AUDITING THEORY
AT.0107-Understanding the Entity’s Internal Control
LECTURE NOTES
Understanding The Entity’s Internal Control
Internal control is the process designed, implemented and
maintained by those charged with governance,
management and other personnel to address risks that are
present between the entity and the accomplishment of its
objectives. Its purpose is to address identified business
risks that threaten the achievement of the entity’s
objectives about:
 the reliability of the entity’s financial reporting
(auditor’s primary concern);
 the effectiveness and efficiency of its operations; and
 its compliance with applicable laws and regulations.
Internal control structure varies with an entity’s size and
complexity. Smaller entities may use less structured
means and simpler processes and procedures.
An understanding of internal control assists the auditor in
identifying types of potential misstatements and factors
that affect the ROMM, and in designing the nature, timing,
and extent of FAP (ToC and SP).
Components of Internal Control
The following are the components of an effective internal
control:
a. Control environment
b. Risk assessment process
c. Information system and communication
d. Control activities
e. Monitoring
Control Environment
Control environment is the governance and management
functions and the attitudes, awareness, and actions of
those charged with governance and management
concerning the entity’s internal control and its importance
in the entity. It is the foundation of internal control, and
sets the tone of an organization that influences the control
consciousness of its people.
The seven elements of the control environment are:
a. Communication and enforcement of integrity and
ethical values
b. Commitment to competence
c. Human resource policies and practices
d. Assignment of authority and responsibility
e. Management's philosophy and operating style
f. Participation of those charged with governance
g. Organizational structure
The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the
auditor shall evaluate whether:
a. Management, with the oversight of those charged with
governance, has created and maintained a culture of
honesty and ethical behavior; and
b. The strengths in the control environment elements
collectively provide an appropriate foundation for the
other components of internal control, and whether
those other components are not undermined by control
environment weaknesses.
Page 1 of 6
MAY 2020
Relevant audit evidence may be obtained through a
combination of inquiries and other risk assessment
procedures such as corroborating inquiries through
observation or inspection of documents. For example,
through inquiries of management and employees, the
auditor may obtain an understanding of how management
communicates to employees its views on business
practices and ethical behavior and considering whether
management has a written code of conduct and whether it
acts in a manner that supports the code.
Risk Assessment Process
The entity’s risk assessment process refers to the entity’s
process for identifying business risks relevant to financial
reporting objectives and deciding about actions to address
those risks, and the results thereof. If that process is
appropriate to the circumstances, including the nature,
size and complexity of the entity, it assists the auditor in
identifying ROMM. Whether the entity’s risk assessment
process is appropriate is a matter of judgment.
The auditor shall obtain an understanding of whether the
entity has a process for:
a. Identifying business risks relevant to financial
reporting objectives;
b. Estimating the significance of the risks;
c. Assessing the likelihood of their occurrence; and
d. Deciding about actions to address those risks.
Information System and Communication
Information and communication relates to the
identification, capture, and exchange of information that
enables individuals to carry out their responsibilities. It
includes information system and communication relevant
to financial reporting system which consists of the
procedures and records established to initiate, record,
process and report entity transactions (as well as events
and conditions) and to maintain accountability for the
related assets, liabilities and equity.
Information system and communication consists of
infrastructure (physical and hardware components),
software, people, procedures, and data.
The auditor shall obtain an understanding of the
information system, including the related business
processes, relevant to financial reporting.
The auditor shall obtain an understanding of how the entity
communicates financial reporting roles and responsibilities
and significant matters relating to financial reporting,
including:
a. Communications between management and those
charged with governance; and
b. External communications, such as those with
regulatory authorities.
Control Activities
Control activities are policies and procedures of the entity
that help ensure that management directives are carried
out.
AT.0107
CPART GETS GMRC CPA REVIEW CENTER
Examples of control activities include policies and
procedures on:
 Authorization
 Performance reviews
 Information processing
 Physical controls
 Segregation of duties
The auditor shall obtain an understanding of control
activities relevant to the audit.
Control activities that are relevant to the audit are:
 Those that are required to be treated as such, being
control activities that relate to significant risks and
those that relate to risks for which substantive
procedures alone do not provide sufficient appropriate
audit evidence; or
 Those that are considered to be relevant in the
judgment of the auditor, being those necessary in
order to assess the ROMM at the assertion level and
design FAP responsive to assessed risks
Risks arising from, and control activities in, IT
In understanding the entity’s control activities, the auditor
shall obtain an understanding of how the entity has
responded to risks arising from IT. This topic will be
discussed separately in “Auditing in a computerized
information system (CIS) environment.”
