Chapter 12

Auditing and Assurance Services, 17e (Arens/Elder/Beasley)
Chapter 12 Assessing Control Risk and Reporting on Internal Controls
12.1 Learning Objective 12-1
1) When the auditor attempts to understand the operation of the accounting system by tracing a
few transactions through the accounting system, the auditor is said to be
A) tracing.
B) vouching.
C) performing a walkthrough.
D) testing controls.
Answer: C
Terms: Tracing transactions through accounting system
Difficulty: Easy
Objective: LO 12-1
AACSB: Reflective thinking
2) For financial statement audits, auditors need to understand controls that are relevant to the
audit in order to
A) identify and assess the risks of material misstatements.
B) perform preliminary analytical procedures.
C) detect fraud.
D) assess inherent risk.
Answer: A
Terms: Process for understanding internal control and assessing risk
Difficulty: Moderate
Objective: LO 12-1
3) Narratives, flowcharts, and internal control questionnaires are three common methods of
A) testing the internal controls.
B) documenting the auditor's understanding of internal controls.
C) designing the audit manual and procedures.
D) documenting the auditor's understanding of a client's organizational structure.
Answer: B
Terms: Narratives, flowcharts, and internal control questionnaires
Difficulty: Easy
Objective: LO 12-1
1
Copyright © 2020 Pearson Education, Inc.
4) When dealing with the documentation of internal control,
A) in a narrative, most questions simply require a "yes" or "no" response.
B) questionnaires offer useful checklists to remind the auditor of the many different types of
internal controls that should exist.
C) questionnaires and flowcharts should not be used together.
D) flowcharts fail to show the segregation of duties in the company.
Answer: B
Terms: Internal controls
Objective: LO 12-1
5) Which type of evidence is not used by the auditor to obtain an understanding of the design
and implementation of internal control?
A) inquiry
B) observation
C) confirmation
D) inspection
Answer: C
Terms: Audit evidence and internal control
Objective: LO 12-1
6) Walkthroughs combine observation, inspection, and inquiry to assure that the controls
designed by management have been implemented.
Answer: TRUE
Terms: Walkthroughs; understanding internal control
Difficulty: Easy
Objective: LO 12-1
7) A narrative should describe the disposition of every document and record in the system.
Answer: TRUE
Terms: Understanding internal controls
Difficulty: Easy
Objective: LO 12-1
8) Flowcharts are harder to read and update than narratives.

