CHAPTER 10

Multiple-Choice Questions

1. Which of the following parties is responsible for establishing an entity’s internal controls?
easy a. Management.
a c. Auditors.
b. Management and auditors.
d. Committee of Sponsoring Organizations.

2. For an internal audit function to be effective, it is essential that the internal audit staff
easy a. be independent of the operating departments.
d b. be independent of the accounting department.
c. report directly to a high level of authority within the organization such as the audit
committee.
d. achieve all of the above.

3. Management is often unwilling to implement an ideal system of internal controls because

easy a. control failures are infrequent.
b b. such a system is too expensive.
c. sufficient technology does not exist to afford an ideal system.
d. risks are often overstated.

4. Internal controls can never be considered as absolutely effective because

easy a. their effectiveness is limited by the competency and dependability of the company’s
a personnel.
b. controls always have inherent weaknesses that can be exploited.
c. controls are designed to prevent and detect only material misstatements.
d. none of the above.

5. A major control available in a small company, which might not be feasible in a large
easy company, is
D a. a wider segregation of duties.
b. a voucher system.
c. fewer transactions to process.
d. the owner-manager’s personal interest and close relationship with personnel.

6. An auditor’s attempt to gain an understanding of the accounting system is typically

easy accomplished and documented by
d a. a narrative description of the system.
b. a flowchart.
c. a questionnaire.
d. using any of the above.

7. When the auditor attempts to understand the operation of the accounting system by tracing a
easy few transactions through the accounting system, this is referred to as
c a. tracing.
b. vouching.
c. a walk-through.
d. tests of controls.

10-1
8. Control risk is a measure of the auditor’s expectation that the internal controls
easy a. will prevent material misstatements from occurring.
d b. will detect material misstatements.
c. will either prevent material misstatements or detect them.
d. will neither prevent material misstatements nor detect them.

9. The procedures to test effectiveness of control policies and procedures in support of a lower
easy assessment of control risk are called
a a. tests of controls.
b. tests of transactions.
c. analytical tests.
d. a walk-through.

10. The auditor can conclude that control risk is low

easy a. after obtaining an understanding of the control environment and the accounting system at
d a fairly detailed level.
b. after identifying specific controls that will reduce control risk and making an assessment
of control risk.
c. after testing the controls for effectiveness.
d. only after all three steps above are completed.

11. Each key control that the auditor intends to rely on must be supported by sufficient
easy a. tests of transactions.
b b. tests of controls.
c. analytical review procedures.
d. reperformance procedures.

12. If evidence was obtained in the prior year’s audit that indicates a key control was operating
easy effectively,
d a. it will be unnecessary to test that control this year.
b. the tests of that control will be reduced this year.
c. the auditor would not test this area again this year.
d. the extent of tests of that control may be reduced this year if the auditor determines that
the control is still in place.

13. With which one of management’s concerns with respect to implementing internal controls is
easy the auditor primarily concerned?
b a. Efficiency of operations.
b. Reliability of financial reporting.
c. Effectiveness of operations.
d. Compliance with applicable laws and regulations.

14. Which of the following activities would be least likely to strengthen a company’s internal
easy control?
b a. Separating accounting from other financial operations.
b. Maintaining insurance for fire and theft.
c. Fixing responsibility for the performance of employee duties.
d. Carefully selecting and training employees.

15. Which of the following is not a basic component of internal control as defined by COSO?
easy a. Risk assessment.
c b. Control environment.
c. Compensating controls.
d. Monitoring.

16. Which of the following statements best describes the CPA’s primary objective in reviewing
easy internal control?
b a. To provide reasonable protection against client fraud and defalcations by client

10-2
 employees.
b. To provide a basis for reliance on the system and determining the scope of other auditing
procedures.
c. To provide a basis for constructive suggestions to the client for improving the accounting
system.
d. To provide a method for safeguarding assets, checking the accuracy and reliability of
accounting data, promoting operational efficiency, and encouraging adherence to
prescribed managerial policies.