Monitoring
Monitoring is a process that assesses the effectiveness of
internal control performance over time. It includes
assessing the design and operation of controls on a timely
basis and taking necessary corrective actions modified for
changes in conditions.
The types of monitoring activities are:
 ongoing monitoring activities - often built into the
normal recurring activities of an entity and include
regular management and supervisory activities.
 separate evaluations - often performed by internal
auditors or company employees and provide feedback
on the effectiveness of other internal control
processes.
 a combination of the two above.
Internal auditing is often considered a highly effective
monitoring control.
The auditor shall obtain an understanding of the major
activities that the entity uses to monitor internal control
over financial reporting, including those related to those
control activities relevant to the audit, and how the entity
initiates corrective actions to its controls.
Inter-relationship of Components of Internal Control
Internal control consists of five interrelated components
designed to work together as a process in order to address
entity’s business risks and help it accomplish the it’s
objectives.
Inherent Limitations of Internal Control
Internal control can only provide reasonable assurance
that the entity’s objectives are met because of the
following inherent limitations:
 Cost-benefit considerations
 Human errors or mistakes
 Management override or circumvention
 Collusion among employees or outside parties
 Usually directed only at routine transactions, rather
than non-routine transactions
 May become inadequate due to changes in entity’s
circumstances
Page 2 of 6
Understanding Entity’s Internal Controls Through
Transaction Cycles
Transaction cycles refer to certain business processes, or
segments into which related transactions can be
conveniently grouped and for which specific accounting
procedures and control activities are established by an
entity's management.
The common divisions of transaction cycles are:
 Revenue and receipt cycle
 Purchasing and disbursement cycle
 Payroll and personnel cycle
 Production or conversion (Inventory and warehousing)
cycle
 Investing and financing cycle
Note that cycles have no beginning or end except at the
origin and final disposition of a company.
Relevant Controls: Nature and Extent of the
Auditor’s Understanding
The auditor shall obtain an understanding of internal
control relevant to the audit, not all controls that relate to
financial reporting are relevant to the audit. It is a matter
of the auditor’s professional judgment whether a control, is
relevant to the audit.
When obtaining an understanding of controls that are
relevant to the audit, the auditor shall evaluate the design
of those controls and determine whether they have been
implemented, by performing procedures in addition to
inquiry of the entity’s personnel.
Design and Implementation of Relevant Controls
Risk assessment procedures to obtain audit evidence about
the design and implementation of relevant controls may
include:
 Inquiring of entity personnel
 Observing the application of specific controls.
 Inspecting documents and reports.
 Tracing transactions through the information system
relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.
Evaluating the design of a control involves considering
whether the control is capable of effectively preventing, or
detecting and correcting, material misstatements.
Implementation of a control means that the control exists
and that the entity is using it. There is little point in
assessing the implementation of a control that is not
effective, and so the design of a control is considered first.
An improperly designed control may represent a material
weakness in the entity’s internal control.
Obtaining an understanding of an entity’s controls is not
sufficient to test their operating effectiveness (which is
determined through test of controls), unless there is some
automation that provides for the consistent operation of
the controls.
Documentation
The auditor shall document the key elements of each of
the internal control components, including the sources of
information from which the understanding was obtained.
The auditor may document its understanding through any
or combination of the following techniques:
a. Narratives – A narrative is a written description of a
client’s internal controls.
b. Flowcharts – An internal control flowchart is a diagram
of the client’s documents and their sequential flow in
the organization. Flowcharts have two advantages over
narratives: typically they are easier to read and easier
to update. It is unusual to use both a narrative and a
AT.0107
CPART GETS GMRC CPA REVIEW CENTER
flowchart to describe the same system because both
present the same information.
c. Internal Control Questionnaires (ICQ) – An ICQ asks a
series of questions about the controls in each audit
area as a means of identifying internal control
deficiencies. Most questionnaires require a “yes” or a
“no” response, with “no” responses indicating potential
internal control deficiencies. The two main
disadvantages of questionnaires are their inability to
provide an overview of the system and their
inapplicability for some audits, especially smaller ones.
Performing a Transaction Walkthrough Test
Walkthrough test involves tracing a few transactions
through the financial reporting system. This test is
normally done after the auditor has initially documented its
understanding of the transaction cycles and significant
business processes. It should be done every year.
