1. When assets such as finished goods are being shipped or
received, exactly what controls should be in place?: The
following internal controls apply for the conveyance of assets
between a sender and a recipient:
1. The recipient should reconcile the physical description of the
assets and the shipping documents with documents
independently received.
2. The recipient should count the assets and verify the quantity
received with the appropriate documentation.
3. The recipient should verify the condition of the assets and
should proceed with a freight claim if damage is found. The
recipient should have updated and current instructions for filing
such a claim.
4. The sender conveying the assets to the recipient should obtain
a signed receipt or document copy for the shipment that has been
2. What is the definition of internal control?: Internal control
is a system of policies and procedures designed to provide
reasonable assurance to management that the company's goals
and objectives will be achieved in the following areas:
1. Reliability of financial reporting.
2. Effectiveness and efficiency of operations.
3. Compliance with laws and regulations.
3. The internal control of a company can provide
reasonable assurance of no material misstatements in
the financial statements, but it cannot provide absolute
Why is absolute assurance not possible?: No internal
control system can provide absolute assurance because certain
inherent limitations exist in any system of internal control that
cannot be avoided. Even if systems personnel can design an ideal
system, its effectiveness depends on the competency and
dependability of the people using it. Human beings are prone to
make errors every so often. In addition, management can
override an otherwise effective internal control system at any
4. What is the definition of control risk?
What is the auditor's responsibility in connection with
control risk?: Control risk is the risk that a material
misstatement that has occurred will not be prevented or detected
by a company's internal control in a timely manner.
The auditor must assess the level of control risk that is present in
the internal control of the reporting company.
5. An auditor is performing tests of controls in the
accounting department after identifying the specifically
designed controls for the individual accounting tasks
that should reduce control risk.
How can the auditor test to determine whether these
specific control activities are functioning as efficiently
and as effectively as intended?: To determine whether
specific controls are operating as intended, the auditor can do the
1. Talk with the applicable entity personnel about the procedures
they follow.
2. Observe entity employees as they perform critical tasks.
3. Trace transactions through each activity to provide evidence to
indicate that the activities were performed as designed.
4. Re-perform key activities to verify that all situations were
6. A company processes many of its transactions
electronically. Consequently, the auditor is unable to
gain sufficient appropriate evidence through
substantive testing.
What approach should the auditor take so that
reasonable assurance of no material misstatements can
still be given?: In situations where substantive testing is not
capable of obtaining sufficient appropriate evidence, the auditor
can extend (increase) the tests of controls. Once the auditor
determines that an automated control is functioning properly, he
can focus subsequent testing on assessing whether or not any
program changes have occurred that will limit the effectiveness
of the control. Such tests might include determining whether
program changes were properly authorized and tested prior to
implementation. If no program changes have occurred since the
prior reporting period, the auditor's work is much less intense
and more efficient.
In this manner, control risk may be reduced to a level low enough
to allow a sufficiently high acceptable level of detection risk.
7. What are the five components of internal control, as
described by COSO's Internal Control-Integrated
Framework, that an auditor must understand?: COSO's
five components of internal control that the auditor is required to
understand are as follows:
1. The control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. The monitoring of internal control.
CPA Audit - Internal Control
8. One of the five components of internal control that an
auditor must understand is the control environment.
What is meant by the term control environment?: Control
environment encompasses all the company's actions, policies,
and procedures that reflect the overall attitude and philosophy of
top management toward internal control and its importance to
the entity. It covers the following:
1. Management's commitment to integrity and ethical values.
2. The amount of risk that management is willing to take.
3. Delegation of authority within the company.
4. Human resource policies, practices, and commitment to
5. Management's attitude toward financial reporting.
6. Board of directors or audit committee participation.
7. Organizational structure.
9. One of the five components of internal control that an
auditor must understand is a company's general
control activities.
What is meant by the term control activities?: Control
activities are all other policies and procedures not included in the
other four internal control components that have been installed
by the company to help ensure that the necessary actions are
taken to address the risks in the achievement of the entity's
objectives, including reduction of the risk of material
misstatements to an acceptable low level. Control activities, for
example, include each of the following:
1. Performance reviews.
2. General controls to ensure the accuracy of data processing.
3. Application controls applied to individual transactions.
4. Physical controls to safeguard assets and records.
5. Segregation of duties.
10. One item included under control activities is the
segregation of duties.
How is segregation of duties achieved?: Segregation of
duties is normally achieved by having separate independent
individuals or departments perform each of the following tasks
within a given system or transaction cycle:
1. Authorization of transactions and separation of authorization
of transactions from custody of the related assets.
2. Recording of transactions (i.e., accounting) and separation
between the custody of assets from those accounting for them.
3. Maintaining custody of assets and separation of operational
responsibilities from record-keeping responsibilities.