Answer: FALSE
Terms: Flowcharts
Objective: LO 12-1
2
9) When documenting their understanding of a client's internal controls, auditors are required to
use narratives.
Answer: FALSE
Terms: Understanding internal controls; narratives
Objective: LO 12-1
10) The level of understanding of a client's internal controls required is less than what is required
for an audit of only the financial statements.
Answer: FALSE
Terms: Obtaining and documenting an understanding internal control
Objective: LO 12-1
11) For integrated audits of large, publicly traded companies, the level of understanding of
internal controls and the extent of testing of those controls need to be sufficient for the auditor to
issue an opinion on the effectiveness of internal controls over financial reporting.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
12) Management's documentation is not a major source of information for auditors in gaining an
understanding of the design of internal controls.
Answer: FALSE
Objective: LO 12-1
13) Evaluating the design of a control involves considering whether the control is effective in
preventing, detecting, or correcting material misstatements in the financial statements.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
3
14) As Section 404 of the Sarbanes-Oxley Act requires management to assess and to document
the design effectiveness of internal controls over financial reporting, management may have
already prepared narratives and flowcharts which the auditor can the use in documenting their
understanding of the design of such internal controls.
Answer: TRUE
Terms: Obtaining and documenting understanding of internal control design
Difficulty: Easy
Objective: LO 12-1
15) An adequate system flowchart should include the same characteristics required for system
narratives.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
16) Flowcharts have two advantages over narratives: typically, they are easier to read and easier
to update.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
17) It is typical to use both a narrative and a flowchart to describe the same system.
Answer: FALSE
Difficulty: Easy
Objective: LO 12-1
18) When using questionnaires, "no" responses typically indicate a potential internal control
deficiency requiring follow up by the auditor.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
4
19) The two disadvantages of using questionnaires are their inability to provide an overview of
the system and their inapplicability for some audits, especially smaller ones.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-1
20) Name four types of evidence which the auditor uses to obtain an understanding of the design
and implementation of controls.
Answer: Inspection; inquiries of client personnel; observation of employees performing control
processes; and reperformance by tracing one or a few transactions through the accounting system
from the start to the finish.
Difficulty: Easy
Objective: LO 12-1
21) Name three types of documents which auditors commonly use to obtain and to document
their understanding in the audit working paper of the design of internal controls.
Answer: Narratives; flowcharts; and internal control questionnaires
Difficulty: Easy
Objective: LO 12-1
22) A proper narrative of an accounting system and the related controls should include which
four characteristics?
Answer: The origin of every document and record in the system; the processing that takes place;
the disposition of every document and record in the system; and an indication of the controls
relevant to the control risk (including separation of duties; authorizations and approvals, and
internal verification performed by the client.
Objective: LO 12-1
23) Auditors should obtain an understanding of IT general controls. Name four procedures which
the auditor should employ to document their understanding of IT general controls.
Answer: Interview key IT personnel and key users; examine IT system documentation such as
flowcharts; examine user manuals; examine program change request procedures; examine system
testing results; review detailed questionnaires completed by IT staff.
Objective: LO 12-1
5
1) When making a preliminary assessment of control risk, the starting point for most auditors is
A) IT assessment controls.
B) assessment of entity level controls.
C) transaction-related controls.
D) fraud controls.
Answer: B
Terms: Control risk
Objective: LO 12-2
2) You are performing the audit of internal control for Clifton Company. Which of the following
would represent a material weakness in internal control?
A) The company's audit committee has experienced an unusual turnover of members.
B) The company's CFO was indicted for embezzling from the company.
C) Bank reconciliations are done monthly.
D) The CEO retired after twenty years of service to the company.
Answer: B
Terms: Material weaknesses in internal control
Difficulty: Challenging
Objective: LO 12-2
3) The employee in charge of authorizing credit to the company's customers does not fully
understand the concept of credit risk. This lack of knowledge would
A) constitute a deficiency in operation of internal controls.
B) constitute a deficiency in design of internal controls.
C) constitute a deficiency of management.
D) not constitute a deficiency.
Answer: A
Terms: Design and operation of internal control
Objective: LO 12-2
6
4) When assessing whether the financial statements are auditable, the auditor must consider
A) that the integrity of management and the adequacy of accounting records are the two primary
factors determining auditability.
B) that the integrity of management and the adequacy of risk management are the two primary
factors determining auditability.
C) that if all of the transaction information is available only in electronic form without a visible
audit trail, the company cannot be audited.
D) the control risk before determining if the entity is auditable.
Answer: A
Terms: Auditability of financial statements
Objective: LO 12-2
AACSB: Ethical understanding and reasoning
5) Once auditors determine that entity level controls are designed and placed in the operation,
they
A) make a preliminary assessment for each transaction-related audit objective for each major
type of transaction.
B) make a preliminary assessment of control risk.
C) obtain an understanding of the design and implementation of internal control.
D) prepare audit documentation in order to express their opinion on the company's internal
control system.
Answer: A
Terms: Entity level controls
Objective: LO 12-2
AACSB: Analytic thinking
6) Which of the following is the correct definition of "control deficiency"?