The auditor shall perform walkthroughs to achieve the
following objectives:
 Confirm understanding, as identified in during process
documentation, of the flow of significant classes of
transactions within significant processes or sources
and preparation of information resulting in significant
disclosures, including how these transactions are
initiated, authorized, recorded, processed and
reported: and
 Verify the identified “what can go wrongs” (WCGWs)
that have the potential to materially affect relevant
financial statement assertions related to significant
accounts and disclosures within each significant class
of transactions.
What is a Material Weakness in Internal Control?
Material weakness in internal control is deficiency, or a
combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable
possibility that a material misstatement of the company’s
MULTIPLE CHOICE
The Entity’s Internal Control
1. The process designed and effected by those charged
with governance, management, and other personnel to
provide reasonable assurance about the achievement
of the entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and
regulations.
a. Internal Control c. Administrative control
b. Accounting control d. Control environment
2. Which of the following is not true of internal control as
defined by Committee of Sponsoring Organizations of
the Treadway Commission (COSO) – Integrated
Framework?
a. it is a process that includes all elements of internal
control working together.
b. it includes all the people in the organization.
c. it starts at the top of the organization in setting a
tone.
d. it is narrower than internal control over financial
reporting.
3. The primary responsibility for designing, implementing
and maintaining internal control, and the tone of
internal control typically originates, rests with
a. Internal auditors c. The external auditor
b. The CFO d. The management/TCWG
4. What is management’s primary purpose of effective
internal control in an organization?
a. Obtaining high-quality data for making good
business decisions providing reasonable assurance
that the entity’s objectives are achieved.
Page 3 of 6
annual or interim financial statements will not be
prevented or detected on a timely basis.
Deficiency in internal control exists when:
a. A control is designed, implemented or operated in such
a way that it is unable to prevent, or detect and
correct, misstatements in the financial statements on a
timely basis; or
b. A control necessary to prevent, or detect and correct,
misstatements in the financial statements on a timely
basis is missing.
The auditor shall evaluate whether, on the basis of the
audit work performed, the auditor has identified a material
weakness in the design, implementation or maintenance of
internal control.
The types of material weaknesses in internal control that
the auditor may identify when obtaining an understanding
of the entity and its internal controls may include:
 ROMM that the auditor identifies and which the entity
has not controlled, or for which the relevant control is
inadequate.
 A weakness in the entity’s risk assessment process
that the auditor identifies as material, or the absence
of a risk assessment process in those cases where it
would be appropriate for one to have been established.
The auditor shall communicate material weaknesses in
internal control identified during the audit on a timely basis
to management at an appropriate level of responsibility
and with those charged with governance
What is Significant Deficiency in Internal Control?
Significant deficiency in internal control—A deficiency or
combination of deficiencies in internal control that, in the
auditor’s professional judgment, is of sufficient importance
to merit the attention of those charged with governance.
Significant deficiency is less severe than a material
weakness.
- done -
b. Completion of a successful audit for the entity.
c. Shareholder involvement in the company’s
success.
d. Obtaining profitability and financial strength.
Components of Internal Control
5. Control environment component of internal control
a. Consists of the policies and procedures that help
ensure that management directives are carried
out.
b. Includes the governance and management
functions and the attitudes, awareness, and
actions of those charged with governance and
management concerning the entity’s internal
control and its importance in the entity.
c. Is the entity’s process for identifying business risks
relevant to financial reporting objectives and
deciding about actions to address those risks, and
the results thereof.
d. Consists of the procedures and records established
to initiate, record, process, and report entity
transactions (as well as events and conditions) and
to maintain accountability for the related assets,
liabilities, and equity.
6. Which of the following factors are included in an
entity’s control environment?
a b c d
Commitment to competence Yes Yes No Yes
Integrity and ethical values Yes No Yes Yes
Organizational structure No Yes Yes Yes
Human resources policies
and procedures Yes No Yes Yes
AT.0107
CPART GETS GMRC CPA REVIEW CENTER
7. Management philosophy and operating style most
likely would have a significant influence on an entity's
control environment when
a. The internal auditor reports directly to
management.
b. Management is dominated by one individual.
c. Accurate management job descriptions delineate
specific duties.
d. The audit committee actively oversees the financial
reporting process.
