Prepared by
Jenny James
Multiple-choice questions
1. The importance of internal control to management and auditors has been recognised for
many years. Which of the following is likely to be cited as a major factor contributing to
this importance?
a. The operations of the business entity have become so unwieldy that management
must rely on the chief financial officer to effectively control operations.
b. Checks and reviews protect against employee collusion and reduce the chance of
employee fraud.
c. Internal control procedures must be utilised to maintain accurate accounting records.
d. It is impractical for auditors to audit most companies within economic fee limitations
without relying on the client’s system of internal controls.
2. Which of these is not one of the fundamental concepts in the COSO report’s definition of
internal control?
a. Internal control is a guarantee.
b. Internal control is a process.
c. Internal control is effected by people.
d. Internal control is geared to the achievement of objectives in the overlapping
categories of financial reporting, compliance and operations.
3. ASA 315.A51 (ISA 315.A51) includes all of the following as components of internal
control except:
a. risk assessment.
b. information system.
c. legal environment.
d. control environment.
c. tracing trail.
d. accounting trail.
9. Which of the following is not generally considered one of the factors that make up the
control environment?
a. Board of directors.
b. Audit committee.
c. Organisational structure.
d. Accounting package used.
11. Which factor concerning boards of directors and audit committees would be considered
least influential in its impact on the control environment?
a. The sex of directors.
b. Experience and stature of directors.
c. The extent of directors’ involvement and scrutiny of management’s activities.
d. Independence from management.
13. Restricting the use of the information system to particular authorised personnel by use of
passwords is an example of:
a. organisational controls.
b. systems development and maintenance controls.
c. data and procedural controls.
d. access controls.
16. The least likely procedure to obtain an understanding of the internal control structure
would be:
a. confirming transactions.
b. inspecting documents and records.
c. enquiring of appropriate management.
d. reviewing previous experience with the client.
b. tests of controls.
c. substantive tests.
d. procedures to obtain an understanding.
18. Which of the following is an example of how an auditor might document the
understanding of internal control?
a. Internal control questionnaire.
b. Flow chart and narrative memoranda.
c. Both of the above.
d. None of the above.
19. Which of these is not a major advantage of the internal control questionnaire?
a. It may be completed in a mechanical fashion.
b. It reduces errors of omission.
c. It provides guidance for less experienced staff.
d. It is usually developed by experienced professionals.
20. Smaller entities are best able to overcome their absence of safeguards by:
a. developing a culture that emphasises integrity, ethical values and competence.
b. removing authority from the owner/manager.
c. implementing a strict segregation of duties policy.
d. creating an audit committee.
Learning objective 9.5 ~ indicate the procedures for obtaining and documenting an
understanding of the entity’s internal control.
24. When the lower assessed level of control risk approach is used, the final assessment of
control risk is made after completing:
a. the procedures to obtain an understanding.
b. the documentation of the understanding.
c. all the planned tests of controls.
d. all the above.
27. The assessment of inherent risk requires consideration of matters that have a pervasive
effect on the entity as a whole and matters that may affect only specific accounts. Which
of the following is an example of a “pervasive effect” matter?
a. Industry of operation.
b. Susceptibility to misappropriation.
c. Sensitivity of valuations to economic factors.
d. All of the above.
29. For a given assertion, the relationship between the level of detection risk (DR) and
assessed control risk (CR) and inherent risk (IR) is shown correctly in which of the
following, where + means increase, - means decrease:
a. +DR if +CR and +IR.
b. +DR if -CR and -IR.
c. +DR if +CR and -IR.
d. +DR if -CR and +IR.
30. If inherent risk and control risk are both assessed as low, detection risk will be:
a. the same as audit risk.
b. medium.
c. high.
d. low.
Answer 9-1
Any four of the following:
Integrity and ethical values: management should exhibit integrity and ethical values. This can
be achieved by setting the tone by example, communicating expected behaviour, and by
reducing or eliminating incentives and temptations that encourage negative behaviour.
Commitment to competence: Personnel at every level in the organisation must possess the
knowledge and skills needed to perform their jobs effectively.
Participation by those charged with governance: the entity’s board of directors and audit
committee should be effective in that they should be independent from management, have
accounting knowledge, experience and stature, and be involved in scrutinising management’s
activities. They should also communicate with internal and external auditors and help
enhance the independence of these audit functions.
Management’s philosophy and operating style: This includes management’s approach to
taking and monitoring business risks, whether they have formal or informal communications,
their attitudes and actions towards financial reporting, whether they select accounting policies
that are aggressive or conservative, whether they are conservative in accounting estimates
and their attitudes to information processing and accounting functions and personnel.
Organisational structure: the organisational structure contributes to an entity’s ability to meet
its objectives by providing an overall framework for planning, executing, controlling and
monitoring the entity’s activities. The structure should appropriately designate key areas of
authority and responsibility, as well as appropriate lines of reporting.