A) A control deficiency exists if the design or operation of controls does not permit company
personnel to prevent or detect misstatements on a timely basis.
B) A control deficiency exists if one or more deficiencies exist that adversely affect a company's
ability to prepare external financial statements reliably.
C) A control deficiency exists if the design or operation of controls results in a more than remote
likelihood that controls will not prevent or detect misstatements.
D) A control deficiency exists if the design or operation of controls results in a more than
probable likelihood that controls will prevent or detect misstatements.
Answer: A
Terms: Control deficiency
Objective: LO 12-2
7
7) Which deficiency exists if a necessary control is missing or not properly implemented?
A) control
B) significant
C) design
D) operating
Answer: C
Terms: Design deficiency
Objective: LO 12-2
8) To determine if significant internal control deficiencies are material weaknesses, they must be
evaluated on their
A)
Likelihood Significance
Yes Yes
B)
No No
C)
Yes No
D)
No Yes
Answer: A
Terms: Internal control deficiencies are material weaknesses
Objective: LO 12-2
9) The auditor should identify and include only ________ controls since they will be sufficient to
achieve the transaction-related audit objectives and will also provide audit efficiency.
A) key
B) significant
C) material
D) compensating
Answer: A
Terms: Key controls
Difficulty: Easy
Objective: LO 12-2
8
10) Before making the final assessment of internal control at the end of an audit, the auditor must
A)
Test controls Perform substantive tests
Yes Yes
B)
No No
C)
Yes No
D)
No Yes
Answer: A
Terms: Final assessment of internal control for an audit
Objective: LO 12-2
11) When identifying audit objectives and existing controls,

A) audit objectives are identified for classes of transactions, account balances, and presentation
and disclosure.
B) the auditor identifies controls to satisfy each objective.
C) it is helpful for the auditor to use the five control activities as reminders of controls.
D) all of the above.
Answer: D
Terms: Audit objectives and existing controls
Objective: LO 12-2
12) A(n) ________ control is a control elsewhere in the system that offsets the absence of a key
control.
A) significant
B) alternate
C) design
D) compensating
Answer: D
Terms: Compensating control; key control
Objective: LO 12-2
9
13) A ________ exists if one or more control deficiencies exist that are less severe than a
material weakness, but are important enough to merit attention by those responsible for oversight
of the company's financial reporting.
A) potential misstatement
B) significant weakness
C) significant deficiency
D) fraud symptom
Answer: C
Terms: Significant deficiencies
Objective: LO 12-2
14) A five-step approach can be used to identify deficiencies, significant deficiencies, and
material weaknesses. The first step in this approach is
A) identify the absence of key controls.
B) consider the possibility of compensating controls.
C) determine potential misstatements that could result.
D) identify existing controls.
Answer: D
Terms: Control risk
Objective: LO 12-2
15) When assessing control risk,

A) many auditors use actuarial tables to assist in the control risk assessment process.
B) each control can be used to satisfy only one audit objective.
C) many auditors use a control risk matrix to assist in the control risk assessment process.
D) all controls, including key controls, should be considered.
Answer: C
Terms: Assessed level of control risk
Objective: LO 12-2
16) When a compensating control exists, the absence of a key control

A) is no longer a concern because there is no longer a significant deficiency or material
weakness.
B) is still a major concern to the auditor.
C) could cause a material loss, so it must be tested using substantive procedures.
D) is magnified and must be removed from the sampling process and examined in its entirety.
Answer: A
Terms: Compensating control; key control
Objective: LO 12-2
10
17) The assessment of control risk is the measure of the auditor's expectation that internal
controls will prevent material misstatements from occurring or detect and correct them if they
have occurred.
Answer: TRUE
Terms: Internal control risk assessment
Objective: LO 12-2
18) Key controls are not sufficient to achieve the transaction-related audit objectives.
Answer: FALSE
Terms: Key controls
Objective: LO 12-2
19) A design deficiency exists if the person performing the control is not qualified.
Answer: FALSE
Terms: Design deficiency
Objective: LO 12-2
20) A significant internal control deficiency is always considered a material weakness.