8. An auditor should consider the competence of a client's
employees because their competence bears directly
and importantly on the
a. Cost benefit relationship of internal control.
b. Achievement of the objectives of internal control.
c. Comparison of recorded accountability with assets
on hand.
d. Timing of the tests to be performed.
9. Control activities constitute one of the five components
of internal control. Control activities do not encompass
a. Performance reviews.
b. Information processing.
c. Physical controls and authorization procedures.
d. An internal audit function.
10. Proper segregation of functional responsibilities calls
for separation of the functions of
a. Authorization, execution, and recording.
b. Authorization, execution, and payment.
c. Custody, execution, and reporting.
d. Authorization, payment, and recording.
11. Controls that enhance the reliability of the financial
statements may be classified as prevention controls
and detection controls. Which of the following is
primarily a detection control?
a. Separation of duties between recording cash
receipts and depositing cash.
b. Bank accounts are reconciled monthly by persons
independent of cash recording and cash custody.
c. The human resources department authorizes the
hiring of only those persons for accounting
positions that meet the written job requirements
specified by the corporate controller.
d. An accounting manual, accompanied by a detailed
chart of accounts, carefully and clearly describes
each type of transaction affecting the entity.
12. A component of COSO’s internal control system
concerns the process that provides feedback on the
effectiveness of the other components of internal
control. This component is called:
a. Information & communication c. Monitoring
b. Control activities d. Risk assessment
13. An entity's ongoing monitoring activities often include
a. Periodic audits by the audit committee.
b. Reviewing the purchasing function.
c. The audit of the annual financial statements.
d. Control risk assessment in conjunction with
quarterly reviews.
Inherent Limitations of Internal Control
14. The following are the inherent limitations of internal
control, except
a. Employees’ collusion c. Errors by personnel
b. Management override d. Incompatible duties
15. When considering internal control, an auditor must be
aware of the concept of reasonable assurance, which
recognizes that
a. Employment of competent personnel provides
assurance that the objectives of internal control
will be achieved.
Page 4 of 6
b. Establishment and maintenance of internal control
is an important responsibility of the management
and not of the auditor.
c. Cost of internal control procedures should not
exceed the benefits expected to be derived from
the control.
d. Segregation of incompatible functions is necessary
to ascertain that the control procedures are
effective.
Procedures to Understand Internal Controls
16. An auditor obtains evidence of the internal control over
the accounting system by all of the following except:
a. walkthroughs of the accounting system.
b. making inquiries of banks and attorneys.
c. reviewing system flowcharts.
d. taking plant and operational tours.
17. Which of the following is not useful for obtaining an
understanding of internal controls?
a. Make inquiries of the client’s personnel.
b. Examine documents and records.
c. Read industry trade magazines and re-
performance of internal control.
d. Observe client activities and operations.
Understanding Relevant Controls
18. PSAs require the auditor to obtain understanding of the
entity’s internal control structure
a. For first time audit clients.
b. For every audit.
c. Whenever the auditor wishes or sees necessary.
d. Sufficient to find any frauds that may exist.
19. Which of the following is not a reason that the auditor
must gain an understanding of the client’s internal
control system?
a. to better understand the client, its risks, and how
it manages those risks.
b. to assess control risk and identify the types of
financial statement misstatements that are most
likely to occur affecting relevant financial
statement assertions.
c. to plan direct tests of account balances to
determine if misstatements have occurred.
d. all are reasons why auditors must gain an
understanding of the client’s internal control
system.
20. Reasons to evaluate internal control would not include
a. basis for planning the audit.
b. determining the nature, timing, and extent of
substantive procedures.
c. basis for type of opinion to be rendered.
d. formulating constructive suggestions for
improvements.
21. An auditor should consider two key issues when
obtaining an understanding of a client’s internal
controls. These issues are:
a. the effectiveness and efficiency of the controls.
b. the frequency and effectiveness of the controls.
c. the design (by considering whether the control,
individually or in combination with other controls,
is capable of effectively preventing or detecting
and correcting, material misstatements) and
utilization (by tracing transactions through the
information system relevant to financial reporting)
of the controls.
d. The implementation and efficiency of the controls.
22. To obtain an understanding of an entity’s control
environment, an auditor should concentrate on the
substance of management’s policies and procedures
rather than their form because:
a. management may establish appropriate policies
and procedures but not act on them.
AT.0107
CPART GETS GMRC CPA REVIEW CENTER
b. the board of directors may not be aware of
management’s attitude toward the control
environment.
c. the auditor may believe that the policies and
procedures are inappropriate for that particular
entity.
d. the policies and procedures may be so weak that
no reliance is contemplated by the auditor.