17. Which of the following audit tests would be regarded as a test of a control?
easy a. Tests of the specific items making up the balance in a given general ledger account.
c b. Tests of the inventory pricing to vendors’ invoices.
c. Tests of the signatures on canceled checks to board of directors’ authorizations.
d. Tests of the additions to property, plant, and equipment by physical inspections.

18. During which part of an audit examination is the preparation of flowcharts most appropriate?
easy a. When performing preliminary analytical procedures.
d b. When performing tests of controls.
c. When evaluating the system of internal administrative control.
d. When reviewing the system of internal accounting control.

19. The ______ consists of the actions, policies, and procedures that reflect the overall attitudes of
easy top management.
c a. control activities.
b. management philosophy.
c. control environment.
d. monitoring function.

20. Which of the following statements regarding audit committees is correct?

medium a. Both the New York Stock Exchange and the American Stock Exchange require that
c listed companies have an audit committee composed entirely of independent directors.
NASDAQ does not state any such requirement.
b. The New York Stock Exchange recommends, and NASDAQ and the American Stock
Exchange require, that listed companies have an audit committee composed entirely of
independent directors.
c. The New York Stock Exchange, the American Stock Exchange, and NASDAQ require
that listed companies have an audit committee composed entirely of independent
directors.
d. Both the New York Stock Exchange and the American Stock Exchange recommend, but
NASDAQ requires, that listed companies have an audit committee composed entirely of
independent directors.

21. The auditor’s study of the client’s internal control is

medium a. required by GAAP.
b b. required by GAAS.
c. required by the IRS.
d. recommended by the AICPA.

22. Internal controls can never be regarded as completely effective. Even if company personnel
medium could design an ideal system, its effectiveness depends on the
d a. adequacy of the computer system.
b. proper implementation by management.
c. ability of the internal audit staff to maintain it.
d. competency and dependability of the people using it.

23. Even with the most effectively designed internal control, the auditor must obtain audit
medium evidence, beyond testing the controls, for every
c a. transaction.
b. financial statement account.

10-3
 c. material financial statement account.
d. financial statement account that will be relied upon by third parties.

24. There are major differences between a simple microcomputer-based accounting system using
medium purchased software for a small service company and a complex IT system for an international
b manufacturing business.
a. Therefore, the general transaction-related audit objectives must be different for each.
b. Nevertheless, the general transaction-related audit objectives are the same for each.
c. Therefore, the general transaction-related audit objectives cannot be compared.
d. Nevertheless, the general transaction-related audit objectives, while different, are still
comparable.

25. The essence of an effectively controlled organization lies in the

medium a. effectiveness of its independent auditor.
d b. effectiveness of its internal auditor.
c. attitude of its employees.
d. attitude of its management.

26. To qualify to be an “outside director” on an audit committee, one must

medium a. not be a part of management.
a b. not own any stock in client company.
c. not receive any remuneration or expense reimbursement.
d. be a state-licensed Certified Public Accountant.

27. After an auditor obtains information about the subcomponents of the control environment, the
medium auditor
a a. uses this understanding to assess management’s attitude about the importance of
controls.
b. uses this understanding to assess control risk.
c. uses this understanding to identify potential areas of concern in assessing control risk.
d. uses this understanding to determine the extent of tests of controls.

28. Which of the following factors may increase risks to an organization?

medium a. Geographic dispersion of company operations.
d b. Quality of personnel.
c. Presence of new information technologies.
d. All of the above.

29. Which of the following statements is correct with respect to separation of duties?
medium a. Employees should not have temporary and permanent custody of assets.
b b. It is desirable to prevent employees who authorize transactions from having custody of
related assets.
c. It is permissible to allow an employee to open cash receipts and record those receipts.
d. None of the above is correct.
30. Authorizations can be either general or specific. Which of the following is not an example of
medium a general authorization?
b a. Automatic reorder points for raw materials inventory.
b. A sales manager’s authorization for a sales return.
c. Credit limits for various classes of customers.
d. A sales price list for merchandise.

31. The most important type of protective measure for safeguarding assets and records is
medium a. adequate separation of duties among personnel.
c b. proper authorization of transactions.
c. the use of physical precautions.
d. adequate documentation.