Answer: FALSE
Terms: Significant deficiencies and material weaknesses
Objective: LO 12-2
21) In some cases, management can correct deficiencies and material weaknesses before the
auditor does significant testing, which may permit a reduction in control risk.
Answer: TRUE
Terms: Control risk assessment
Objective: LO 12-2
22) In a small business, the daily involvement of the owner in the business is not sufficient to
overcome significant deficiencies or material weaknesses in internal controls.
Answer: FALSE
Terms: Compensating controls
Objective: LO 12-2
11
23) If the likelihood that a material misstatement would be prevented, detected, or corrected by
the controls in place, then the control risk is low in the revenue transaction cycle.
Answer: TRUE
Objective: LO 12-2
24) In order for the auditor to determine whether a significant internal control deficiency is a
material weakness, the deficiency should be evaluation along one of the following two
dimensions: likelihood or significance.
Answer: FALSE
Terms: Evaluation of potential material weakness
Objective: LO 12-2
25) If there is more than a reasonable possibility that a material misstatement could result from a
significant deficiency found during the audit, then that deficiency is considered a material
weakness in internal control.
Answer: TRUE
Terms: Evaluation of significant deficiency in controls
Objective: LO 12-2
26) You are the audit manager for a new audit client. Your staff auditors are unsure of what
constitutes a control deficiency. Discuss the terms control deficiency, design deficiency, and
operating deficiency.
Answer: A control deficiency exists if the design and implementation or operation of controls
does not permit company personnel to prevent or detect misstatements on a timely basis in the
normal course of performing assigned functions.
A design deficiency exists if a necessary control is missing, is not properly designed, or is not
properly implemented.
An operating deficiency exists if a well-designed control does not operate as designed or if the
person performing the control is insufficiently qualified or authorized.
Terms: Control deficiency; Design deficiency; Operating deficiency
Objective: LO 12-2
12
27) The text suggested a five-step approach to identify deficiencies, significant deficiencies, and
material weaknesses. Describe this approach.
Answer:
1. Identify existing controls. Because deficiencies and material weaknesses are the absence of
adequate controls, the auditor must first know which controls exist.
2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and
walkthroughs are useful tools to identify where controls are lacking and the likelihood of
misstatement is therefore increased. It is also useful to examine the control risk matrix to look for
objectives where there are no or only a few controls to prevent or detect misstatements.
3. Consider the possibility of compensating controls. A compensating control is one elsewhere
in the system that offsets the absence of a key control. When a compensating control exists, there
is no longer a significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness. The likelihood of
misstatements and their materiality are used to evaluate if there are significant deficiencies or
material weaknesses.
5. Determine potential misstatements that could result. This step is intended to identify specific
misstatements that are likely to result because of the significant deficiency or material weakness.
The importance of a significant deficiency or material weakness is directly related to the
likelihood and materiality of potential misstatements.
Terms: Five-step approach to identify deficiencies
Objective: LO 12-2
AACSB: Reflective thinking; Analytic thinking
1) If the results of tests of controls support the design and operations of controls as expected, the
auditor uses ________ control risk as the preliminary assessment.
A) a lower
B) the same
C) a higher
D) either a lower or higher
Answer: B
Terms: Control risk as preliminary assessment
Objective: LO 12-3
13
2) An auditor is likely to use four types of procedures to support the operating effectiveness of
internal controls. Which of the following would generally not be used?
A) make inquiries of appropriate client personnel
B) examine documents, records, and reports
C) reperform client procedures
D) inspect design documents
Answer: D
Terms: Operating effectiveness of internal controls
Objective: LO 12-3
3) Which of the following represents a correct statement regarding internal control testing?
A) When auditors plan to use evidence about the operating effectiveness of internal control
contained in prior audits, auditing standards require tests of the controls' effectiveness at least
every other year.
B) The greater the risk, the less audit evidence the auditor should obtain that controls are
operating effectively.
C) The auditor uses control risk assessment and results of tests of controls to determine planned
detection risk and the related substantive tests for the financial statement audit.
D) Testing of internal controls can only be performed by the auditor at the end of the fiscal year.
Answer: C
Terms: Internal control risk assessment
Objective: LO 12-3
4) An auditor traces the sales prices to the authorized price list in effect at the date of the
transaction. Which of the following procedures has the auditor performed?
A) inquiry
B) observation
C) reperformance
D) examination
Answer: C
Terms: Procedures for tests of controls
Objective: LO 12-3
14
5) Tests of controls
A) are the procedures used to test the effectiveness of controls in support of a reduced assessed
control risk.
B) are used to support the ending balances in the balance sheet and income statement accounts.
C) are performed at the end of the audit.
D) are designed to detect fraud.
Answer: A
Terms: Tests of controls
Objective: LO 12-3
6) Which of the following is an accurate statement relating to the extent of procedures?

