Chapter 07 - Internal Control
True / False Questions
Difficulty: Easy
2. The Foreign Corrupt Practices Act prohibits bribes to foreign corporate officials to obtain
business.
FALSE
Difficulty: Hard
Difficulty: Easy
3. Incompatible duties exist when an employee is in a position to perpetrate and conceal errors
or fraud.
TRUE
4. Internal auditors should preferably report to the chief accounting officer of the company.
FALSE
Difficulty: Medium
Difficulty: Easy
6. CPA firms may use written narratives to describe internal control in their audit working
papers.
TRUE
Difficulty: Easy
Difficulty: Easy
Difficulty: Medium
8. If the auditors' assessment of the design of internal control reveals that it cannot be relied
upon, the auditors are not required to prepare any documentation of internal control for their
working papers.
FALSE
Difficulty: Easy
9. The relatively low number of types of transactions incurred by small firms makes the
segregation of duties impossible.
FALSE
10. In a financial statement audit, CPAs are required to assess the operating effectiveness of
most significant accounting oriented controls.
FALSE
Difficulty: Medium
11. Which of the following matters would an auditor most likely consider to be a significant
deficiency to be communicated to the audit committee?
A. Management's failure to renegotiate unfavorable long-term purchase commitments.
B. Recurring operating losses that may indicate going concern problems.
C. Evidence of a lack of objectivity by those responsible for accounting decisions.
D. Management's current plans to reduce its ownership equity in the entity.
Difficulty: Medium
Source: AICPA
12. In assessing the objectivity of a client's internal auditors, the CPA would be most likely to
consider internal auditor:
A. Education levels.
B. Experience.
C. Organizational status within the company.
D. Training and supervisory skills.
Difficulty: Medium
13. In a financial statement audit performed following AICPA Professional Standards, how
frequently must an auditor test operating effectiveness of controls that appear to function as
they have in past years and on which the auditor wishes to rely upon in the current year?
A. Monthly.
B. Each audit.
C. At least every second audit.
D. At least every third audit.
Difficulty: Medium
14. After obtaining an understanding of internal control and arriving at a preliminary assessed
level of control risk, an auditor decided to perform tests of controls. The auditor most likely
decided that:
A. Additional evidence to support a reduction in the assessed level of control risk is not
available.
B. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
C. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive procedures.
D. There were many internal control deficiencies that would allow misstatements to enter the
accounting system.
Difficulty: Hard
Source: AICPA
Difficulty: Hard
16. Which of the following is not ordinarily a procedure for documenting an auditor's
understanding of internal control for planning purposes?
A. Checklist.
B. Flowchart.
C. Questionnaire.
D. Confirmation.
Difficulty: Easy
Difficulty: Hard
18. Which is most likely when the assessed level of control risk increases?
A. Change from performing substantive procedures at year-end to an interim date.
B. Perform substantive procedures directed inside the entity rather than tests directed toward
parties outside the entity.
C. Use the maximum number of dual purpose tests.
D. Use larger sample sizes for substantive procedures.
Difficulty: Medium
19. Which of the following must the auditor communicate to the audit committee?
A. Significant deficiencies and material weaknesses.
B. Only significant deficiencies.
C. Only material weaknesses.
D. Neither significant deficiencies nor material weaknesses.
Difficulty: Medium
20. A client's internal control appears strong, but the CPA has elected not to perform any tests
of controls. The planned assessed level of control risk is at what level?
A. Zero.
B. Low.
C. Moderate.
D. Maximum.
Difficulty: Hard
21. Which of the following would be least likely to be regarded as a test of a control?
A. Tests of the additions to property by physical inspection.
B. Comparisons of the signatures on cancelled checks to the authorized check signer list.
C. Tests of signatures on purchase orders.
D. Recalculation of payroll deductions.
Difficulty: Hard
22. Which of the following is not considered one of the five major components of internal
control?
A. Risk assessment.
B. Segregation of duties.
C. Control activities.
D. Monitoring.
Difficulty: Medium
Difficulty: Easy
23. Which of the following statements is correct concerning the understanding of internal
control needed by auditors?
A. The auditors must understand the information system, not the accounting system.
B. The auditors must understand monitoring and all preliminary accounting controls.
C. The auditors must have a sufficient understanding to assess the risks of material
misstatement.
D. The auditors must understand the control environment, risk assessment, and all control
activities.
Difficulty: Medium
25. On financial statement audits, it is required that the auditors obtain an understanding of
internal control, including:
A. Its operating effectiveness.
B. Whether it has been implemented (placed in operation).
C. Performing tests of controls for all material controls.
D. Its ability to provide reasonable assurance.
Difficulty: Medium
Difficulty: Medium
27. This organization developed a set of criteria that provide management with a basis to
evaluate controls not only over financial reporting, but also over the effectiveness and
efficiency of operations and compliance with laws and regulations:
A. Foreign Corrupt Practices Corporation.
B. Committee of Sponsoring Organizations.
C. Cohen Commission.
D. Financial Accounting Standards Board.
Difficulty: Medium
28. Which of the following is most likely to be considered a risk assessment procedure
relating to internal control?
A. Confirm accounts receivable.
B. Perform a test of a control relating to payroll.
C. Take test counts of the year-end inventory.
D. Trace a transaction through the information system relevant to financial reporting.
Difficulty: Hard
29. Which statement is correct concerning the definition of internal control developed by the
Committee of Sponsoring Organizations (COSO)?
A. Its applicability is largely limited to internal auditing applications.
B. It is recognized in the Statements on Auditing Standards.
C. It emphasizes the effectiveness and efficiency of operations over the reliability of financial
reporting.
D. It suggests that it is important to view internal control as an end product as contrasted to a
process or means to obtain an end.
Difficulty: Hard
Difficulty: Medium
31. Which statement is correct concerning the relevance of various types of controls to a
financial statement audit?
A. An auditor may ordinarily ignore the consideration of controls when a substantive audit
approach is used.
B. Controls over the reliability of financial reporting are ordinarily most directly relevant to
an audit, but other controls may also be relevant.
C. Controls over safeguarding assets and liabilities are of primary importance, while controls
over the reliability of financial reporting may also be relevant.
D. All controls are ordinarily relevant to an audit.
Difficulty: Hard
Difficulty: Medium
33. Which of the following is not ordinarily considered a factor indicative of increased
financial reporting risk when an auditor is considering a client's risk assessment policies?
A. Salaried sales personnel.
B. Implementation of a new information system.
C. Rapid growth of the organization.
D. Corporate restructuring.
Difficulty: Medium
34. The Sarbanes-Oxley Act of 2002 requires that the audit committee:
A. Annually reassess control risk using information from the CPA firm.
B. Be directly responsible for the appointment, compensation and oversight of the work of the
CPA firm.
C. Require that the company's CPA firm rotate the partner in charge of the audit.
D. Review the level of management compensation.
Difficulty: Medium
35. When tests of controls reveal that controls are operating as anticipated, it is most likely
that the assessed level of control risk will:
A. Be less than the preliminary assessed level of control risk.
B. Equal the preliminary assessed level of control risk.
C. Equal the actual control risk.
D. Be less than the actual control risk.
Difficulty: Hard
36. Under which circumstance is it likely that the extent of substantive procedures will be
expanded beyond that anticipated in the audit plan?
A. The auditors have determined that controls have been implemented (placed in operation)
but, in accordance with the audit plan, have performed no tests of controls.
B. Certain controls do not leave a trail of documentary evidence.
C. Deviation rates were greater than zero and approached anticipated levels.
D. The operating effectiveness of certain controls was found to be less than expected,
although no material misstatements were identified.
Difficulty: Hard
37. The provisions of the Foreign Corrupt Practices Act apply to:
A. All U.S. corporations.
B. All U.S. corporations that engage in foreign operations.
C. All corporations that must file under the Securities Exchange Act of 1934.
D. All U.S. partnerships and corporations.
Difficulty: Medium
Difficulty: Medium
39. During financial statement audits, the auditors' consideration of their clients' internal
control is integral to both assess the risk of material misstatement and to:
A. Assess inherent risk.
B. Design further audit procedures.
C. Assess compliance with the Foreign Corrupt Practices Act.
D. Provide a reasonable basis for an opinion on compliance with applicable laws.
Difficulty: Easy
Difficulty: Medium
40. Which of the following comes closest to outlining the auditors' responsibility for
considering internal control in all financial statement audits?
A. An understanding of the control environment, information and communication, risk
assessment and monitoring is necessary; an understanding of control activities is only
necessary for areas in which the auditor is performing tests of controls.
B. The auditor must obtain an understanding of each of the five internal control components
sufficient to assess the risks of material misstatement for the audit.
C. When tests of controls have been performed, control risk must be assessed at a level less
than the maximum.
D. An understanding of the control environment is necessary, but no understanding of the
other components is necessary unless control risk is to be assessed at a level less than the
maximum.
41. Which of the following is not a primary procedure auditors use to obtain sufficient
knowledge about the design of the relevant controls and to determine whether they have been
implemented (placed in operation)?
A. Previous experience with the entity.
B. Inquiries of appropriate management personnel.
C. Performance of substantive procedures.
D. Inspection of documents and records.
Difficulty: Medium
42. A control deficiency that is less severe than a material weakness, but important enough to
merit attention by those responsible for oversight of the company's financial reporting is
referred to as a(n):
A. Control deficiency.
B. Inherent limitation.
C. Reportable deficiency.
D. Significant deficiency.
Difficulty: Medium
43. For effective internal control, which of the following functions should not be assigned to
the company's accounting department?
A. Reconciling accounting records with existing assets.
B. Recording financial transactions.
C. Signing payroll checks.
D. Preparing financial reports.
Difficulty: Medium
Difficulty: Hard
44. Which of the following is not a responsibility that should be assigned to a company's
internal audit department?
A. Evaluating internal control.
B. Approving disbursements.
C. Reporting on the effectiveness of operating segments.
D. Investigating potential merger candidates.
45. Which of the following is true about the auditors' consideration of internal control in a
financial statement audit?
A. The auditors must assess control risk at a level lower than the maximum.
B. The auditors must prepare a flowchart description of internal control for their working
papers.
C. The auditors must obtain an understanding of the steps in processing major types of
transactions.
D. The auditors must perform tests of controls.
Difficulty: Medium
Difficulty: Medium
46. Which of the following is an advantage of describing internal control through the use of a
standardized questionnaire?
A. Questionnaires highlight weaknesses in the system.
B. Questionnaires are more flexible than other methods of describing internal control.
C. Questionnaires usually identify situations in which internal control weaknesses are
compensated for by other strengths in the system.
D. Questionnaires provide a clearer and more specific portrayal of a client's system than other
methods of describing internal control.
47. Which of the following is least likely to be considered a risk assessment procedure
relating to internal control?
A. Counting marketable securities at year-end.
B. Inquiries of client personnel.
C. Inspecting documents and reports.
D. Observing the application of specific controls.
Difficulty: Hard
48. Which of the following is least likely to be considered a risk assessment procedure?
A. Analytical procedures.
B. Inspection of documents.
C. Observation of the counting of inventory.
D. Observation of the performance of certain accounting procedures.
Difficulty: Hard
49. Which of the following is not a factor that is considered a part of the client's overall
control environment?
A. The organizational structure.
B. The information system.
C. Management philosophy and operating style.
D. Board of directors.
Difficulty: Medium
50. Which of the following would be least likely to be considered a benefit of effective
internal control?
A. Eliminating all employee fraud.
B. Restricting access to assets.
C. Detecting ineffectiveness.
D. Ensuring authorization of transactions.
Difficulty: Medium
51. After documenting the client's prescribed internal control, the auditors will often perform
a walk-through of each transaction cycle. An objective of a walk-through is to:
A. Verify that the controls have been implemented (placed in operation).
B. Replace tests of controls.
C. Evaluate the major strengths and weaknesses in the client's internal control.
D. Identify weaknesses to be communicated to management in the management letter.
Difficulty: Medium
52. The major components of internal control include all of the following, except:
A. Risk assessment.
B. The control environment.
C. Internal auditing.
D. Control activities.
Difficulty: Medium
53. Which of the following is correct with respect to control deficiencies discovered during an
audit?
A. Auditors must communicate and recommend corrections relating to all material
weaknesses in internal control to management.
B. All material weaknesses in internal control should be reported to the audit committee.
C. All such matters must be communicated to the audit committee and regulatory agencies.
D. All control deficiencies are also significant deficiencies.
Difficulty: Hard
54. After considering the client's internal control the auditors have concluded that it is well
designed and is functioning as anticipated. Under these circumstances the auditors would
most likely:
A. Cease to perform further substantive procedures.
B. Reduce substantive procedures in areas where the internal control was found to be
effective.
C. Increase the extent of anticipated analytical procedures.
D. Perform all tests of controls to the extent outlined in the preplanned audit program.
Difficulty: Easy
Source: AICPA
55. The use of fidelity bonds protects a company from embezzlement losses and also:
A. Minimizes the possibility of employing persons with dubious records in positions of trust.
B. Reduces the company's need to obtain expensive business interruption insurance.
C. Allows the company to substitute the fidelity bonds for various parts of internal control.
D. Protects employees who made unintentional errors from possible monetary damages
resulting from such errors.
Difficulty: Medium
Source: AICPA
56. The independent auditors might consider the procedures performed by the internal
auditors because:
A. They are employees whose work must be reviewed during substantive testing.
B. They are employees whose work might affect the independent auditors' work.
C. Their work impacts upon the cost/benefit tradeoff in evaluating inherent limitations.
D. Their degree of independence may be inferred by the nature of their work.
Difficulty: Medium
Source: AICPA
Difficulty: Easy
Source: AICPA
57. In the consideration of internal control, the operating effectiveness of controls is tested
by:
A. Flowcharts verification.
B. Tests of controls.
C. Substantive procedures.
D. Decision tables.
58. The auditors who become aware of an internal control significant deficiency are required
to communicate this to the:
A. Client's legal counsel.
B. Compensation committee.
C. Audit committee.
D. Internal auditors.
Difficulty: Medium
Source: AICPA
59. A material weakness involves an amount that could result in a misstatement that is
A. Smaller than inconsequential.
B. Larger than inconsequential.
C. Tolerable.
D. Material.
Difficulty: Medium
60. At least what level of probability of a material misstatement is required for a control
deficiency to be considered a material weakness?
A. More than remote.
B. Probable.
C. Reasonable possibility.
D. Sufficient.
Difficulty: Medium
61. A situation in which the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
material misstatements on a timely basis is referred to as a:
A. Control deficiency.
B. Material weakness.
C. Reportable condition.
D. Significant deficiency.
Difficulty: Medium
62. To provide for the greatest degree of independence in performing internal auditing
functions, an internal auditor most likely should report to the:
A. Financial vice-president.
B. Corporate controller.
C. Audit committee.
D. Corporate stockholders.
Difficulty: Medium
Source: AICPA
63. Well-designed internal control that is functioning effectively is most likely to detect a
fraud arising from:
A. The fraudulent action of several employees.
B. The fraudulent action of an individual employee.
C. Informal deviations from the official organization chart.
D. Management fraud.
Difficulty: Medium
Source: AICPA
Difficulty: Medium
Source: AICPA
Difficulty: Medium
Source: AICPA
66. The scope of substantive procedures as compared to the scope of tests of controls
generally varies:
A. In a parallel manner.
B. Inversely.
C. Directly.
D. Equally.
Difficulty: Medium
Source: AICPA
67. Which of the following is least likely to be a factor that might indicate to an auditor that
an identified risk of misstatement requires special audit consideration?
A. Complex calculations are involved.
B. The rate of technological change is moderate in the industry.
C. The potential for fraud seems high.
D. Various subjective methods of application of a key accounting policy exist.
Difficulty: Easy
68. Which of the following audit tests would be regarded as a test of a control?
A. Tests of the specific items making up the balance in a given general ledger account.
B. Tests confirming receivables.
C. Tests of the signatures on canceled checks to board of directors' authorizations.
D. Tests of the additions to property, plant, and equipment by physical inspection.
Difficulty: Medium
Source: AICPA
69. If the independent auditors decide that the work performed by the internal auditors may
have a bearing on their own procedures, they should consider the internal auditors':
A. Competence and objectivity.
B. Efficiency and experience.
C. Independence and review skills.
D. Training and supervisory skills.
Difficulty: Medium
Source: AICPA
70. In the consideration of internal control, the auditor is basically concerned that it provides
reasonable assurance that:
A. Management can not override the system.
B. Operational efficiency has been achieved in accordance with management plans.
C. Misstatements have been prevented or detected.
D. Controls have not been circumvented by collusion.
Difficulty: Medium
Source: AICPA
71. Which of the following is least likely to be considered an appropriate response relating to
risks the auditors identify at the financial statement level?
A. Assign more experienced staff.
B. Incorporate additional elements of unpredictability in the selection of audit procedures.
C. Increase the scope of auditor procedures.
D. Emphasize the need to remain neutral, rather than to exercise professional skepticism.
Difficulty: Easy
72. In assessing the competence of a client's internal auditor, an independent auditor most
likely would consider the
A. Internal auditor's compliance with professional internal auditing standards.
B. Client's policies that limit the internal auditor's access to management salary data.
C. Evidence supporting a further reduction in the assessed level of control risk.
D. Results of ratio analysis that may identify unusual transactions and events.
Difficulty: Medium
Source: AICPA
73. Which of the following factors would most likely be considered an inherent limitation to
an entity's internal control?
A. The complexity of the information processing system.
B. Human judgment in the decision making process.
C. The ineffectiveness of the board of directors.
D. The lack of management incentives to improve the control environment.
Difficulty: Medium
Source: AICPA
74. Proper segregation of duties reduces the opportunities to allow any employee to be in a
position to both
A. Journalize cash receipts and disbursements and prepare the financial statements.
B. Monitor internal controls and evaluate whether the controls are operating as intended.
C. Adopt new accounting pronouncements and authorize the recording of transactions.
D. Record and conceal fraudulent transactions in the normal course of assigned tasks.
Difficulty: Easy
Source: AICPA
75. Which of the following is intended to detect deviations from prescribed controls?
A. Substantive procedures specified by a standardized audit program.
B. Tests of controls designed specifically for the client.
C. Analytical procedures as set forth in an industry audit guide.
D. Computerized analytical procedures tailored for the configuration of the computer
equipment in use.
Difficulty: Medium
Source: AICPA
76. An auditor's purpose for performing tests of controls is to provide reasonable assurance
that:
A. Controls are operating effectively.
B. The risk that the auditor may unknowingly fail to modify the opinion on the financial
statements is minimized.
C. Transactions are executed in accordance with management's authorization and access to
assets is limited by a segregation of functions.
D. Transactions are recorded as necessary to permit the preparation of the financial statements
in conformity with generally accepted accounting principles.
Difficulty: Medium
Source: AICPA
77. Of the following statements about internal control, which one is not valid?
A. No one person should be responsible for the custodial responsibility and the recording
responsibility for an asset.
B. Transactions must be properly authorized before such transactions are processed.
C. Because of the cost/benefit relationship, a client may apply control procedures on a test
basis.
D. Control activities reasonably insure that collusion among employees can not occur.
Difficulty: Easy
Source: AICPA
Difficulty: Hard
79. Which of the following would be least likely to be included in an auditor's tests of
controls?
A. Inspection.
B. Observation.
C. Inquiry.
D. Analytical procedures.
Difficulty: Medium
Source: AICPA
80. The internal control provisions of the Sarbanes-Oxley Act of 2002 apply to which
companies in the United States:
A. All companies.
B. SEC registrants.
C. Only those companies included in the Fortune 500.
D. All nonpublic companies.
Difficulty: Medium
81. An integrated audit performed under Section 404b of the Sarbanes-Oxley Act addresses
financial statements and:
A. Compliance with laws.
B. Internal control over asset safeguarding.
C. Internal control over financial reporting.
D. Suitable criteria.
Difficulty: Medium
82. A report on internal control performed in accordance with PCAOB Standard No. 2
includes an opinion on internal control for:
A. The entire year.
B. The prior quarter.
C. The "as of date."
D. The end of each quarter.
Difficulty: Hard
83. When performing an audit of internal control under PCAOB requirements, auditors
evaluate control:
A. Option A
B. Option B
C. Option C
D. Option D
Difficulty: Medium
84. When performing an internal control audit under PCAOB requirements, one or more
material weaknesses in internal control that exist at year-end may result in what type of
report(s):
A. Option A
B. Option B
C. Option C
D. Option D
Difficulty: Hard
85. When performing an internal control audit under PCAOB standards, one or more material
weaknesses in internal control that exist at year-end may result in what type of report(s):
A. Option A
B. Option B
C. Option C
D. Option D
Difficulty: Medium
Essay Questions
86. Independent auditors should consider the work of internal auditors in their assessment of
control risk.
a. Are internal auditors independent of management? Explain.
b. What is the difference between the primary objective of the independent auditors and that
of internal auditors? Explain.
c. Discuss the factors that should be considered by the independent auditors in deciding how
much, if any, reliance should be placed on the work of the internal auditors.
a. No. However, internal auditors may achieve independence from departments they evaluate
by reporting to a senior officer or the board of directors.
b. The independent auditors' objective is to express an opinion on the client's financial
statements. The internal auditors' primary objective is to aid management in achieving the
most efficient and effective administration of the business.
c. In deciding the degree of reliance to be placed on the work of the internal auditors, the
independent auditors should consider the competence and objectivity of the internal auditors,
and evaluate their work.
Difficulty: Hard
a. The auditors' consideration of their clients' internal control is integral both (1) to assess
the risks of material misstatement in the financial statements and (2) to design the nature,
timing and extent of further audit procedures.
b. The limitations of internal control include (only three required):
Carelessness.
Misunderstanding of instructions.
Top management may override the system.
Collusion among employees may circumvent controls dependent upon segregation of duties.
Cost considerations often limit the effectiveness of the design of the structure.
Difficulty: Medium
88. When considering a client's internal control, the auditors focus on its various
characteristics. For each of the following characteristics indicate the auditors' responsibility
under generally accepted auditing standards and the procedures used to meet that
responsibility.
a. The design of internal control.
b. Controls have been implemented (placed in operation).
c. The operating effectiveness of controls.
Difficulty: Medium
89. Assume that you have assessed inherent risk for an audit area at a very high level. While
obtaining an understanding of internal control, you have determined that it appears to be very
strong. Nonetheless, due to the large number of transactions involved, you have chosen not to
test controls in the area.
a. At what level will the planned assessed level of control risk be established?
b. Describe the scope of tests of controls that will be performed.
c. At what level will the assessed level of control risk be established?
d. What must be documented in the working papers relating to internal control?
e. At what level will detection risk be established?
f. Describe the required scope of substantive procedures, if any. Make certain to discuss
details of likely nature, timing and extent.
Difficulty: Hard
Chapter 10
Internal Control
Multiple-Choice Questions
1.
easy
a
Which of the following is responsible for establishing a private company's internal control?
a. Management.
b. Auditors.
c. Management and auditors.
d. Committee of Sponsoring Organizations.
2.
easy
d
Which of the following is not one of the three primary objectives of effective internal control?
a. Reliability of financial reporting
b. Efficiency and effectiveness of operations
c. Compliance with laws and regulations
d. Assurance of elimination of business risk.
3. (Public)
easy
b
The Public Company Accounting Oversight Board states that reasonable assurance allows a:
a. small likelihood of ineffective internal controls.
b. remote likelihood that material misstatements will not be prevented or detected by
internal control.
c. likelihood that material misstatements will not be prevented or detected by internal
control.
d. high likelihood that material misstatements will not be prevented or detected by
internal control.
4.
easy
c
Two key concepts that underlie management's design and implementation of internal control
are:
a.
b.
c.
d.
5.
easy
a
6.
easy
d
A major control available in a small company, which might not be feasible in a big company, is:
a. a wider segregation of duties.
b. a voucher system.
c. fewer transactions to process.
d. the owner-manager's personal interest and close relationship with personnel.
7. (Public)
easy
a
Which of the following is responsible for establishing internal controls for a public company?
a. Management.
b. The PCAOB.
c. Management and auditors.
d. Committee of Sponsoring Organizations.
8.
medium
a
Which of the following parties provides an assessment of the effectiveness of internal control
over financial reporting for public companies?
Arens/Elder/Beasley
a. Management: Yes
b. Management: No
c. Management: Yes
d. Management: No
An act of two or more employees to steal assets or misstate records is frequently referred to as:
a. collusion.
b. a material weakness.
c. a control deficiency.
d. a significant deficiency.
10.
easy
c
When the auditor attempts to understand the operation of the accounting system by tracing a
few transactions through the accounting system, the auditor is said to be:
a. tracing.
b. vouching.
c. performing a walk-through.
d. testing controls.
11. (SOX)
easy
c
Which section of the Sarbanes-Oxley Act requires management to issue an internal control
report?
a. 202
b. 203
c. 404
d. 408
12. (SOX)
easy
a
Sarbanes-Oxley requires management to issue an internal control report that includes two
specific items. Which of the following is one of these two requirements?
a. A statement that management is responsible for establishing and maintaining an adequate
internal control structure and procedures for financial reporting.
b. A statement that management and the board of directors are jointly responsible for
establishing and maintaining an adequate internal control structure and procedures for
financial reporting.
c. A statement that management, the board of directors, and the external auditors are jointly
responsible for establishing and maintaining an adequate internal control structure and
procedures for financial reporting.
d. A statement that the external auditors are solely responsible.
When management is evaluating the design of internal control, management evaluates whether
the control can do which of the following?
13. (SOX)
easy
c
9.
easy
a
14. (SOX)
easy
b
Internal control reports issued by public companies must identify the framework used to
evaluate the effectiveness of internal control. Which of the following is the most common
framework in the U.S.?
a. Effective Internal Control Framework - AICPA
b. Internal Control - Integrated Framework - COSO
c. Enterprise Internal Control - COSO
d. Enterprise Internal Control - AICPA
15. (Public)
When one material weakness is present at the end of the year, management of a public company
16. (Public)
easy
a
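The auditor's tests to understand the client's internal controls might include which of the
following types of procedures?
a. Observation of employees: Yes; Inquiries of personnel: Yes
b. Observation of employees: No; Inquiries of personnel: No
c. Observation of employees: Yes; Inquiries of personnel: No
d. Observation of employees: No; Inquiries of personnel: Yes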
easy
c
Which of management's concerns with respect to implementing internal controls is the auditor
primarily concerned?
a. Efficiency of operations.
b. Reliability of financial reporting.
c. Effectiveness of operations.
d. Compliance with applicable laws and regulations.
18.
easy
b
Which of the following activities would be least likely to strengthen a company's internal
control?
a. Separating accounting from other financial operations.
b. Maintaining insurance for fire and theft.
c. Fixing responsibility for the performance of employee duties.
d. Carefully selecting and training employees.
19. (Public)
medium
c
20.
easy
b
When auditing a private company, the auditor should obtain an understanding of internal control
sufficient to:
a. provide reasonable protection against client fraud and defalcations by client employees.
b. assess control risk.
c. provide a basis for suggestions to the client for improving the accounting system.
d. provide a method for safeguarding assets, checking the accuracy and reliability of
accounting data, promoting operational efficiency, and encouraging adherence to
prescribed managerial policies.
17.
easy
b
The initial presumption in the audit of a public company is that control risk is:
a. low.
b. moderate.
c. high.
d. low or moderate, but not high.
22.
In the audit of a private company, the auditor will test controls when control risk is initially
assessed at:
21. (Public)
medium
a
medium
c
a.
b.
c.
Low
Yes
No
Yes
Moderate
No
No
Yes
High
Yes
Yes
No
No
Yes
No
24.
medium
b
25.
medium
d
Internal controls can never be regarded as completely effective. Even if company personnel
could design an ideal system, its effectiveness depends on the:
a. adequacy of the computer system.
b. proper implementation by management.
c. ability of the internal audit staff to maintain it.
d. competency and dependability of the people using it.
26.
medium
c
Even with the most effectively designed internal control, the auditor must obtain audit evidence,
beyond testing the controls, for every:
a. transaction.
b. financial statement account.
c. material financial statement account.
d. financial statement account that will be relied upon by third parties.
27.
medium
d
28. (Public)
medium
c
To issue a report on internal control over financial reporting for a public company, an auditor
must:
a. evaluate management's assessment process.
b. independently assess the design and operating effectiveness of internal control.
c. evaluate management's assessment process and independently assess the design and
operating effectiveness of internal control.
d. test controls over significant account balances.
23. (Public)
medium
c
29. (Public)
medium
a
30.
Medium
a
Which of the stock exchanges require listed companies to have an audit committee composed
entirely of independent directors?
a. NYSE: Yes; NASDAQ: Yes
b. NYSE: No; NASDAQ: No
c. NYSE: Yes; NASDAQ: No
d. NYSE: No; NASDAQ: Yes
a.
Geographic dispersion of
company operations
Yes
No
Yes
No
No
No
Yes
32.
medium
b
Authorizations can be either general or specific. Which of the following is not an example of a
general authorization?
a. Automatic reorder points for raw materials inventory.
b. A sales manager's authorization for a sales return.
c. Credit limits for various classes of customers.
d. A sales price list for merchandise.
33.
medium
c
The most important type of protective measure for safeguarding assets is:
a. adequate separation of duties among personnel.
b. proper authorization of transactions.
c. the use of physical precautions.
d. adequate documentation.
34.
medium
a
Which of the following is correct with respect to the design and use of business documents?
a. Not all documents used for internal purposes need to be prenumbered.
b. Documents should be designed for single purposes only to avoid confusion in their use.
c. Documents should be designed to be understandable only by those who use them.
d. Documents designed for external use must be prenumbered.
35. (Public)
medium
a
PCAOB Standard 2 requires auditors to evaluate the effectiveness of the audit committee's
oversight of the company's:
Efficiency of
operations
No
No
Yes
Yes
36.
medium
c
External financial
reporting
Yes
No
Yes
No
a.
b.
c.
d.
31.
medium
b
37.
medium
a
Which of the following principles is not necessary for the proper design and use of documents
and records?
a. Designed for a single use to increase efficiency of operations.
b. Constructed in a manner that encourages correct preparation.
c. Prepared at the time a transaction takes place.
d. Designed for multiple uses to increase efficiency of operations.
38.
medium
b
Narratives, flowcharts, and internal control questionnaires are three common methods of:
a. testing the internal controls.
b. documenting the auditor's understanding of internal controls.
_____ deal with ongoing or periodic assessment of the quality of internal control by
management.
a. Quality monitoring activities
b. Monitoring activities
c. Oversight activities
d. Management activities
40. (Public)
medium
c
Smaller public companies face challenges implementing effective internal control due to
______.
a. a lack of expertise
b. reduced importance
c. limited resources
d. limited available guidance
41.
medium
a
Which of the following is not one of the levels of an absence of internal controls?
a. Major deficiency.
b. Material weakness.
c. Significant deficiency.
d. Control deficiency.
42.
medium
a
43.
medium
c
A(n) _______ deficiency exists if a necessary control is missing or not properly formulated.
a. control
b. significant
c. design
d. operating
To determine if significant internal control deficiencies are material weaknesses, they must be
evaluated on their:
44.
medium
a
39.
medium
b
45.
medium
d
a. Likelihood: Yes; Significance: Yes
b. Likelihood: No; Significance: No
c. Likelihood: Yes; Significance: No
d. Likelihood: No; Significance: Yes
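a. Monitor transactions: Yes; Record and process transactions: Yes; Initiate transactions: Yes
b. Monitor transactions: No; Record and process transactions: No; Initiate transactions: No
c. Monitor transactions: Yes; Record and process transactions: No; Initiate transactions: No
d. Monitor transactions: No; Record and process transactions: Yes; Initiate transactions: Yes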
A procedure that would most likely be used by an auditor in performing tests of control
procedures that involve segregation of functions and that leave no transaction trail is:
a. inspection.
b. observation.
c. reperformance.
d. reconciliation.
47.
medium
b
If the results of tests of controls support the design and operations of controls as expected, the
auditor uses ____ control risk as the preliminary assessment.
a. a lower
b. the same
c. a higher
d. either a lower or higher
48.
medium
b
Internal controls normally include procedures designed to provide reasonable assurance that:
a. employees act with integrity when performing their assigned tasks.
b. transactions are executed in accordance with management's authorization.
c. decision processes leading to management's authorization of transactions are sound.
d. collusive activities would be detected by segregation of employee duties.
49.
medium
d
50.
medium
d
Which of the following is not a likely procedure to support the operating effectiveness of internal
controls?
a. Inquiry of client personnel.
b. Observation of control-related activities.
c. Reperformance of client procedures.
d. Completing an internal control questionnaire.
51. (Public)
medium
a
Before making the final assessment of internal control at the end of an integrated audit, the
auditor must:
46.
medium
b
a.
b.
c.
d.
Test controls
Yes
No
Yes
No
Significant deficiencies and material weaknesses in internal control of a public company must
be reported to which of the following?
a. The Public Company Accounting Oversight Board.
b. Members of management who are responsible for the related area of the company.
c. Audit committee of the company's board of directors.
d. The AICPA.
53.
medium
d
Of the following statements about internal controls, which one is not valid?
a. No one person should be responsible for the custodial responsibility and the recording
responsibility for an asset.
b. Transactions must be properly authorized before such transactions are processed.
c. Because of the cost-benefit relationship, a client may apply controls on a test basis.
d. Control procedures reasonably ensure that collusion among employees cannot occur.
52. (Public)
medium
c
55.
medium
c
Which of the following is not one of the subcomponents of the control environment?
a. Management's philosophy and operating style.
b. Organizational structure.
c. Adequate separation of duties.
d. Commitment to competence.
56.
medium
b
It is important for the CPA to consider the competence of the client's personnel because their
competence bears directly and importantly upon the:
a. cost/benefit relationship of the system of internal control.
b. achievement of the objectives of internal control.
c. comparison of recorded accountability with assets.
d. timing of the tests to be performed.
57.
medium
a
Audit evidence concerning proper segregation of duties normally is best obtained by:
a. direct personal observation of the employee who applies control procedures.
b. making inquiries of co-workers about the employee who applies control procedures.
c. preparation of a flowchart of duties performed and available personnel.
d. inspection of third-party documents containing the initials of who applied control
procedures.
58.
medium
b
59.
medium
a
54.
medium
a
60.
medium
d
61.
medium
b
Which of the following statements about auditor documentation of the client's internal controls
is correct?
a. Documentation must include flow charts.
b. Documentation must include procedural write-ups.
c. No documentation is necessary although it is desirable.
d. No one particular form of documentation is necessary.
Significant deficiencies are matters that come to an auditor's attention and should be
communicated to an entity's audit committee because they represent:
a. material frauds perpetrated by high-level management.
b. internal control deficiencies that could adversely affect a company's ability to initiate,
record, process, or report external financial statements reliably.
c. flagrant violations of the entity's documented conflict-of-interest policies.
d. intentional attempts by client personnel to limit the scope of the auditor's field work.
63.
challenging
a
64. (SOX)
challenging
a
65.
challenging
d
When considering internal control, an auditor should be aware of the concept of reasonable
assurance, which recognizes that the:
a. segregation of incompatible functions is necessary to ascertain that internal control is
effective.
b. employment of competent personnel provides assurance that the objectives of internal
control will be achieved.
c. establishment and maintenance of internal control is an important responsibility of the
management and not of the auditor.
d. costs of internal control should not exceed the benefits expected to be derived from
internal control.
66.
challenging
a
The financial statements are not likely to correctly reflect GAAP if the:
a. controls affecting the reliability of financial reporting are inadequate.
b. company's controls do not promote efficiency.
c. company's controls do not promote effectiveness.
d. company's controls do not promote compliance with applicable rules and regulations.
62.
medium
c
67.
challenging
a
68.
challenging
69.
An auditor should consider two key issues when obtaining an understanding of a client's
70.
challenging
c
The independent auditor should acquire an understanding of the internal audit function as it
relates to the independent auditor's study and evaluation of internal control because the:
a. audit programs, working papers, and reports of internal auditors can often be used as a
substitute for the work of the independent auditor's staff.
b. procedures performed by the internal audit staff may eliminate the independent auditor's
need for an extensive study and evaluation of internal control.
c. work performed by internal auditors may be a factor in determining the nature, timing, and
extent of the independent auditor's procedures.
d. understanding of the internal audit function is an important substantive test to be
performed by the independent auditor.
71.
challenging
c
72.
challenging
d
Hanlon Corp. maintains a large internal audit staff that reports directly to the chief financial
officer. Audit reports prepared by the internal auditors indicate that the system is functioning as
it should and that the accounting records are reliable. An independent auditor will probably:
a. eliminate tests of controls.
b. increase the depth of the study and evaluation of administrative controls.
c. avoid duplicating the work performed by the internal audit staff.
d. place limited reliance on the work performed by the internal audit staff.
73.
challenging
d
External financial statement auditors must obtain evidence regarding what attributes of an
internal audit (IA) department if the external auditors intend to rely on IA's work?
a. Integrity
b. Objectivity
c. Competence
d. All of the above
When planning an audit, the auditor's assessed level of control risk is:
a. determined by using actuarial tables.
b. calculated by using the audit risk model.
c. an economic issue, trading off the costs of testing controls against the cost of testing
balances.
d. calculated by using the formulas provided in the AICPA's auditing standards.
74.
challenging
c
challenging
c
76.
challenging
c
After considering a client's internal controls, an auditor has concluded that it is well designed
and is functioning as intended. Under these circumstances the auditor would most likely:
a. perform tests of controls to the extent outlined in the audit program.
b. determine the control procedures that should prevent or detect errors and irregularities.
c. not increase the extent of predetermined substantive tests.
75.
challenging
a
77.
challenging
a
a. management may establish appropriate policies and procedures but not act on them.
b. the board of directors may not be aware of management's attitude toward the control
environment.
c. the auditor may believe that the policies and procedures are inappropriate for that
particular entity.
d. the policies and procedures may be so weak that no reliance is contemplated by the
auditor.
78.
medium
Essay Questions
Describe each of the three broad objectives management typically has for internal control. With
which of these objectives is the auditor primarily concerned?
Answer:
The three objectives are:
Reliability of financial reporting. Management has both a legal and professional
responsibility to be sure that the information is fairly presented in accordance with
reporting requirements such as GAAP.
Efficiency and effectiveness of operations. Controls within an organization are meant
to encourage efficient and effective use of its resources to optimize the company's
goals.
Compliance with laws and regulations. Public and non-public organizations are
required to follow many laws and regulations. Some relate to accounting only
indirectly, such as environmental protection and civil rights laws. Others are closely
related to accounting, such as income tax regulations and fraud.
79.
medium
The auditor is primarily concerned with the objective of reliable financial reporting.
Briefly describe the responsibilities of management and external auditors for internal controls.
Answer:
Management is responsible for establishing and maintaining the entity's internal controls.
For public companies, management is also required by Section 404 to publicly report on
the operating effectiveness of those controls. In contrast, the auditor's responsibilities
include understanding and testing internal control over financial reporting. For public
company clients, the auditor is also required by Section 404 to issue an audit report on
management's assessment of its internal controls, including the auditor's opinion on the
operating effectiveness of those controls.
80. (Public)
medium
There are four steps in the auditor's process of understanding internal control and assessing
control risk for a public company. Step one is obtain and document an understanding of
internal control: design and operation. What are the remaining three steps?
Answer:
The remaining three steps are:
Assess control risk.
Design, perform, and evaluate tests of controls.
Decide planned detection risk and substantive tests.
81.
medium
Certain principles dictate the proper design and use of documents and records. Briefly describe
several of these principles.
Answer:
82.
medium
Answer:
There are many factors that may lead to increased risk in an organization. Some examples
include:
failure to meet prior objectives,
decreasing quality of personnel,
increasing geographic dispersion of company operations,
increasing significance and complexity of core business processes,
introduction of new information technologies, and
entrance of new competitors.
83.
medium
During a financial statement audit of a private company, three steps must be completed by the
auditor before concluding that control risk is low. What are these steps?
Answer:
The three steps that must be completed by the auditor before concluding that control risk is
low are:
1. obtain an understanding of the control environment, risk assessment procedures,
accounting information and communication system, and monitoring methods at a
fairly detailed level;
2. identify specific controls that will reduce control risk and make an assessment of
control risk; and
3. test the effectiveness of controls.
84.
medium
What are the two primary factors that auditors consider in determining if an entity is auditable?
Answer:
The two primary factors are the integrity of management and the adequacy of accounting
records.
85.
medium
Define the following terms: control deficiency, significant deficiency, and material weakness.
Answer:
A significant deficiency exists if one or more control deficiencies exist that result in
more than a remote likelihood that a misstatement that is more than inconsequential
will not be prevented or detected.
A control deficiency exists if the design or operation of controls does not permit
company personnel to prevent or detect misstatements on a timely basis.
86.
medium
The internal control framework developed by COSO includes five so-called components of
internal control. Discuss each of these five components.
87.
medium
Answer:
The effectiveness of internal controls depends on the competency and dependability of the
people using it. Inherent limitations of internal control include:
employee carelessness,
lack of understanding,
management override, and
collusion.
Answer:
Five components of internal control are:
The control environment. The control environment consists of the actions, policies,
and procedures that reflect the overall attitudes of top management about control and
its importance to the company.
Risk assessment. This is management's identification and analysis of risks relevant to
the preparation of financial statements in accordance with GAAP.
Information and communication. This is the set of manual and/or computerized
procedures that identifies, assembles, classifies, analyzes, records, and reports a
company's transactions and maintains accountability for the related assets.
Control activities. These are the policies and procedures that help ensure necessary
actions are taken to address risks in the achievement of the company's objectives.
Monitoring. This is management's ongoing and periodic assessment of the quality of
internal control performance to determine that controls are operating as intended and
modified when needed.
89.
challenging
88.
medium
90.
challenging
Answer:
The auditor must communicate significant deficiencies and material weaknesses in writing
to those charged with governance as soon as they become aware of their existence. The
communication is usually addressed to the audit committee and to management. Timely
communications may provide management an opportunity to address control deficiencies
before management's report on internal control must be issued. In some instances,
deficiencies can be corrected sufficiently early such that both management and the auditor
can conclude that controls are operating effectively as of the balance sheet date.
The text suggested a five-step approach to identify deficiencies, significant deficiencies, and
material weaknesses. Describe this approach.
Answer:
1. Identify existing controls. Because deficiencies and material weaknesses are the
absence of adequate controls, the auditor must first know which controls exist.
2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and
walkthroughs are useful tools to identify where controls are lacking and the likelihood
of misstatement is therefore increased.
3. Consider the possibility of compensating controls. A compensating control is one
elsewhere in the system that offsets the absence of a key control. When a
compensating control exists, there is no longer a significant deficiency or material
weakness.
4. Decide whether there is a significant deficiency or material weakness. The
likelihood of misstatements and their materiality are used to evaluate if there are
significant deficiencies or material weaknesses.
5. Determine potential misstatements that could result. This step is intended to identify
specific misstatements that are likely to result because of the significant deficiency or
material weakness. The importance of a significant deficiency or material weakness is
directly related to the likelihood and materiality of potential misstatements.
Auditing standards related to the audits of private companies specify the extent to which
auditors can rely on evidence about internal controls obtained in prior years. Briefly describe
this guidance.
Adequate separation of duties is an important control activity. Discuss the four general
guidelines for separation of duties to prevent both intentional and unintentional misstatements
that are of significance to auditors.
92.
challenging
Answer:
When auditors plan to use evidence about the operating effectiveness of internal control
obtained in prior audits, SAS 110 requires them to test their effectiveness at least every
third year. If auditors determine that a key control has been changed since it was last
tested, they should test it in the current year. When there are a number of controls tested in
prior audits that have not been changed, SAS 110 requires auditors to test some of those
controls each year to ensure there is a rotation of controls testing throughout the three-year
period.
Answer:
The general guidelines are:
Custody of assets should be separated from accounting,
Authorizing transactions should be separated from custody of related assets,
Operational responsibility should be separated from record-keeping, and
Duties within IT should be separated.
Match seven of the terms (a-i) with the definitions provided below (1-7):
a. Control environment
b. Control activities
c. Independent checks on performance
d. Internal control
e. Monitoring
f. Separation of duties
g. General authorization
h. Specific authorization
i. Risk assessment
93.
medium
1.
2.
3.
The actions, policies, and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about control and its
importance to the entity.
4.
5.
6.
Policies and procedures that help ensure necessary actions are taken to address
risks in the achievement of the entity's objectives.
7.
If, when obtaining an understanding of control activities of a relatively small client, the auditor
identified no control activities, the auditor would probably set a high assessment of control risk.
a. True
b. False
If, when obtaining an understanding of control activities of a relatively small client, the auditor
identified no control activities, the auditor would probably determine the client were
unauditable.
a. True
b. False
94.
easy
a
95.
easy
a
When internal controls are effective, then substantive audit tests are more reliable; thus, the
extent of substantive tests should be reduced.
a. True
b. False
97.
easy
b
Auditors of private companies may rely on prior periods' tests of controls for a period not to
exceed four years.
a. True
b. False
98.
easy
a
In an audit of a non-public company, the less control risk there is, the smaller the amount of
planned substantive evidence that is required.
a. True
b. False
As a client's information system becomes more complex, it is likely that an auditor will
decrease reliance on controls and increase substantive tests to support a control risk assessment.
a. True
b. False
99.
easy
b
96.
easy
b
When a company designs and implements internal controls, cost of the controls is not a valid
consideration.
a. True
b. False
101. (Public)
easy
a
102.
easy
b
100.
easy
b
For proper internal control, there should be adequate separation of duties. However, the extent
of separation of duties considered adequate depends heavily on the size of the organization.
a. True
b. False
104.
medium
a
In an audit of a non-public company, the auditor's assessment of control risk and the extent of
tests of controls are inversely related.
a. True
b. False
105.
medium
b
Smaller companies usually have more extensive internal controls than larger companies which
result in fewer frauds being committed at small companies.
a. True
b. False
106. (Public)
medium
a
To issue an unqualified opinion on internal control over financial reporting, there must be no
identified material weaknesses and no restrictions on the scope of the audit.
a. True
b. False
107. (SOX)
medium
a
The Sarbanes-Oxley Act of 2002 requires that public companies issue an internal control report.
a. True
b. False
108.
medium
b
109.
medium
a
The primary emphasis by auditors when evaluating and testing internal control is on controls
over classes of transactions rather than controls over account balances.
a. True
b. False
110.
medium
b
When internal controls over a given financial statement account are assessed as highly effective,
the auditor need not obtain audit evidence for that account beyond testing the controls.
a. True
b. False
The chart of accounts is a control and is closely related to the controls related to adequate
documents and records.
a. True
b. False
111.
medium
a
103.
easy
a
Auditing standards prohibit reliance on the work of internal auditors due to the lack of
independence of the internal auditors.
a. True
b. False
113.
medium
a
If an auditor wishes to rely on the work of internal auditors (IA), the auditor must obtain
satisfactory evidence related to the IA's competence, integrity, and objectivity.
a. True
b. False
112.
medium
b
Procedures used to obtain an understanding of internal control are normally performed on fewer
transactions than procedures used to test controls.
a. True
b. False
115.
medium
a
For most uses, flowcharts are superior to narratives as a method of communicating the
characteristics of internal control.
a. True
b. False
116.
medium
b
When documenting their understanding of a client's internal controls, auditors are required to
use narratives.
a. True
b. False
114.
medium
a
Chapter 26
Internal Control
Multiple-Choice Questions
The IIA Code of Ethics is based on all but which of the following ethical principles?
a. Integrity.
b. Independence.
c. Competency.
d. Confidentiality.
2.
easy
c
3.
easy
c
4.
easy
a
Which of the following is not a similarity between external and internal auditors?
a. Both must be independent of the company.
b. Both must be competent.
c. Both use similar methodologies in performing their work.
d. Both consider risk and materiality in their work.
5.
easy
d
1.
easy
b
Auditing standards _______ external auditors to use the internal auditors for direct assistance on
the audit.
a. discourage
b. prohibit
c. encourage
d. permit
7.
easy
b
The primary source of authoritative literature for doing government audits is the:
a. Purple Book.
b. Yellow Book.
c. Green Book.
d. Red Book.
6.
easy
d
8.
easy
c
a
When a state or local government agency receives federal financial assistance, it is subject to
the audit requirements of:
Yellow Book
Yes
No
Yes
Yes
a.
b.
c.
d.
Which of the following is not one of the broad categories of operational audits?
a. Functional audits.
b. Organizational audits.
c. Single Audit Act audits.
d. Special assignment audits.
10.
easy
d
11.
easy
b
The IIA's professional practice framework (including its code of ethics and International
Standards for the Professional Practice of Internal Auditing) is commonly referred to as the:
a. Blue Book.
b. Red Book.
c. Green Book.
d. Yellow Book.
12.
easy
b
The professional organization which is responsible for providing guidance for internal auditors
is the:
a. APA.
b. IIA.
c. ABA.
d. AIA.
The financial auditing standards of the Yellow Book are ______ the 10 GAAS of the AICPA.
a. the same as
b. quite different from
c. incompatible with
d. consistent with
13.
easy
d
9.
easy
c
Which of the following is not one of the three phases in an operational audit?
a. Planning.
b. Training and supervising employees.
c. Evidence accumulation and evaluation.
d. Reporting and follow-up.
15.
medium
a
16.
medium
The Yellow Book recognizes that, because of the sensitivity of government activities and their
public accountability, in government audits the thresholds of acceptable audit risk and tolerable
14.
easy
b
17.
medium
b
The Single Audit Act requires that an audit be conducted for recipients who receive total federal
funds in any fiscal year of:
a. $1,000,000 or more.
b. $500,000 or more.
c. $300,000 or more.
d. $100,000 or more.
18.
medium
b
An audit conducted in accordance with the Yellow Book must include an audit report that states
the audit was performed in accordance with:
a. GAAS.
b. GAGAS.
c. GASA.
d. SAS.
19.
medium
d
An audit designed to evaluate the efficiency and effectiveness of an organization or some part
of an organization would not be called a(n):
a. performance audit.
b. management audit.
c. operational audit.
d. compliance audit.
20.
medium
c
Which of the following is not one of the major differences between financial and operational
auditing?
a. The financial audit is oriented to the past, but an operational audit concerns performance
for the future.
b. The financial audit report is distributed to many readers, but the operational audit report
goes to a few managers.
c. Financial audits deal with the information on the financial statements, but operational
audits are concerned with the information in the ledgers.
d. Financial audits are limited to matters that directly affect the financial statements, but
operational audits cover any aspect of efficiency and effectiveness.
Before an operational audit for effectiveness can be performed, there must be:
a. a financial audit by an independent auditor.
b. a financial audit by an internal auditor.
c. a review performed by either an independent or an internal auditor.
d. specific criteria developed to define effectiveness.
21.
medium
d
22.
medium
d
Auditors involved in planning, performing, or reporting on audits under GAGAS must complete
____ hours of continuing professional education in each two-year period.
a. 20
b. 40
c. 60
d. 80
23.
medium
b
d.
interact.
Special operational auditing assignments arise at the request of management.
25.
medium
a
Which of the following is not a difference between operational auditing and financial auditing?
a. Both must be CPAs.
b. Operational audit reports are usually of a restricted distribution while financial audit
reports are widely distributed.
c. Operational audits often cover non-financial issues while financial audits do not.
d. None of the above is a difference.
26.
medium
c
27.
28.
challenging
d
     Responsibilities   Reporting Structure
a.   Yes                No
b.   No                 No
c.   No                 Yes
d.   Yes                Yes
medium
d
24.
medium
b
29.
challenging
d
30.
challenging
b
A(n) _________ audit emphasizes how efficiently and effectively functions interact.
a. operational
b. compliance
c. financial
d. organizational
Which of the following is not a purpose of a program audit as performed by government
auditors?
a. Determination of the extent to which the desired results established by the legislature are
being achieved.
b. Determination of the causes of inefficiencies in sponsored programs.
c. Determination of the effectiveness of organizations, programs and activities.
d. Determination as to whether the entity has complied with laws and regulations applicable
to the program.
What distinguishes internal control evaluation and testing for financial and operational
auditing?
a. Purpose of the work.
b. Scope of the work.
c. Both a and b.
d. Neither a nor b.
32.
challenging
c
Of the many hours of continuing professional education required every two years, how many
must be in subjects related to the government environment and government auditing for auditors
involved in planning, performing and reporting on audits under GAGAS?
a. 8 hours
b. 16 hours
c. 24 hours
d. 32 hours
33.
challenging
b
     Competence
a.   Yes
b.   No
c.   No
d.   Yes
Essay Questions
35.
easy
External financial statement auditors must obtain evidence regarding what attributes of an
internal audit department if the external auditors intend to rely on the internal auditors' work?
34.
challenging
d
a.
b.
c.
d.
31.
challenging
c
What organization establishes auditing standards for internal auditors and what are those
standards commonly called?
Answer:
Auditing standards for internal auditors are established by the Internal Auditing
Standards Board. They are commonly known as the Red Book.
36.
medium
37.
medium
External auditors typically consider internal auditors effective if they meet three criteria. What
are these criteria?
Answer:
External auditors typically consider internal auditors effective if they are:
Independent of the operating units being evaluated
Competent and well-trained
Have performed relevant audit tests of the internal controls and financial statements
How do the risk and materiality thresholds change in a government audit compared to a
financial statement audit of a public company?
38.
medium
39.
medium
Answer:
The Yellow Book recognizes that in government audits the thresholds of acceptable audit
risk and materiality may be lower than in an audit of a commercial enterprise. This is
because of the sensitivity of government activities and their public accountability.
The Institute of Internal Auditors has established Ethical Principles for its members. List each
of the principles.
40.
medium
Answer:
Planning. In the planning phase, the auditor must determine the scope of the
engagement, staff the engagement, obtain background information about the
organizational unit, understand internal control, and decide on the appropriate
evidence to accumulate.
Evidence accumulation and evaluation. In operational auditing, it is common to use
documentation, client inquiry, and observation extensively, while confirmation and
reperformance are used less extensively for most operational audits than for financial
audits.
Reporting and follow-up. The audit report is tailored to address the scope of the audit,
findings, and recommendations and is typically sent only to management. When
recommendations are made to management, follow-up is done to determine whether
the recommended changes were made, and if not, why.
41.
medium
Answer:
The IIA's ethical principles are:
Integrity.
Objectivity.
Confidentiality.
Competency.
42.
medium
43.
medium
Answer:
Purpose of the audit. Financial auditing emphasizes whether historical information
was correctly recorded, whereas operational auditing emphasizes effectiveness and
efficiency.
Distribution of the reports. For financial auditing, the report typically goes to many
users of financial statements, such as stockholders and bankers, whereas operational
audit reports are intended primarily for management.
Inclusion of nonfinancial areas in operational auditing. Operational audits cover any
aspect of efficiency and effectiveness in an organization, whereas financial audits are
limited to matters that directly affect the fairness of financial statement presentations.
Operational auditing is the review of an organization for efficiency and effectiveness. Discuss
what is meant by the terms effectiveness and efficiency.
44.
medium
Answer:
Functional. A functional audit deals with auditing one or more functions (e.g.,
purchasing) in an organization.
Organizational. An organizational audit deals with an entire organizational unit, such
as a department, branch, or subsidiary.
Special assignments. Special assignment audits arise at the request of management
when there is a need to investigate a particular area, such as investigating the
possibility of fraud in a division, or determining the cause of an ineffective EDP
system.
Answer:
Effectiveness refers to the degree to which the organization's objectives and goals are
accomplished.
Efficiency refers to the degree to which costs are reduced without reducing
effectiveness.
45.
challenging
Audit tests as required by the Single Audit Act must meet several specific objectives. One
objective is to determine whether the amounts reported as expenditures were for allowable
services. Identify three other specific objectives.
Answer:
Whether the records show that those who received services or benefits were eligible to
receive them.
Whether matching requirements, levels of effort, and earmarking limitations were
met.
Whether federal financial reports and claims for advances and reimbursements
contain information that is supported by the books and records from which the basic
financial statements have been prepared.
46.
challenging
Whether amounts claimed or used for matching were determined in accordance with
OMB Circular A-87 and OMB Circular A-102.
The auditing standards of the Yellow Book are consistent with the ten generally accepted
auditing standards of the AICPA. There are, however, important additions/modifications in the
Yellow Book. For example, the Yellow Book recognizes that materiality and risk are lower due
to the nature of the government enterprise. Discuss the other additions/modifications.
In addition to an opinion on whether the financial statements are in accordance with GAAP,
identify four other reports required by the OMB Circular A-133.
47.
challenging
Answer:
Quality control. Auditors of government entities must have an appropriate system of
internal quality control and participate in an external quality control review program.
Compliance auditing. The audit should be designed to provide reasonable assurance
of detecting material misstatements resulting from noncompliance with provisions of
contracts or grant agreements that have a material and direct effect on the financial
statements.
Reporting. The report on financial statements must describe the scope of the auditors'
testing of compliance with laws and regulations and internal controls and present the
results of those tests, or refer to a separate report containing that information.
Answer:
The following reports are required:
48.
medium
a. Compliance audit
b. Economy and efficiency audit
c. Effectiveness
d. Efficiency
e. Functional audit
f. Government Auditing Standards
g. Government audit
h. Institute of Internal Auditors
i. Operational auditing
j. Organizational audit
k. Program audit
l. Single Audit Act
m. Special assignment
n. IIA Practice Standards
o.
2.
3.
4.
5.
6.
Federal legislation that provides for a single coordinated audit to satisfy the
audit requirements of all federal funding agencies.
7.
50.
easy
b
Current professional auditing standards prohibit external auditors from using internal auditors
for direct assistance on external audits.
a. True
b. False
51.
easy
b
Current professional auditing standards require external auditors to use internal auditors for
direct assistance on external audits.
a. True
b. False
The objectives of internal auditors are considerably broader than the objectives of external
auditors.
a. True
b. False
52.
easy
a
49.
easy
b
53.
easy
a
For financial auditing, the audit report typically goes to many users of financial statements,
whereas operational audit reports are intended primarily for management.
a. True
b. False
54.
easy
a
55.
easy
b
56.
easy
Effectiveness refers to the degree to which costs are reduced without reducing efficiency.
a. True
b.
57.
easy
a
Efficiency refers to the degree to which costs are reduced without reducing effectiveness.
a. True
b. False
58.
easy
b
59.
easy
a
60.
easy
a
Effectiveness is concerned with whether defined goals are achieved, whereas efficiency is
concerned with whether the goals are achieved with a minimum use of resources.
a. True
b. False
61.
easy
b
Operational audits may be performed by internal auditors and government auditors, but not by
external auditors.
a. True
b. False
Benchmarking is one source of evaluation criteria for completing an operational audit.
a. True
b. False
62.
easy
a
False
The two most important qualities for an internal auditor to possess are independence and
competence.
a. True
b. False
64.
easy
b
Program audits are primarily focused on inefficient uses of federal funds in sponsored
programs.
a. True
b. False
65.
easy
a
63.
easy
a
66.
medium
a
Professional guidelines for performing internal audits for companies are not as well-defined as
for external audits.
a. True
b. False
67.
medium
b
To help them remain independent of the operations they audit, internal auditors should report
directly to the controller.
a. True
b. False
68.
medium
a
69.
The Internal Auditing Standards Board issues Statements on Internal Auditing Standards.
a. True
b. False
70.
medium
a
71.
medium
b
Internal auditors should have the authority to require implementation of suggestions for
improvement.
a. True
b. False
72.
medium
b
The Red Book specifies all auditing standards issued by the U.S. General Accounting Office.
a. True
b. False
73.
challenging
a
medium
a