23. When auditing a company, the auditor should obtain
an understanding of internal control sufficient to:
a. provide reasonable protection against client fraud
and defalcations by client employees.
b. assess control risk.
c. provide a basis for suggestions to the client for
improving the accounting system.
d. provide a method for safeguarding assets,
checking the accuracy and reliability of accounting
data, promoting operational efficiency, and
encouraging adherence to prescribed managerial
policies.
Documentation of Internal Control
24. Which of the following is not a medium that can
normally be used by an auditor to record information
concerning a client's internal control policies and
procedures?
a. Narrative memorandum. c. Flowchart.
b. Procedures manual. d. Questionnaire.
25. Which of the following statements about auditor
documentation of the client’s internal controls is
correct?
a. Documentation must include flow charts.
b. Documentation must include procedural write-ups.
c. No documentation is necessary although it is
desirable.
d. No one particular form of documentation is
necessary, and the extent of documentation may
vary.
26. The auditor's review of the client's internal control is
documented in order to substantiate
a. Conformity of the accounting records with GAAP.
b. Compliance with generally accepted auditing
standards.
c. Adherence to requirements of management.
d. The fairness of the financial statement
presentation.
Performing a Walkthrough Test
27. Which of the following statements is incorrect about
walk-through tests?
a. The nature and extent of walk-through tests
performed by the auditor are such that they alone
DO-IT-YOURSELF (DIY) DRILL
1. When evaluating a client's system of internal control to
determine whether the necessary procedures are
prescribed and have been implemented satisfactorily,
an auditor must
a. Develop questionnaires and checklists.
b. Obtain an understanding of internal control.
c. Perform tests of internal control procedures.
d. Evaluate administrative policies.
2. The quality of an organization's internal controls
affects
a. the reliability of financial data.
b. the ability of management to make good decisions.
c. the ability to sustain an effective business.
d. all of the above.
3. Which of management’s concerns with respect to
implementing internal controls is the auditor primarily
concerned?
a. Efficiency of operations.
Page 5 of 6
would provide sufficient appropriate audit evidence
to support a control risk assessment which is less
than high.
b. A procedure that involves tracing a transaction
from its origination through the company's
information systems until it is reflected in the
company's financial report.
c. This procedure may be treated as part of tests of
control.
d. This procedure is performed to evaluate the
effectiveness of the design of controls and
determine (confirm) whether the controls are
implemented (placed in operation) by the client.
28. Which of the following best represents a walk-through?
a. The controller reviews the bank reconciliation
prepared by the accountant and its resulting
journal entries.
b. The auditor walks the production line to find
inefficiencies in the inventory process and reports
them to management.
c. The controller takes a sample of write-offs to
ensure they have been adequately documented
and recorded.
d. The auditor traces three purchasing transactions
from the purchase order to the financial statement
for observation and understanding.
29. In considering internal control, what is the purpose of
a transaction walk through?
a. To assure that employees are performing assigned
functions accurately.
b. To confirm the auditor's understanding of the
internal control structure.
c. To select documents for detailed tests of controls.
d. To verify the results of the auditor's sampling plan.
Deficiency in Internal Control
30. During the audit the independent auditor identified the
existence of a weakness in the client's internal control
and communicated this finding in writing to the client's
senior management and those charged with
governance. The auditor should
a. Consider the weakness a scope limitation and
therefore disclaim an opinion.
b. Consider the effects of the condition on the audit.
c. Suspend all audit activities pending directions from
the client's audit committee.
d. Withdraw from the engagement.
- now do the DIY drill -
b. Reliability of financial reporting, i.e., the entity’s
ability to process and summarize financial data.
c. Effectiveness of operations.
d. Compliance with applicable laws and regulations.
4. An effective system of internal control
a. Eliminates risks and potential loss to the
organization
b. Can prevent collusion among employees
c. Can reduce the cost of an external audit
d. Cannot be circumvented by management
5. Which of the following statements about internal
control is correct?
a. Properly maintained internal controls reasonably
assure that collusion among employees cannot
occur.
b. Establishing and maintaining internal control is the
internal auditor's responsibility.
AT.0107
CPART GETS GMRC CPA REVIEW CENTER
c. Exceptionally strong control allows the auditor to
eliminate substantive tests of details.
d. The cost benefit relationship should be considered
in designing internal controls.