A) If an auditor wants a lower assessed control risk than the preliminary assessed control risk,
the number of controls tested increases while the extent of the tests for each control decrease.
B) The extent of testing depends on the frequency of the operation of the controls.
C) All controls must be tested only at year-end.
D) The frequency of testing is the same for both manual and computer controls.
Answer: B
Terms: Extent of tests of controls procedures
Objective: LO 12-3
7) When testing manual or automated controls,

A) automated controls are always subject to random error or manipulation.
B) automated controls cannot be altered by making a change to the software application.
C) when there are effective general controls and automated application controls, the auditor will
need to select a larger sample size of transactions to verify.
D) the extent of testing depends on whether it is a manual or automated control.
Answer: D
Terms: Extent of tests of controls procedures
Objective: LO 12-3
15
8) Which of the following is true regarding the relationship between tests of controls and
procedures to obtain an understanding?
A) In obtaining an understanding of internal control, the procedures to obtain an understanding
are applied to all controls identified during that phase.
B) Tests of controls are applied only when the assessed control risk has not been satisfied by the
procedures to obtain an understanding.
C) Procedures to obtain an understanding are performed only on one or a few transactions.
D) All of the above are correct.
Answer: D
Terms: Relationship between tests of controls and procedures to obtain an understanding
Objective: LO 12-3
9) When a client uses a service center for processing transactions,

A) the auditor can assume that the controls are adequate because it is an independent enterprise.
B) auditing standards require the auditor to test the service center's controls if the service center
application involves processing significant financial data.
C) and the user auditor decides to rely on the service auditor's report, the user auditor must make
reference to the report of the service auditor in the opinion on the user organization's financial
statements.
D) none of the above.
Answer: B
Terms: Outsourced services
Objective: LO 12-3
10) An auditor traces the cost of sales entry for a sample of product sales to the inventory unit
costs in effect at the date of each transaction. Which of the following procedures has the auditor
performed?
A) inquiry
B) observation
C) reperformance
D) examination
Answer: C
Terms: Procedures for tests of controls
Objective: LO 12-3
16
11) The procedures to obtain an understanding of internal control are only applied when the
assessed control risk is high.
Answer: FALSE
Difficulty: Easy
Objective: LO 12-3
12) Controls that are applied throughout the accounting period must be tested both at an interim
date and then again on the balance sheet date.
Answer: FALSE
Objective: LO 12-3
13) When there are a number of controls tested in prior audits that have not been changed,
auditing standard require auditors to test some of those controls each year to ensure there is a
rotation of controls testing throughout the three-year period.
Answer: TRUE
Terms: Reliability of evidence
Objective: LO 12-3
14) The AICPA guide to data analytics indicates audit data analysis can be used throughout the
audit process, but not including tests of controls.
Answer: FALSE
Terms: Using audit software and data analytics to perform test of controls
Objective: LO 12-3
15) A company requires the controller's e-approval for all fixed asset purchases in excess of
$50,000. Audit software can be used to identify if there are any instances where a fixed asset
purchase in excess of $50,000 lacked the controller's e-approval, instead of manual checking.
Answer: TRUE
Objective: LO 12-3
17
16) An example of substantive testing and also a test of controls is using audit software to
identify purchases where the vendor's invoice, the receiving report, and the purchase order did
not match prior to payment of the vendor's invoice.
Answer: TRUE
Objective: LO 12-3
17) In evaluating the operational effectiveness of internal controls, the auditor is likely to use
four types of audit procedures. List the procedures below.
Answer:
• Make inquiries of appropriate client personnel.
• Examine documents, records, and reports.
• Observe control-related activities.
• Reperform client procedures.
Terms: Operational effectiveness; internal controls; audit procedures
Objective: LO 12-3
1) Which of the following is a correct statement?

