You are on page 1of 7

Saint Paul School of Business and Law

Campetic, Palo, Leyte

Review Materials for Auditing Theory

INTERNAL CONTROL
Entity Objectives:
1. Reliability of financial reporting Most RELEVANT to audit and auditor MUST consider and
understand
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations

5 Components of Internal Control: CRIME

C Control Environment: the overall tone of the organization


R Risk Assessment: managements identification of risk
I Information and Communication Systems: a means of recording transactions and communicating
responsibilities
M Monitoring: assessment of internal control performance over time
E Existing Control Activities: control policies and procedures

Control Testing = Internal Control (CRIME)

Auditor should focus on: How a specific control prevents, or detects and corrects, material misstatements
Generally, those controls that pertain to the first objective, reliability of financial reporting, are most relevant
to the audit; it is primarily those controls that the auditor must consider and understand. The auditor need
not assess all controls related to financial reporting, but use professional judgment in determining it.

***Its a CRIME not to have strong internal control.*** *


**CPA required understanding for each element of CRIME as it pertains to financial reporting.
The auditor should obtain an understanding of the five components of internal control sufficient to:
1. Evaluate the design of relevant controls and determine whether they have been implemented.
2. Assess the risk of material misstatement identify types of potential misstatement
3. Design the nature, extent, and timing of further audit procedures
a. Identify types of potential misstatement
b. Consider factors that affect the risks of material misstatement
c. Design tests of controls
d. Design substantive procedures

A CPA tests internal control in order to adequately plan the NET audit.

C Control Environment: - the overall tone of the organization; sets the tone of an organization

Integrity and ethical values


Competence
Participation of those charged with governance
Managements philosophy and operating style
The following circumstances would raise concerns regarding managements philosophy and operating
style:
Management consumed with meeting the budget
Management dominated by one person
Management compensation contingent upon the entitys financial performance (=bonus and stock
options)
Organizational structure
Assignment of responsibility
Human resource policies
The control environment has a pervasive effect on the auditors risk assessment, and preliminary
judgments about its effectiveness may influence the nature, extent, and timing of further audit procedures
to be performed.

R Risk Assessment: - managements identification of risk relevant to the FS

CPA should obtain understanding and knowledge


Entitys identification of risks to achievement of its objectives
The assessment by management of risk facing the entity, not the auditors assessment of control risk

A17 AT (005)

Page 1 of 7

Risks are generally related to changes, for example:


1) Change in regulatory environment
2) New personnel
3) New information systems or technology
4) Rapid expansion of operations
5) New business models
6) Corporate restructuring
7) Expansion or acquisition of foreign operations
8) Adoption of new accounting principles or pronouncements

I Information and Communication Systems: - a means of recording transactions and


communicating responsibilities

CPA should obtain understanding and knowledge


Support the identification, capture, and exchange of information in a timely and useful manner
The accounting information system:
Classes of transactions significant to FS
Accounting processing (both automated and manual), from initiation of a transaction to FS
Accounting records (both electronic and manual), supporting information, and specific
accounts involved in initiating, authorizing, recording, processing, and reporting transactions
Ways other significant events are captured by the system
Financial reporting process, including development of significant accounting estimates and
disclosures
Auditor should obtain understanding of:
Methods used to communicate roles and responsibilities
Communication between mgmt and those charged with governance, audit committee, and
external parties
Initiating, authorizing, recording, processing, and reporting entity transactions, conditions, and
events

M Monitoring: - assessment of internal control performance over time

CPA should obtain understanding and knowledge of activities to monitor internal control
Process that assesses the quality of internal control (design and control operations) performance over
time
Establishing and maintaining internal control is a responsibility of management, for example:
Internal audit function
Regular management and supervisory activities
Other procedures such as mailing customer statements

E Existing Control Activities: - control policies and procedures

CPA should obtain understanding and knowledge


Policies and procedures that ensure management directives are carried out and risks are addressed
Strong internal control has PAID-TIPS
P Pre-numbering documents
A Authorization of transactions
I Independent checks to maintain asset accountability
D Documentation
T Timely and appropriate performance reviews
I Information processing controls
P Physical controls for safeguarding assets
S Segregation of duties

.
P Pre-numbering documents
All transactions are recorded -Completeness
No transactions are recorded more than once -Existence
Example: Your Checkbook .
A Authorization of transactions
Authorization should occur before commitment of resources
Example: Signed approval .
I Independent checks to maintain asset accountability
Independent checks involve the verification of work previously performed by others:
Review of bank reconciliations
Comparison of subsidiary records to control accounts
Comparison of physical counts of inventory to perpetual records
Example: Checks and balances .
D Documentation
A17 AT (005)