4. Separation of IT duties from user departments.
5. Proper authorization of transactions and activities.
11. One of the five components of internal control an
auditor must understand is information and
What is meant by the term information and
communication?: Information and communication concerns
the ability of the accounting information system to generate
reliable information and convey it in a timely manner to those
parties that need it. The ability of this system to initiate, record,
process, and report the entity's transactions and to maintain
accountability for the related assets is what this component is
concerned with.
12. One of the five components of internal control an
auditor must understand is monitoring.
What is meant by the term monitoring?: Monitoring refers
to the ongoing or regular assessment of the quality of internal
control by management to determine that controls are operating
as intended and that they are modified as appropriate for
changes in conditions. It is important that internal control does
not become outdated or lose its dependability.
13. When assessing internal control, the auditor should be
aware of the presence of fraud risk factors that could
indicate the existence of fraud.
What are some examples of fraud risk factors?: Fraud
risk factors that might be noted during the auditor's assessment
of control risk include the following:
1. Failure of management to monitor certain significant controls.
2. Inadequate recording of assets that are susceptible to theft.
3. Lack of identified controls for authorizing transactions.
4. Failure to correct previously noted control weaknesses.
5. Failure of certain key employees to take at least annual
6. Failure to record transactions on a timely basis.
7. Poor physical safeguards for the entity's assets.
14. An auditor has assessed the risk of material
misstatement at the relevant assertion level and is
considering the appropriate audit approach to
designing and performing further audit procedures.
What are the two available approaches?: After assessing
the risk of material misstatement at the relevant assertion level,
the auditor can take one of the two following approaches for
designing and performing further audit procedures, depending
on the circumstances:
1. Perform only substantive testing procedures if the auditor's risk
assessment procedures have not identified any controls, and
since testing the operating effectiveness of such controls would
not be effective.
2. Perform both tests of controls and substantive testing
procedures, assuming that there are effective controls.
15. What documentation is necessary of the auditor's
assessment of internal control?: Both SAS 109 and PCAOB
AS 5 require auditors to obtain an understanding of internal
control for every audit and to document their understanding.
In all audit engagements, the auditor must document the
understanding that is achieved of the five components of internal
control. The auditor must also document the risk assessment
procedures performed, the assessment of the risks of material
misstatement, and the basis for the assessment.
As part of the auditor's risk assessment procedures, the auditor
uses certain procedures to obtain an understanding of internal
control, which involves gathering evidence about the design of
internal controls and whether they have been implemented. The
auditor then uses that information as a basis for the integrated
16. What are some of the methods used by the auditor to
document the understanding of the company and its
environment, including its internal control?: Auditors
commonly use the three following types of documents to obtain
and document their understanding of the design of internal
1. Narratives.
2. Flowcharts.
3. Internal control questionnaires.
17. What is a value-added network (VAN)?: A VAN is an
organization that gathers and transmits EDI communications
between specific companies. A VAN not only transports
(receives, stores, and forwards) messages, but also adds
audit information to them and modifies the
data in the process of automatic error detection and correction or
conversion between communications protocols.
18. Why does the independent auditor make an assessment
of the internal auditor?: The quality and quantity of work
performed by the internal auditor can influence the assessment
made by the external auditor of both inherent risk (do the
accounting information systems produce information of a good
quality?) and control risk (are material misstatements that occur
in the information system detected in a timely manner?).
Thus, the external auditor needs to evaluate the work of the
internal auditor before any decision is made by the auditor on
further assessment of inherent risk and control risk.
19. In making an evaluation of the internal auditor, the
independent auditor needs to assess the competency of
the person or the staff.
How is this competency evaluated?: In attempting to
determine the competency of the internal auditor, the
independent auditor does the following:
1. Reviews the job description of the internal auditor.
2. Considers the person's or group's education, training,
certification, and experience.
3. Examines some of the work produced by the internal auditor.
External auditors typically consider internal auditors to be
effective, assuming that they are competent, if they are
independent of the operating units being evaluated, well trained,
and have performed relevant audit tests of the internal controls
and the financial statements.
20. In making an evaluation of the internal auditor, the
independent auditor needs to assess the objectivity of
the person or the staff.
How is this objectivity evaluated?: Objectivity is usually
evaluated by making certain that the internal auditor is not
prohibited from doing testing whenever and wherever considered
Objectivity is also determined by identifying the party to whom the
internal auditor reports. The internal auditor should report to the
audit committee of the board of directors (or to the board of
directors if no audit committee exists). If the internal auditor
reports to any member of management, the objectivity of the
internal auditor is weakened.
21. Can the external auditor utilize work performed by the
internal auditor?: If the external auditor has assessed the
internal auditor as being competent and objective, in part by a
review of the internal auditor's work, the internal auditor can be
utilized for many of the audit tests.