A) The auditor uses the control risk assessment and results of tests of controls to determine
planned detection risk.
B) The auditor links the inherent risk assessments to the balance-related audit objectives.
C) The audit risk model is used determine the level of audit risk.
D) All of the above are correct statements.
Answer: A
Terms: Planned detection risk and design substantive tests
Objective: LO 12-4
2) The auditor assesses control risk for each related audit objective and supports control risk
assessments with tests of controls.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-4
18
3) In October 2013, the PCAOB Staff Audit Practice Alert No.11, titled "Considerations for
Audits of Internal Control over Financial Reporting". In this Staff Audit Practice Alert, the
PCAOB highlighted three common deficiencies related to audits of internal control. Name these
three common deficiencies.
Answer: The failure of the auditor to understand a company's flow of transactions; auditor's lack
of understanding of management review controls, a detective control designed to identify error or
fraud; and the testing of system-generated data or reports.
Objective: LO 12-4
1) How must significant deficiencies and material weaknesses be communicated to those charged
with governance?
A) Either oral or written communication is acceptable.
B) Oral communication is required.
C) Written communication is required.
D) Written communication is required for material weaknesses, but oral communication is
allowed for significant deficiencies.
Answer: C
Terms: Significant deficiencies and material weaknesses
Objective: LO 12-5
2) Auditors often identify less significant internal control-related issues, as well as opportunities
for the client to make operational improvements in the
A) adverse opinion.
B) Section 404 report.
C) management letter.
D) Type 1 report.
Answer: C
Terms: Management representation letter
Objective: LO 12-5
19
3) The auditor will issue an unqualified opinion on internal control over financial reporting when
A) there are no identified material weaknesses as of the end of the fiscal year.
B) there have been no restrictions on the scope of the auditor's work.
C) both a and b
D) either a or b
Answer: C
Terms: Types of opinions on internal control
Objective: LO 12-5
4) What type of report is issued when one or more material internal control weaknesses exist?
A) unqualified opinion
B) disclaimer of opinion
C) adverse opinion
D) qualified opinion
Answer: C
Objective: LO 12-5
5) Which of the following is true regarding the auditor's opinion on the effectiveness of internal
control?
A) The auditor is attesting to the effectiveness of internal controls as of the end of the fiscal year.
B) If the client remedies a material weakness before the end of the fiscal year, the auditor must
still issue a qualified opinion or a disclaimer of opinion.
C) A scope limitation requires the auditor to issues an adverse opinion.
D) Section 404 requires that the auditor design the audit to detect all deficiencies in internal
control.
Answer: A
Objective: LO 12-5
20
6) When determining what type of report to issue on internal control under Section 404,
A) an adverse opinion on internal control must be given if any weaknesses in a key internal
control is discovered.
B) a scope limitation requires the auditor to disclaim an opinion on internal controls.
C) if the auditor gives a qualified opinion on the financial statements, they must give a qualified
opinion on internal controls.
D) a scope limitation requires the auditor to express a qualified opinion or a disclaimer of
opinion on internal controls.
Answer: D
Terms: Internal control audit requirements of auditor
Difficulty: Easy
Objective: LO 12-5
7) The scope of the auditor's report on internal control is limited to obtaining reasonable
assurance that significant weaknesses in internal control are identified.
Answer: FALSE
Terms: Section 404 of the Sarbanes-Oxley Act
Objective: LO 12-5
8) To issue an unqualified opinion on internal control over financial reporting, there must be no
identified material weaknesses and no restrictions on the scope of the audit.
Answer: TRUE
Terms: Unqualified opinion on internal control
Objective: LO 12-5
1) It is generally possible for small companies to have all of the following except for
A) adequate documents and records.
B) physical controls over assets.
C) competent, trustworthy personnel.
D) internal auditors.
Answer: D
Terms: Control; smaller company
Difficulty: Easy
Objective: LO 12-6
21
2) The auditor designs and performs a combination of tests of controls and substantive
procedures to obtain reasonable assurance that the financial statements are fairly stated when
control risk
A) is assessed above the maximum.
B) is assessed below the maximum.
C) cannot be assessed.
D) none of the above
Answer: B
Difficulty: Easy
Objective: LO 12-6
3) In the audit of a private company, the auditor will test internal controls when control risk is
initially assessed at
A)
Low Moderate High
Yes No Yes
B)
Low Moderate High
No No Yes
C)
Low Moderate High
Yes Yes No
D)
Low Moderate High
No Yes No
Answer: C
Terms: Control risk
Objective: LO 12-6
22
4) Which of the following may represent the biggest challenge smaller public companies and
nonpublic companies face in implementing effective internal control?
A) a lack of competent, trustworthy personnel
B) no clear lines of authority
C) no adequate separation of duties
D) a lack of adequate documents and records
Answer: C
Terms: Internal control, biggest challenge
Objective: LO 12-6
5) Which of the following is most correct for audits of non-public companies?