10-4
32. Which of the following statements is correct with respect to the design and use of business
medium documents?
d a. Only documents used for internal purposes must be prenumbered.
b. Documents should be designed for single purposes only to avoid confusion in their use.
c. Documents should be designed to be understandable only to those responsible for their
use.
d. None of the above statements is correct.

33. The SEC prohibits national stock exchanges from listing any security from a company whose
medium audit committee is
d a. not comprised of solely independent directors.
b. inadequately funded.
c. not solely responsible for hiring and firing the company’s auditors.
d. All of the above are correct.

34. All of the following are substantive tests except

medium a. tests of controls.
a b. tests of details of transactions.
c. tests of details of balances.
d. analytical procedures.

35. Most audits of a company are done annually by the same CPA firm. Except for initial
medium engagements, the auditor begins the audit with a great deal of information about the client’s
b internal controls developed in prior years. Because systems and controls usually don’t change
frequently,
a. the auditor can skip the evaluation of this area on repeat engagements.
b. this information can be updated and carried forward to the current year’s audit.
c. it eases the burden on the auditor’s requirement to do a complete study of the controls
this year.
d. it is sufficient for the auditor just to inquire of client whether the controls have been
changed since last year.

36. Narratives, flowcharts, and internal control questionnaires are three common methods of
medium a. testing the internal controls.
b b. documenting the study of internal controls.
c. designing the audit manual and procedures.
d. documenting the auditor’s understanding of client’s organizational structure.

37. Which of the following statements is not correct?

medium a. It would be unusual to use both a narrative and a flowchart to describe the same system.
c b. The use of both questionnaires and flowcharts on the same engagement is highly
desirable for understanding the client’s system.
c. The advantage of the narrative description is the ease of describing the details of the
internal controls.
d. When reliable and understandable narratives, flowcharts, and questionnaires are
available from client, it is desirable to use them rather than have the auditor prepare his/
her own documents.

38. Which of the following statements about the internal control questionnaire is not correct?
medium a. The primary advantage of the questionnaire approach is the relative completeness of
d coverage of each audit area that a good instrument affords.
b. The questionnaire can be prepared reasonably quickly, and at the beginning of the audit.
c. The primary disadvantage of the questionnaire approach is that individual parts of the
system are examined without providing an overall view.
d. It is unacceptable for the auditor to rely on an internal control questionnaire that has
been filled out by client’s personnel.

10-5
39. When the auditor identifies significant deficiencies in the design or operation of internal
medium controls, it should be communicated to the client’s audit committee in
d a. the audit report.
b. the engagement letter.
c. the management letter.
d. some manner, whether oral or written.

40. When the auditor identifies opportunities for the client to make operational improvements in
medium the internal controls, it will be communicated to client’s audit committee in the
a a. management letter.
b. significant deficiency letter.
c. engagement letter.
d. audit report.

41. When controls leave no documentary evidence or trail,

medium a. it is impossible for the auditor to verify them so he/she will have to rely on substantive
c tests.
b. the only thing available as verification of their effectiveness is inquiry of management.
c. the auditor generally observes them being applied.
d. it is impossible to audit that area of client’s system.

42. The purpose of an entity’s accounting information and communication system is to ______.
medium a. initiate transactions.
d b. record and process transactions.
c. monitor transactions.
d. a and b only.

43. A procedure that would most likely be used by an auditor in performing tests of control
medium procedures that involve segregation of functions and that leave no transaction trail is
b a. inspection.
b. observation.
c. reperformance.
d. reconciliation.

44. Internal controls normally would include procedures that are designed to provide reasonable
medium assurance that
b a. employees act with integrity when performing their assigned tasks.
b. transactions are executed in accordance with management’s general or specific
authorization.
c. decision processes leading to management’s authorization of transactions are sound.
d. collusive activities would be detected by segregation of employee duties.