Page 2 of 7

Evidence of transactions and a basis for responsibility for the execution and recording of
transaction
Example: Paper trail .
T Timely and appropriate performance reviews
Comparison of actual performance to budgets, forecasts, and prior periods
Comparison of financial and nonfinancial information
Example: Analytical procedures .
I Information processing controls
Ensure that transactions are valid, authorized, and completely and accurately recorded
Application controls: processing of individual applications (i.e. controls surrounding payroll)
General controls: information processing throughout the company (i.e. access controls, controls
over data center, network operations) .
P Physical controls for safeguarding assets
Physical segregation of security of assets
Authorized access to assets and records
Periodic counting and comparison of actual assets with amounts shown in accounting records
Example: Security .
S Segregation of duties
One individual provides a crosscheck on the work of another individual
Assigning different people the responsibilities of authorizing, recording transactions, and
maintaining custody of the related assets reduces the opportunities for any individual to both
perpetrate and conceal errors or fraud
Internal control environment should detect fraud by one person, NOT
Collusion
Management override
Client should separate these functions:
A Authorization
R Recordkeeping
C Custody of related assets
****Segregation of duties is your ARC to protect against a flood of troubles.

An audit does not require an understanding of all control activities .


Auditors primary consideration should be if a control prevents, or detects and corrects, material
misstatements

Limitations of internal control:

Human error
Deliberate circumvention of controls by collusion of two or more people
Management override of internal control
Segregation of duties may be difficult to achieve in a smaller entity (cost/benefit issue)

Effect of Information Technology on Internal Control

IT system may make it impossible to reduce detection risk through substantive testing alone
MUST also perform control testing.
A CPA must document all evaluations.

IT Benefits:

The ability to process large volumes of transactions and data accurately and consistently
Improved timeliness and availability of information
Facilitation of data analysis and performance monitoring
Reduction in the risk that controls will be circumvented
Enhanced segregation of duties through effective implementation of security controls

IT Risks:

Potential reliance on inaccurate systems


Unauthorized access to data which may result in loss of data and/or data inaccuracies
Unauthorized changes to data, systems, or programs
Failure to make required changes or updates to systems or programs

Auditor should:
1. Document use of programs
2. Perform tests more often during the year

Organization Structure of IT Department (Segregation of duties):

C Control group: responsible for internal control in IT dept. Maintain error log and determine its
cause.

A17 AT (005)

Page 3 of 7

O Operators: input data


P Programmers: write and develop computer programs
A Analysts: identify and design the overall system (programmers do the detailed work)
L Librarian: track programs, maintain data storage, controls access to programs

Weakness:
1. Anyone doing more than one job
2. Anyone supervising another area

MULTIPLE CHOICE QUESTIONS


1. Which of the following is correct regarding internal control system?
a. Internal control system refers to all the policies and procedures adopted by the auditor to assist in
achieving managements objective.
b. A strong environment, by itself, ensure the effectiveness of the internal control system.
c. In the audit of financial statements, the auditor is only concerned with those policies and procedures
within the accounting and internal control systems that are relevant to the financial statements.
d. The internal control system is confined to those matters which relate directly to the functions of the
accounting system.
2. Which of the following is correct about internal control?
a. Accounting and internal control systems provide management with conclusive evidence that objectives
are reached.
b. One of the inherent limitations of accounting and internal control systems is the possibility that the
procedures may become inadequate due to changes in conditions, and compliance with procedures
may deteriorate.
c. Most internal controls tend to be directed at non-routine transactions.
d. Management does not consider costs of the accounting and internal control systems.
3. Corporate directors, management, external auditors, and internal auditors all play important roles in
creating a proper control environment. Top management is primarily responsible for
a. Establishing a proper environment and specifying overall internal control.
b. Reviewing the reliability and integrity of financial information and the means used to collect and report
such information.
c. Ensuring that external and internal auditors adequately monitor the control environment.
d. Implementing and monitoring controls designed by the board of directors.
4. In an audit of financial statements, an auditors primary consideration regarding a control is whether it
a. Reflects managements philosophy and operating style.
b. Affects managements financial statement assertions.
c. Provides adequate safeguards over access to assets.
d. Enhances managements decision-making processes.
5. Effective internal control
a. Eliminates risk and potential loss to the organization.
b. Cannot be circumvented by management.
c. Is unaffected by changing circumstances and conditions encountered by the organization.
d. Reduces the need for management to review exception reports on a day-to-day basis.
6. Which of the following statements about internal control is correct?
a. Properly maintained internal controls reasonably assure that collusion among employees cannot
occur.
b. Establishing and maintaining internal control is the internal auditors responsibility.
c. Exceptionally strong control allows the auditor to eliminate substantive tests.
d. The cost-benefit relationship should be considered in designing internal control.
7. A proper understanding of the clients internal control is an integral part of the audit planning process. The
results of the understanding
a. Must be reported to the shareholders and the SEC.
b. Bear no relationship to the extent of substantive testing to be performed.
c. Are not reported to client management.
d. May be used as the basis for withdrawing from an audit engagement.
8. Audit evidence concerning segregation of duties ordinarily is best obtained by
a. Performing tests of transactions that corroborate managements financial statement assertions
b. Observing the employees as they apply specific controls.
c. Obtaining a flowchart of activities performed by available personnel.
d. Developing audit objectives that reduce control risk.
9. Based on a consideration of internal control completed at an interim date, the auditor assessed control risk
at a low level and performed interim substantive tests. The records and procedures would most likely be
tested again at year-end if
a. Tests of controls were not performed by the internal auditor during the remaining period.
b. Internal control provides a basis for limiting the extent of substantive testing.
c. The auditor used nonstatistical sampling during the interim period testing of controls.
d. Inquiries and observations lead the auditor to believe that conditions have changed.
10. Although substantive tests may support the accuracy of underlying records, these tests frequently provide
no affirmative evidence of segregation of duties because
A17 AT (005)