A) An audit of internal control is required.
B) An audit of internal control is not required.
C) An audit of the design of internal controls is required.
D) An audit of the operational effectiveness of internal controls is required.
Answer: B
Terms: Audits of non-public companies
Objective: LO 12-6
6) If, when obtaining an understanding of control activities of a relatively small client, the
auditor identified no control activities, the auditor would probably set a high assessment of
control risk.
Answer: TRUE
Terms: Control activities; control risk
Difficulty: Easy
Objective: LO 12-6
7) The auditor obtains a sufficient understanding of internal control to assess the risk of material
misstatement at the overall financial statement level and at the relevant assertion level.
Answer: TRUE
Difficulty: Easy
Objective: LO 12-6
8) The procedures used to gain an understanding of internal control do not vary from client to
client.
Answer: FALSE
Difficulty: Easy
Objective: LO 12-6
23
9) In an audit of a nonpublic company, the less control risk there is, the smaller the amount of
planned substantive evidence that is required.
Answer: TRUE
Terms: Nonpublic company; control risk; substantive evidence
Objective: LO 12-6
10) The assessment of control risk does not impact the testing of controls.
Answer: FALSE
Terms: Control risk
Difficulty: Easy
Objective: LO 12-6
11) A company's size should have no impact on the nature of internal control and the controls
that are implemented.
Answer: FALSE
Terms: Internal controls for smaller companies
Objective: LO 12-6
12) Control risk is generally set at minimum for most private companies.
Answer: FALSE
Terms: Internal controls for smaller companies
Objective: LO 12-6
1) The auditor's objective in determining whether the client's computer program correctly
processes valid and invalid transactions is accomplished through the
A) test data approach.
B) generalized audit software approach.
C) microcomputer-aided auditing approach.
D) generally accepted auditing standards.
Answer: A
Terms: Test data approach
Objective: LO 12-7
24
2) When using the test data approach,
A) auditors process test data supplied by the client.
B) auditors often obtain assistance from a computer audit specialist.
C) the tests must be performed at the end of the year.
D) the test data must remain in the client's records.
Answer: B
Objective: LO 12-7
3) Which of the following is not seen as an advantage to using generalized audit software
(GAS)?
A) Auditors can learn the software in a short period of time.
B) It can be applied to a variety of clients after detailed customization.
C) It can be applied to a variety of clients with minimal adjustments to the software.
D) It greatly accelerates audit testing over manual procedures.
Answer: B
Terms: Generalized audit software
Objective: LO 12-7
4) When using the test data approach,

A) test data should include data that the client's system should accept or reject.
B) application programs tested by the auditor's test data must be different from those used by the
client throughout the year.
C) select data may remain in the client system after testing.
D) None of the above statements is correct.
Answer: A
Objective: LO 12-7
5) Auditing by testing automated internal controls and account balances electronically, generally
because effective general controls exist, is known as
A) auditing through the computer.
B) auditing around the computer.
C) embedded audit module approach.
D) parallel simulation testing.
Answer: A
Terms: IT auditing environment
Objective: LO 12-7
25
6) Which of the following computer-assisted auditing techniques inserts an audit module in the
client's application system to identify specific types of transactions?
A) parallel simulation testing
B) test data approach
C) embedded audit module
D) generalized audit software testing
Answer: C
Terms: Computer-assisted auditing techniques allow fictitious and real transactions
Objective: LO 12-7
7) Which of the following best describes the test data approach?