45. A secondary objective of the auditor’s study and evaluation of internal control is that the study
medium and evaluation provide
b a. a basis for reliance on the system of internal accounting control.
b. a basis for constructive suggestions concerning improvements in internal control.
c. a basis for the determination of the resultant extent of the tests to which auditing
procedures are to be restricted.
d. an assurance that the records and documents have been maintained in accordance with
existing company policies and procedures.

46. Which of the following is not a component of an entity’s internal control?

medium a. Control risk.

10-6
a b. Control procedures.
c. The accounting system.
d. The control environment.

47. Understanding components of internal control and assessing the level of control risk are
medium primarily used by the auditor to
d a. determine whether procedures and records concerning the safeguarding of assets are
reliable.
b. ascertain whether the opportunities to allow any person to both perpetrate and conceal
irregularities are minimized.
c. modify the initial assessments of inherent risk and preliminary judgments about
materiality.
d. determine the nature, timing, and extent of substantive tests for financial statement
assertions.

48. With respect to each class of transactions, the accounting system must satisfy transaction-
medium related audit objectives
a a. regardless of the materiality of the class of transactions.
b. only for those classes of transaction that are material.
c. that management deem to be critical to achieving their objectives.
d. none of the above.

49. Of the following statements about internal controls, which one is not valid?
medium a. No one person should be responsible for the custodial responsibility and the recording
d responsibility for an asset.
b. Transactions must be properly authorized before such transactions are processed.
c. Because of the cost benefit relationship, a client may apply control procedures on a test
basis.
d. Control procedures reasonably ensure that collusion among employees cannot occur.

50. Which of the following best describes the inherent limitations that should be recognized by an
medium auditor when considering the potential effectiveness of a system of internal accounting
control?
a a. Procedures whose effectiveness depends on segregation of duties can be circumvented
by collusion.
b. The competence and integrity of client personnel provides an environment conducive to
accounting control and provides assurance that effective control will be achieved.
c. Procedures designed to assure the execution and recording of transactions in accordance
with proper authorizations are effective against irregularities perpetrated by
management.
d. The benefits expected to be derived from effective internal accounting control usually do
not exceed the costs of such control.

51. Which of the following is not one of the subcomponents of the control environment?
medium a. Human resource policies and procedures.
c b. Organizational structure.
c. Adequate separation of duties.
d. Commitment to competence.
52. It is important for the CPA to consider the competence of the audit clients’ employees
medium because their competence bears directly and importantly upon the
b a. cost/benefit relationship of the system of internal control.
b. achievement of the objectives of internal control.
c. comparison of recorded accountability with assets.
d. timing of the tests to be performed.

53. Effective internal control in a small company that has an insufficient number of employees to
medium permit proper division of responsibilities can best be enhanced by
b a. employment of temporary personnel to aid in the separation of duties.
b. direct participation by the owner of the business in the record-keeping activities of the

10-7
 business.
c. engaging a CPA to perform monthly “write-up” work.
d. delegation of full, clear-cut responsibility to each employee for the functions assigned to
each.

54. Evidential matter concerning proper segregation of duties ordinarily is best obtained by
medium a. direct personal observation of the employee who applies control procedures.
a b. making inquiries of co-workers about the employee who applies control procedures.
c. preparation of a flowchart of duties performed and available personnel.
d. inspection of third-party documents containing the initials of who applied control
procedures.

55. Proper segregation of functional responsibilities calls for separation of the functions of
medium a. authorization, execution, and payment.
b b. authorization, recording, and custody.
c. custody, execution, and reporting.
d. authorization, payment, and recording.

56. When considering the objectivity of internal auditors, an independent auditor should
medium a. evaluate the quality control program in effect for the internal auditors.
d b. examine documentary evidence of the work performed by the internal auditors.
c. test a sample of the transactions and balances that the internal auditors examined.
d. determine the organizational level to which the internal auditors report.

57. Internal controls are not designed to provide reasonable assurance that
medium a. all frauds will be eliminated.
a b. transactions are executed in accordance with management’s authorization.
c. access to assets is permitted only in accordance with management’s authorization.
d. the recorded accountability for assets is compared with the existing assets at reasonable
intervals.