6. When assessing the client which of the following
factors is considered pervasive and creates both an
attitude and culture that affects the client‘s reporting
system, the process of recording transactions, and the
process of making estimates and adjustments.
a. The control environment.
b. Audit testing of processes and controls.
c. Design and operation of controls.
d. Inherent and control risk.
7. The essence of an effectively controlled organization
lies in the:
a. effectiveness of its independent auditor.
b. effectiveness of its internal auditor.
c. attitude of its employees.
d. attitude of its management.
8. Incompatible duties most likely would not be
considered an inherent limitation of the potential
effectiveness of an entity’s internal control.
Mistakes in judgment most likely would not be
considered an inherent limitation of the potential
effectiveness of an entity’s internal control.
Collusion among employees most likely would not be
considered an inherent limitation of the potential
effectiveness of an entity’s internal control.
a. first statement is not correct; the second and third
statements are correct.
b. all above statements are correct.
c. first statement is correct; the second and third
statements are not correct.
d. second statement is correct; the first and third
statements are not correct.
9. Internal control procedures are not designed to provide
reasonable assurance that
a. Transactions are executed in accordance with
management's authorization.
b. Irregularities (frauds) will be eliminated.
c. Access to assets is permitted only in accordance
with management's authorization.
d. The recorded accountability for assets is compared
with the existing assets at reasonable intervals.
10. _____ deal with ongoing or periodic assessment of the
quality of internal control by management.
a. Quality monitoring activities
b. Monitoring activities
c. Oversight activities
d. Management activities
11. Which statement is correct concerning the relevance of
various types of controls to a financial audit?
a. An auditor may ordinarily ignore a consideration of
controls when a substantive audit approach is
taken.
b. Controls over the reliability of financial reporting
are ordinarily most directly relevant to an audit,
but other controls may also be relevant.
c. Controls over safeguarding of assets and liabilities
are of primary importance, while controls over the
reliability of financial reporting may also be
relevant.
d. All controls are ordinarily relevant to an audit.
12. The auditor observes client employees in order to
a. Prepare a flowchart.
b. Update information contained in the organization
and procedure manuals.
c. Corroborate the information obtained during the
initial review of the system.
Page 6 of 6
d. Determine the extent of compliance with quality
control standards.
13. A company with a strong control environment
demonstrates which of the following:
a. a culture of high integrity and ethics.
b. a commitment to financial reporting competencies.
c. an independent, active, and knowledgeable audit
committee.
d. all of the above.
14. Physical controls to safeguard assets would include:
a. hiring only trustworthy cashiers
b. segregation of duties
c. locks on the warehouse doors
d. safety audits on the production-line
15. A proper segregation of duties requires
a. An individual maintaining custody of an asset be
entitled to access the accounting records for the
asset.
b. An individual authorizing a transaction records it
c. An individual recording a transaction not compare
the accounting record of the asset with the asset
itself
d. An individual authorizing a transaction maintain a
custody of the asset that resulted from a
transaction
16. Which of the following components of an entity’s
internal control structure includes the development of
employee promotion and training policies?
a. Control environment c. Control activities
b. Information & communication d. Monitoring
17. Which of the following is not done by an auditor when
obtaining an understanding of an entity's internal
controls?
a. Identify the types of potential misstatements that
can occur.
b. Consider the operating effectiveness of the internal
controls.
c. Design substantive tests.
d. Consider factors that affect the risk of material
misstatements.
18. The primary objective of procedures performed to
obtain an understanding of internal control is to
provide an auditor with
a. Evidential matter to use in reducing detection risk.
b. Knowledge necessary to plan the audit.
c. A basis from which to modify tests of controls.
d. Information necessary to prepare flowcharts.
19. Which of the following will an auditor perform to better
understand a client's internal control over accounting
systems?
a. An auditor will re-test subsequent year working
papers.
b. An auditor will review previous year working
papers.
c. An auditor will copy previous year working papers.
d. An auditor will re-draft subsequent year working
papers.
20. A secondary purpose of the auditor's consideration of
internal control is to provide
a. A basis for constructive suggestions about
improvements in internal control structure.
b. A basis for assessing control risk.
c. An assurance that the records and documents have
been maintained in accordance with existing
company policies and procedures.
d. A basis for the determination of the resultant
extent of the tests to which auditing procedures
are to be restricted.
 - end of AT.0107- 
AT.0107