficient understanding of the internal control system in order to
plan the audit. This understanding must be documented, regardless of the level at which control risk is to be assessed.
Control activities and control environment factors are both components of the internal control system. As a result, they
would both be documented,
D. Both control activities and control environment factors must be documented.