58. Which of the following statements regarding auditor documentation of the client’s internal
medium controls is correct?
d a. Documentation must include flow charts.
b. Documentation must include procedural write-ups.
c. No documentation is necessary although it is desirable.
d. No one particular form of documentation is necessary, and the extent of documentation
may vary.

10-8
59. Significant deficiencies are matters that come to an auditor’s attention, which should be
medium communicated to an entity’s audit committee because they represent
b a. material frauds perpetrated by high-level management.
b. internal control deficiencies that could adversely affect the ability to properly initiate,
record, process, and report financial data.
c. flagrant violations of the entity’s documented conflict-of-interest policies.
d. intentional attempts by client personnel to limit the scope of the auditor’s field work.

60. Which of the following statements, if any, is correct?

challenging a. The NASDAQ market requires listed companies to have audit committees that have only
a independent directors.
b. The NASDAQ market requires listed companies to have audit committees that have a
minority of the positions held by independent directors.
c. The NASDAQ market recommends, but does not require, listed companies to have audit
committees.
d. The NASDAQ market recommends, but does not require, listed companies to have audit
committees that have a minority of the positions held by independent directors.

61. Which of the following is not typically one of management’s concerns in designing effective
challenging internal controls?
d a. Reliability of financial reporting.
b. Efficiency and effectiveness of operations.
c. Compliance with applicable laws and regulations.
d. Obtaining the best internal control possible.

62. The Sarbanes-Oxley Act of 2002 requires

challenging a. all public companies to issue an internal control report.
a b. all public companies to define adequate internal controls.
c. the auditor of public companies to design effective internal controls over financial
reporting.
d. provides for all three of the above.

63. When considering internal control, an auditor should be aware of the concept of reasonable
challenging assurance, which recognizes that the
d a. segregation of incompatible functions is necessary to ascertain that internal control is
effective.
b. employment of competent personnel provides assurance that the objectives of internal
control will be achieved.
c. establishment and maintenance of internal control is an important responsibility of the
management and not of the auditor.
d. cost of internal control should not exceed the benefits expected to be derived from
internal control.

64. To comply with the second standard of fieldwork, the auditor need not be concerned with all
challenging five areas of internal control that apply to management. The auditor’s primary concerns are
a with the internal control’s ability to
a. ensure reliability of financial reporting.
b. provide reliable data and promote efficiency.
c. promote efficiency and encourage adherence to policy.
d. provide reliable data, safeguard assets, and comply with the Sarbanes-Oxley Act of
2002.

10-9
65. The financial statements are not likely to correctly reflect generally accepted accounting
challenging principles if
a a. the controls affecting the reliability of financial reporting are inadequate.
b. the company’s controls do not promote efficiency.
c. the company’s controls do not promote effectiveness.
d. all three of the above are true.

66. The primary emphasis by auditors is on controls over

challenging a. classes of transactions.
a b. account balances.
c. both a and b, because they are equally weighted.
d. both a and b, because they vary from client to client.

67. The three key concepts that underlie the study of internal control and the assessment of
challenging control risk do not include a criterion that
c a. the internal controls provide reasonable, but not absolute, assurance that the financial
statements are fairly stated.
b. management, not the auditor, must establish and maintain the entity’s controls.
c. the control risk may range from zero to 100%.
d. the internal controls can never be regarded as completely effective.

68. Having an audit committee composed of outside directors is a requirement of

challenging a. all public and private companies.
c b. all private companies.
c. all companies that are listed on the NYSE, AMEX, and NASDAQ.
d. all companies that are audited by members of the AICPA.

69. An auditor should consider two key issues when obtaining an understanding of a client’s
challenging internal controls. These issues are
c a. the effectiveness and efficiency of the controls.
b. the frequency and effectiveness of the controls.
c. the design and utilization of the controls.
d. none of the above.