Page 4 of 7

a. Substantive tests rarely guarantee the accuracy of the records if only a person who performs
incompatible functions.
b. The records may be accurate even though they are maintained by a person who performs
incompatible functions.
c. Substantive tests relate to the entire period under audit, but tests of controls ordinarily are confined to
the period during which the auditor is on the clients premises.
d. Many computerized procedures leave no audit trail of who performed them, so substantive tests may
necessarily be limited to inquiries and observation of office personnel.
11. After obtaining an understanding of internal control and assessing control risk, an auditor decided not to
perform additional tests of controls. The auditor most likely concluded that the
a. Additional evidence to support a further reduction in control risk was not cost-beneficial to obtain.
b. Assessed level of inherent risk exceeded the assessed level of control risk.
c. Internal control was properly designed and justifiably may be relied on.
d. Evidence obtainable through tests of controls would not support an increased assessment of control
risk.
12. The objective of tests of details of transactions performed as tests of controls is to
a. Monitor the design and use of entity documents such as prenumbered shipping form
b. Determine whether controls have been placed in operation.
c. Detect material misstatements in the account balances of the financial statements.
d. Evaluate whether controls operated effectively.
13. An auditor wishes to perform tests of controls on a clients cash disbursements procedures. If the controls
leave no audit trail of documentary evidence, the auditor most likely will test the procedures by
a. Confirmation and observation.
c. Analytical procedures and confirmation.
b. Observation and inquiry.
d. Inquiry and analytical procedures
14. The auditor is examining copies of sales invoices only for the initials of the person responsible for checking
the extensions. This is an example of a
a. Test of controls
c. Dual purpose test
b. Substantive test
d. Test of balances
15. Which of the following types of evidence would an auditor most likely examine to determine whether
controls are operating as designed?
a. Confirmations of receivables verifying account balances.
b. Letters of representations corroborating inventory pricing.
c. Attorneys responses to the auditors inquiries.
d. Client records documenting the use of computer programs.
16. An auditor is least likely to test controls that provide for
a. Classification of revenue and expense transactions by product line
b. Approval of the purchase and sale of trading securities
c. Segregation of the functions of recording disbursements and reconciling the bank account
d. Comparison of receiving reports and vendors invoices with purchase orders
17. In a small company that doesn't employ an adequate number of employees to permit proper division of
responsibilities, effective internal control can be strengthened by
a. Direct participation by the owner of the business in the record keeping activities of the business.
b. Employment of temporary personnel to aid in the separation of duties.
c. Delegation of full, clear-cut responsibility to each employee for the functions assigned to each.
d. Engaging a CPA to perform monthly "write up" work.
18. Which of the following is true of the communication to management of material weaknesses in accounting
and internal control?
a. Communication must be in writing.
b. Oral communication of material weaknesses, when appropriate, would be documented in the audit
working papers.
c. The communication should indicate that the auditor had extensively examined the accounting and
internal control system of the client.
d. The auditors should indicate in the communication that the examination is primarily designed to
determine whether the accounting and internal control is adequate.
19. Internal control should provide reasonable (but not necessarily absolute) assurance which means that:
a. The cost of control activities should not exceed the benefits.
b. Internal control is managements, not auditors, responsibility.
c. An attestation engagement about managements internal control assertions may not necessarily detect
all reportable conditions.
d. There is always a risk that reportable conditions may result in material misstatements.
20. Which of the following statements is an example of an inherent limitation of internal control?
a. Errors may arise from mistakes in judgments.
b. The effectiveness of control procedures depends on segregation of duties.
c. Procedures are designed to assure that transactions are executed as management authorities.
d. Computers process large numbers of transactions.
21. Which of the following activities would be least likely to strengthen a companys internal control?
a. Maintaining insurance for fire and theft.
b. Separating accounting from other financial operations.
c. Fixing responsibility for the performance of employee duties.
d. Carefully selecting and training employees.
22. When considering internal control, the auditors primary concern is to determine
a. The reliability of the accounting information system.
A17 AT (005)
Page 5 of 7

b. The possibility of fraud occurring.