A) Auditors process their own test data using the client's computer system and application
program.
B) Auditors process their own test data using their own computers that simulate the client's
computer system.
C) Auditors use auditor-controlled software to do the same operations that the client's software
does, using the same data files.
D) Auditors use client-controlled software to do the same operations that the client's software
does, using auditor created data files.
Answer: A
Objective: LO 12-7
8) The embedded audit module approach requires the auditor to insert an audit module in the
client's application system to identify specific types of transactions.
Answer: TRUE
Terms: Embedded audit module approach
Objective: LO 12-7
9) The objective of the test data approach is to determine whether the client's computer programs
can correctly process valid and invalid transactions.
Answer: TRUE
Objective: LO 12-7
26
10) Parallel simulation is used primarily to test internal controls over the client's IT systems,
whereas the test data approach is used primarily for substantive testing.
Answer: FALSE
Terms: Parallel simulation
Objective: LO 12-7
11) Generalized audit software is used to test automated controls.

Answer: TRUE
Terms: Generalized audit software
Objective: LO 12-7
12) Describe three computer auditing techniques available to the auditor.

Answer: Computer auditing techniques available to the auditor are:
• Test data approach. Using this approach, the auditors process their own test data using the
client's computer system and application program to determine whether the automated controls
correctly process the test data.
• Parallel simulation. The auditors use auditor-controlled software to do the same operations
that the client's software does, using the same data files. The purpose is to determine the
effectiveness of automated controls and to obtain evidence about electronic account balances.
• Embedded audit module. Using this approach, the auditor inserts an audit module into the
client's application system to identify specific types of transactions.
Terms: Computer auditing techniques
Objective: LO 12-7
13) Discuss the advantages and benefits of using generalized audit software.
Answer: Advantages and benefits of using generalized audit software include:
• It is relatively easy to train the audit staff in its use, even if they have little formal IT training.
• The software can be applied to a wide variety of clients with minimal customization.
• It has the ability to do audit tests much faster and, in more detail, than using traditional
manual procedures.
Terms: Advantages of using generalized audit software
Objective: LO 12-7
27
14) Auditors often use Generalized Audit Software during their testing of a client's internal
controls. For the following uses of the software provide a description and an example.
Verify extensions and footings

Print confirmation requests
Compare data on separate files
Answer: Verify extensions and footings: Verify accuracy of the client's computations by
calculating information independently; foot any subsidiary ledger.
Print confirmation requests: Print data for sample items selected for confirmation testing; print
customer name, address, and account balance information from master files.
Compare data on separate files: Determine that information contained in two or more data files
agrees; compare changes in accounts receivable balances between two dates using sales and cash
receipts in transaction files.
Terms: Generalized Audit Software and testing of internal controls
Objective: LO 12-7
28

Chapter 12

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 12

Uploaded by

Copyright:

Available Formats

Auditing and Assurance Services, 17e (Arens/Elder/Beasley)

Chapter 12 Assessing Control Risk and Reporting on Internal Controls

12.1 Learning Objective 12-1

8) Flowcharts are harder to read and update than narratives.

6) Which of the following is the correct definition of "control deficiency"?

11) When identifying audit objectives and existing controls,

15) When assessing control risk,

16) When a compensating control exists, the absence of a key control

20) A significant internal control deficiency is always considered a material weakness.

12.3 Learning Objective 12-3

6) Which of the following is an accurate statement relating to the extent of procedures?

7) When testing manual or automated controls,

9) When a client uses a service center for processing transactions,

12.4 Learning Objective 12-4

1) Which of the following is a correct statement?

12.5 Learning Objective 12-5

12.6 Learning Objective 12-6

5) Which of the following is most correct for audits of non-public companies?

12.7 Learning Objective 12-7

4) When using the test data approach,

7) Which of the following best describes the test data approach?

11) Generalized audit software is used to test automated controls.

12) Describe three computer auditing techniques available to the auditor.

Verify extensions and footings

You might also like