70. The independent auditor should acquire an understanding of the internal audit function as it
challenging relates to the independent auditor’s study and evaluation of internal accounting control
because
c a. the audit programs, working papers, and reports of internal auditors can often be used as
a substitute for the work of the independent auditor’s staff.
b. the procedures performed by the internal audit staff may eliminate the independent
auditor’s need for an extensive study and evaluation of internal control.
c. the work performed by internal auditors may be a factor in determining the nature,
timing, and extent of the independent auditor’s procedures.
d. the understanding of the internal audit function is an important substantive test to be
performed by the independent auditor.

71. Taylor Sales Corp. maintains a large full-time internal audit staff that reports directly to the
challenging chief accountant. Audit reports prepared by the internal auditors indicate that the system is
d functioning as it should and that the accounting records are reliable. The independent auditor
will probably
a. eliminate tests of controls.
b. increase the depth of the study and evaluation of administrative controls.
c. avoid duplicating the work performed by the internal audit staff.
d. place limited reliance on the work performed by the internal audit staff.

72. When planning an audit, the auditor’s assessed level of control risk is
challenging a. determined by using actuarial tables.

10-10
c b. calculated by using the audit risk model.
c. an economic issue, trading off the costs of testing controls against the cost of testing
balances.
d. calculated by using the formulas provided in the AICPA’s Statements on Auditing
Standards.

73. When a compensating control exists, a weakness in the system

challenging a. is no longer a concern because the potential for misstatement has been sufficiently
reduced.
a b. is reduced but not removed; therefore, it is still of concern to the auditor.
c. could cause a material loss, so it must be tested using substantive procedures.
d. is magnified and must be removed from the sampling process and examined in its
entirety.

74. After considering a client’s internal controls, an auditor has concluded that it is well designed
challenging and is functioning as intended. Under these circumstances the auditor would most likely
c a. perform tests of controls to the extent outlined in the audit program.
b. determine the control procedures that should prevent or detect errors and irregularities.
c. not increase the extent of predetermined substantive tests.
d. determine whether transactions are recorded to permit preparation of financial statements
in conformity with generally accepted accounting principles.

75. An internal control narrative indicates that an approved voucher is required to support every
challenging check request for payment of merchandise. Which of the following procedures provides the
a greatest assurance that this control is operating effectively?
a. Select and examine canceled checks and ascertain that the related vouchers are dated no
later than the checks.
b. Select and examine vouchers and ascertain that the related canceled checks are dated no
earlier than the vouchers.
c. Select and examine canceled checks and ascertain that the related vouchers are dated no
earlier than the checks.
d. Select and examine vouchers and ascertain that the related canceled checks are dated no
later than the vouchers.

76. When obtaining an understanding of an entity’s control environment, an auditor should

challenging concentrate on the substance of management’s policies and procedures rather than their form
a because
a. management may establish appropriate policies and procedures but not act on them.
b. the board of directors may not be aware of management’s attitude toward the control
environment.
c. the auditor may believe that the policies and procedures are inappropriate for that
particular entity.
d. the policies and procedures may be so weak that no reliance is contemplated by the
auditor.

Essay Questions

77. With which aspect of internal control are auditors primarily concerned?
easy
Answer:
The aspect of internal control that auditors are primarily concerned with is the reliability
of financial reporting.

78. An effective accounting information and communication system must satisfy six transaction-
easy related objectives. One of these objectives is that transactions are recorded on the correct
dates (timing). Identify the five remaining objectives.

Answer:

10-11
 The five remaining objectives are:
• Recorded transactions exist (existence).
• Existing transactions are recorded (completeness).
• Recorded transactions are stated at the correct amounts (accuracy).
• Transactions are properly classified (classification).
• Recorded transactions are properly included in the master files and correctly
summarized (posting and summarization).

79. There are four steps in the auditor’s process of understanding internal control and assessing
medium control risk. Step one is obtain understanding of internal control: design and operation. What
are the remaining three steps?

Answer:
The remaining three steps are:
• Assess control risk.
• Test controls.
• Decide planned detection risk and substantive tests.

80. Management’s identification and analysis of risk is an ongoing process and is a critical
medium component of effective internal control. An important first step is for management to identify
factors that may increase risk. Identify at least five factors, observable by management, that
may lead to increased risk in a typical business organization.