Assignment of authority and responsibility: This is an extension of the development of the
organisational structure. It includes the particulars of how and to whom authority and
responsibility are assigned, and should enable employees to know how their actions
contribute to the achievement of objectives and their accountability.
Human resource policies and practices: these include appropriate recruiting
policies, screening potential employees, familiarising new personnel with the culture and
operating style, training programs that communicate roles and responsibilities, disciplinary
actions, evaluating, counselling and promoting people based on appraisals, and compensation
programs that motivate and reward superior performance and promote ethical behaviour.
Reference: Learning objective 9.4 ~ appreciate the importance of internal control to an entity
and to its independent auditors.
Answer 9-2
• Internal control is a process. It is a means to an end, not an end in itself. It consists of a
series of actions that are pervasive and integrated with, not added onto, an entity’s
infrastructure.
• Internal control is effected by people. It is effected not merely by policy manuals and
forms, but by the actions of people at every level of an organisation, including the board
of directors, management, and other personnel.
• Internal control can be expected to provide only reasonable assurance, not absolute
assurance, for an entity’s management and board because of limitations inherent in all
internal control systems and the need to consider the relative costs and benefits of
establishing controls.
• Internal control is geared to the achievement of objectives in the overlapping categories of
financial reporting, compliance, and operations.
Reference: Learning objective 9.4 ~ appreciate the importance of internal control to an entity
and to its independent auditors.
Answer 9-3
Information processing controls: acceptable examples would involve either general controls
(organisational controls, systems development and maintenance controls, access controls or
data and procedural controls) or application controls (input controls, processing controls or
output controls) that are specific to a computerised system.
Segregation of duties: acceptable examples should adhere to the following principles:
• Responsibility for executing a transaction, recording the transaction and maintaining
custody of the assets resulting from the transaction should be assigned to different
people.
• The various steps involved in executing a transaction should be assigned to different
individuals or departments.
• Responsibility for certain accounting operations should be segregated.
Physical controls: acceptable examples would be either direct or indirect controls that
physically limit access to assets and important records.
Performance reviews: acceptable examples include management reviewing reports,
considering actual performance compared to expected or past performance, or analysing the
relationships of different sets of data.
Reference: Learning objective 9.4 ~ appreciate the importance of internal control to an entity
and to its independent auditors.
Answer 9-4
1. Performance reviews
2. Physical controls
3. Information processing controls
4. Segregation of duties
5. Physical controls
6. Information processing controls
7. Information processing controls
8. Performance reviews
Reference: Learning objective 9.4 ~ appreciate the importance of internal control to an entity
and to its independent auditors.
Answer 9-5
Any three of the following:
Costs versus benefits: the cost of an entity’s internal control structure should not exceed the
benefits that are expected to ensue.
Management override: management can overrule prescribed policies or procedures for
illegitimate purposes, such as personal gain or enhanced presentation of an entity’s financial
condition.
Non-routine transactions: internal control systems focus on routine transactions, which means
there will generally be an increased risk associated with non-routine transactions within the
entity.
Mistakes in judgement: occasionally management and other personnel may exercise poor
judgement in making business decisions or performing routine duties.
Collusion: individuals acting together may evade the planned segregation of duties to
perpetrate and conceal an irregularity.
Breakdowns: breakdowns may occur in established controls because personnel
misunderstand instructions or make errors.
Changes in conditions: over time, conditions may change that may result in procedures
becoming inadequate.
Reference: Learning objective 9.4 ~ appreciate the importance of internal control to an entity
and to its independent auditors.
Answer 9-6
1. The four procedures are:
• reviewing previous experience with the entity
• enquiring of appropriate management, supervisory and staff personnel
• inspecting documents and records
• observing entity activities and operations.
Reference: Learning objective 9.5 ~ indicate the procedures for obtaining and documenting
an understanding of the entity’s internal control.
Answer 9-7
1. An internal control questionnaire consists of a series of questions about accounting and
control policies and procedures that the auditor considers necessary to prevent material
misstatements in the financial statements. Auditors use the questionnaire to gain an
understanding of the entity’s internal control and to document that understanding.
Reference: Learning objective 9.5 ~ indicate the procedures for obtaining and documenting
an understanding of the entity’s internal control.
Answer 9-8
1. The audit risk model is: AR = IR × CR × DR, where:
AR = Audit Risk, which is the risk of failing to modify the audit report when the
financial statements are materially misstated.
IR = Inherent Risk, which is the risk that an error will occur for a given assertion,
assuming that there are no related internal control structure policies or procedures.
CR = Control Risk, which is the risk that a material misstatement that has occurred will
not be detected or corrected by the internal control policies and procedures in place.
DR = Detection Risk, which is the risk that the auditor’s substantive procedures will not
detect a material misstatement that exists in an assertion.
2. The component that is under the control of the auditor is detection risk. There is an
inverse relationship between inherent and control risks and the level of detection risk that
the auditor can accept for an assertion.
Reference: Learning objective 9.7 ~ explain the importance of the concept of audit risk and
its three components.