c. Compliance with policies, plans, and procedures.
d. The type of an opinion he will issue.
23. Which of the following audit techniques most likely would provide an auditor with the most assurance
about the effectiveness of the operation on an internal control procedure?
a. Confirmation with outside parties
c. Recomputation of account balance
b. Observation of client personnel
d. Inquiry of client personnel
24. Which of the following would not be a method used to conduct tests of controls?
a. Inquiry
b. Walkthrough
c. Confirmation
d. Observation
25. Of the following, the best statement of the CPAs primary objective in considering internal control is that the
review is intended to provide
a. A basis for reliance on the system and determining the scope of other auditing procedures.
b. Reasonable protection against client fraud and defalcations by client employees.
c. A basis for constructive suggestions to the client for improving his internal control system.
d. A method for ensuring that there is reasonable assurance that the financial statements are reliable.
26. After considering a clients internal control, an auditor has concluded that the system is well designed and
is functioning as anticipated. Under these circumstances, the auditor would most likely
a. Cease to perform further substantive tests
b. Not increase the extent of planned substantive tests
c. Increase the extent of anticipated analytical procedures
d. Perform all tests of controls to the extent outlined in the preplanned audit program
27. After considering internal control, an auditor might decide to
a. Increase the extent of tests of controls and substantive tests in areas where internal control is strong
b. Increase the extent of substantive tests in areas where internal control is weak
c. Reduce the extent of tests of controls in areas where internal control is strong
d. Reduce the extent of both substantive tests and tests of controls in areas where internal control is
strong
28. After obtaining an understanding of a clients controls, an auditor may decide to omit tests of the controls.
Which of the following in not appropriate reason to omit tests of controls?
a. The controls duplicate other controls.
b. The controls appear adequate.
c. Reportable conditions preclude assessing control risk below the maximum.
d. The effort to test controls exceeds the effort saved by not performing substantive tests.
29. In general, a material weakness in internal control may be defined as a condition in which material errors
or irregularities may occur and not be detected within a timely period by
a. An independent auditor during tests of controls.
b. Management when reviewing interim financial statements and reconciling account balances.
c. Employees in the normal course of performing their assigned functions.
d. Outside consultants who issue a special-purpose report on internal control structure.
30. Internal control procedures are not designed to provide reasonable assurance that
a. Transactions are executed in accordance with management's authorization.
b. Access to assets is permitted only in accordance with management's authorization.
c. Irregularities will be eliminated.
d. The recorded accountability for assets is compared with the existing assets at reasonable intervals.
31. A secondary purpose of the auditor's consideration of internal control is to provide
a. A basis for assessing control risk.
b. An assurance that the records and documents have been maintained in accordance with existing
company policies and procedures.
c. A basis for constructive suggestions about improvements in internal control structure.
d. A basis for the determination of the resultant extent of the tests to which auditing procedures are to be
restricted.
32. Tests of controls are performed to obtain audit evidence about the effectiveness of the
a. Operation of the internal controls at the time the tests are being applied.
b. Operations of the internal controls in eliminating fraud and errors.
c. Design of the internal controls in eliminating fraud and errors.
d. Design of the accounting and internal controls systems.
33. The evaluation of deviations that were observed upon completing tests of controls
a. May require the need for doing more extensive understanding of control.
b. May require more extensive tests of controls.
c. Always requires documentation of the basis of assessment of control risk.
d. May require modification of the nature, timing, and extent of planned substantive procedures
34. It is important for the auditor to consider the competence of the audit clients employees, because their
competence bears directly and importantly upon the
a. Costbenefit relationship of internal control
b. Achievement of the objectives of internal control
c. Comparison of recorded accountability with assets
d. Timing of the tests to be performed
35. Auditing standards require the auditor to obtain an understanding of the clients internal control structure
a. For every audit.
b. For first time audits.
c. Sufficient to find any frauds which may exist.
A17 AT (005)
Page 6 of 7

d. Whenever it would be appropriate

A17 AT (005)

Page 7 of 7