Answer:
There are many factors that may lead to increased risk in an organization. Some
examples include:
• failure to meet prior objectives.
• decreasing quality of personnel.
• increasing geographic dispersion of company operations.
• increasing significance and complexity of core business processes.
• introduction of new information technologies.
• entrance of new competitors.

81. Three steps must be completed by the auditor before he/she can conclude that control risk is
medium low. Discuss these three steps.

Answer:
The three steps that must be completed by the auditor before he/she can conclude that
control risk is low are:
1. obtain an understanding of the control environment, risk assessment procedures,
accounting information and communication system, and monitoring methods at a
fairly detailed level;
2. identify specific controls that will reduce control risk and make an assessment of
control risk; and
3. test the controls for effectiveness.

82. Auditors are required by GAAS to obtain an understanding of internal control for every audit.
medium What are the reasons for this requirement?
Answer:
There are four reasons:
• Assess the auditability of the company’s financial statements.
• Identify the types of potential misstatements.
• To allow an assessment of detection risk.

10-12
 • To design effective tests of the financial statement balances.

83. A proper narrative of an accounting system and related controls should possess several key
medium characteristics. What are three such characteristics?

Answer:
The characteristics are:
• The origin of every document and record in the system.
• All processing that takes place.
• The disposition and every document and record in the system.
• An indication of the controls relevant to the assessment of control risk.

84. Describe three inherent limitations of internal control.

medium
Answer:
The effectiveness of internal controls depends on the competency and dependability of
the people using it. Inherent limitations of internal control include:
• employee carelessness,
• lack of understanding,
• management override, and
• collusion.

85. Internal control includes five categories of controls which are called the components of
medium internal control. Discuss each of these five components of internal control.

Answer:
Five components of internal control are:
• The control environment. The control environment consists of the actions, policies,
and procedures that reflect the overall attitudes of top management about control
and its importance to the company.
• Risk assessment. This is management’s identification and analysis of risks relevant
to the preparation of financial statements in accordance with GAAP.
• Information and communication. This is the set of manual and/or computerized
procedures that identifies, assembles, classifies, analyzes, records, and reports a
company’s transactions and maintains accountability for the related assets.
• Control activities. These are the policies and procedures that help ensure necessary
actions are taken to address risks in the achievement of the company’s objectives.
• Monitoring. This is management’s ongoing and periodic assessment of the quality of
internal control performance to determine that controls are operating as intended and
modified when needed.

86. Discuss what is meant by the term “control environment” and identify four control
medium environment subcomponents that the auditor should consider.

Answer:
The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about control and
its importance to the entity. Subcomponents include:
• Integrity and ethical values.

10-13
 • Commitment to competence.
• Board of directors or audit committee.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.

87. Control activities, one of the five components of internal control, are defined as “the policies
medium and procedures, in addition to those included in the other four components, that help ensure
necessary actions are taken to address risks in the achievement of the entity’s objectives.”
There are five categories of control activities. Please describe the five categories of control
activities.

Answer:
The five categories of control activities are:
• Adequate separation of duties.
a. Custody of assets should be separated from accounting.
b. Authorizing transactions should be separated from custody of related assets.
c. Operational responsibility should be separated from record-keeping.
d. Duties within IT should be separated.
• Proper procedures for authorization of transactions.
a. General authorization is given for transactions meeting established criteria.
b. Specific authorization is required for individual transactions that don’t confirm
to the criteria.
• Adequate document and records.
a. Documents should be prenumbered and simple to understand and use.
b. A chart of accounts should be available.
c. Systems manuals should be available.
• Physical control over assets and records. These should include fireproof safes and
limited access storerooms.
• Independent checks on performance by internal verification should be used.

88. Adequate documents and records are important for effective internal control. There are five
medium principles that dictate the proper design and use of documents and records. One principle is
that documents and records should be prenumbered consecutively to facilitate control over
missing documents, and as an aid in locating documents when they are needed at a later date.
Please discuss each of the other four principles of adequate documents and records.