22. What is the definition of a significant deficiency?: A
significant deficiency is a control deficiency that adversely affects
the company's ability to initiate, authorize, record, process, or
report financial data reliably in accordance with generally
accepted accounting principles (GAAP).
With a significant deficiency, there is more than a remote
likelihood that a misstatement that is more than inconsequential
will not be prevented or detected.
23. When designing a questionnaire to learn about the
design of internal control in a particular accounting
information system, how does the auditor determine
the questions to be asked?
In a questionnaire, what response is normally
anticipated?: In creating a questionnaire for an accounting
information system, the auditor begins by anticipating the
controls that would normally be found - both the controls specific
to that system and the general controls that would apply to any
system. The auditor writes a question for each of these controls to
determine if the control has been included in the design of the
Because the auditor has anticipated the controls to be found, the
auditor would expect each question's answer to be "yes".
Normally, a "no" response is an automatic indication of a
possible control problem.
24. An auditor is performing tests of controls and has
already determined the design of the internal control
process within the client's accounting system.
What should the auditor do next?: Having determined the
design of the internal control process for an accounting
information system, the auditor should attempt to identify
specific control activities designed into the system that would
serve to reduce overall control risk. The auditor anticipates the
types of misstatements that could occur and then searches for
control activities that should either prevent or detect such
misstatements in a timely manner.
25. How and when does an independent auditor convey
information about significant deficiencies to
management and to those charged with governance?: All
significant deficiencies and material weaknesses must be
reported in writing to management and to those charged with
Any significant deficiencies and material weaknesses reported in
previous audits that have not been remediated must be
communicated again.
A report that there are no significant deficiencies in internal
control is unacceptable. An auditor may report that there are no
material weaknesses.
The report, if it is necessary, is usually made as of the date of the
auditor's report, but should be made no later than 60 days
following the report release date.
26. In Year 1, the independent CPA discovers a significant
deficiency in a reporting entity's internal control. The
appropriate management officials are informed;
however, the problem is never corrected.
How does this failure impact the independent CPA's
work in the current year?: If a company fails to correct a
significant deficiency after being advised of the problem, the
independent CPA normally faces the following two audit decision
1. The failure to correct the problem may be assumed to be a
possible fraud risk factor, which may mean the CPA has to
perform additional substantive procedures to ensure that fraud is
not present.
2. The CPA's assessment of control risk will likely have to be
raised because of the situation and the failure of management to
correct the deficiency.
27. What procedures are used by the auditor to test the
operating effectiveness of controls?: Procedures to test the
operating effectiveness of controls include the following:
1. Inquiries.
2. Inspection.
3. Observation.
4. Reperformance.
28. Internal control has inherent limitations, so only
reasonable assurance of no material misstatements can
be provided, rather than absolute assurance.
What are examples of inherent limitations?: Inherent
limitations of internal control include the following:
1. Reasonably designed internal control cannot prevent
management from overriding these controls.
2. Controls can often be avoided by collusion between two or
more employees.
3. Controls are monitored by employees who are always
susceptible to human error.
4. Controls that have been adequate in the past may become
unreliable due to changes in the entity or in the entity's
29. What is the function of the internal auditor or the
internal audit staff in a company?: The internal auditor
monitors all aspects of a company's internal control. The
internal auditor should continually test the design of the internal
controls and every aspect of the individual controls to make sure
that they are operating as efficiently and as effectively as
30. An independent auditor has assessed the work of the internal auditor and has a favorable impression of both the
competency and the objectivity of this individual.
How does this evaluation impact the work of the independent auditor?: Because of the favorable assessment that has been
assigned to the internal auditor's work, the independent auditor is likely to evaluate inherent risk and control risk to be somewhat lower. If
these risk levels are assessed to be lower, then the acceptable level of detection risk can be set at a higher level. When acceptable detection
risk is raised, the independent auditor can afford to gather less evidence through substantive testing or accept evidence that is of a lesser
31. What is the definition of a service organization?: A service organization is an outside company that provides accounting or other
related business services to one or more users. Thus, for the user, a part of its accounting system exists outside of the company.
When the independent auditor is assessing the control risk of the user, the portion of the system outside of the company must be included.
This portion of the control risk is normally assessed by obtaining a report on internal control from the independent auditor of the service
organization, although other approaches can also be used.
32. A company has a portion of its accounting activities handled by an outside service organization. The independent
auditor is attempting to assess control risk for the part of the company's accounting information system that exists
outside of the reporting company.
In what three ways can the independent auditor make this evaluation?: The following three approaches are possible ways to
assess control risk for entity activities handled by an outside service organization:
1. Test the reporting entity's own controls over the activities of the service organization (e.g., whether the company compares the original
information that is sent to the service organization to the results that are returned).
2. Rely on the report on internal control issued by the independent auditor of the service organization.
3. Visit the service organization and perform tests of controls.