Answer:
Documents and records should be:
• Prepared at the time a transaction takes place, or as soon thereafter as possible.
• Sufficiently simple to ensure that they are clearly understood.
• Designed for multiple use whenever possible, to minimize the number of different
forms.
• Constructed in a manner that encourages correct preparation, such as providing a
degree of internal check within the form or record.
89. What are the four types of procedures used to support the operation of internal controls?
medium Answer:
The four procedures are:
• Make inquiries of client personnel.
• Examine documents, records, and reports.
• Observe control-related activities.
• Re-perform client procedures.

90. Once the auditor has an understanding of internal control, but prior to testing controls, four

10-14
medium specific assessments must be made. One is the assessment of whether the financial statements
are auditable. Discuss each of the remaining three assessments that must be made prior to
testing controls.

Answer:
The remaining three assessments are:
• Assessment of control risk supported by the understanding obtained.
• Assess whether it is likely that a lower assessment of control risk could be supported.
• Decide on the appropriate assessment of control risk.

91. Describe five common procedures an auditor can use to obtain an understanding of internal
medium control design.

Answer:
The five procedures used to obtain an understanding of the client’s internal control
design are:
• Update and evaluate auditor’s previous experience with the client company.
• Make inquiries of client personnel.
• Read client’s policy and systems manuals.
• Examine documents and records.
• Observe activities and operations at the client’s place of business.

92. Adequate separation of duties is an important control activity. Please discuss the four general
challenging guidelines for separation of duties to prevent both intentional and unintentional misstatements
that are of significance to auditors.

Answer:
The general guidelines are:
• Custody of assets should be separated from accounting.
• Authorizing transactions should be separated from custody of related assets.
• Operational responsibility should be separated from record-keeping.
• Duties within IT should be separated.

10-15
Other Objective Answer Format Questions
93. Match seven of the terms (a-i) with the definitions provided below (1-7):
medium
a. Control environment
b. Control activities
c. Independent checks on performance
d. Internal control
e. Monitoring
f. Separation of duties
g. General authorization
h. Specific authorization
i. Risk assessment

e 1. Management’s ongoing and periodic assessment of the quality of internal

control performance to determine that controls are operating as intended and
modified when needed.

g 2. Company-wide policies for the approval of all transactions within stated

limits.

a 3. The actions, policies, and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about control and its
importance to the entity.

f 4. Segregation of the following activities in an organization: custody of assets,

accounting, authorization, and operational responsibility.

i 5. Management’s identification and analysis of risks relevant to the preparation

of financial statements in accordance with generally accepted accounting
principles.

b 6. Policies and procedures that help ensure necessary actions are taken to
address risks in the achievement of the entity’s objectives.

d 7. A process designed to provide reasonable assurance regarding the

achievement of management’s objectives in the following categories: (1)
reliability of financial reporting, (2) effectiveness and efficiency of
operations, and (3) compliance with applicable laws and regulations.

94. If, when obtaining an understanding of control activities of a relatively small client, the
easy auditor identified no control activities, the auditor would probably set a low assessment of
b control risk.
a. True
b. False

95. When internal controls are not effective, then substantive audit tests are less reliable; thus, the
easy extent of substantive tests should be reduced.
b a. True
b. False

96. The less control risk there is, the smaller the amount of planned substantive evidence required.
easy a. True
a b. False

10-16
97. As a client’s information system becomes more complex, it is likely that an auditor will
easy decrease reliance on controls and increase substantive tests to support a control risk
b assessment.
a. True
b. False

98. When a company designs and implements an internal control system, cost of the system is not
easy a valid consideration.
b a. True
b. False

99. One benefit of effective internal control is the reduced cost of an external audit.
easy a. True
a b. False

100. Adequate documents and records is a subcomponent of the control environment.

easy a. True
b b. False

101. For proper internal control, there should be adequate separation of duties. However, the extent
easy of separation of duties considered “adequate” depends heavily on the size of the organization.
a a. True
b. False

102. The auditor’s assessment of control risk and the extent of tests of controls are inversely
easy related; that is, if the auditor’s assessment of control risk decreases, more extensive tests of
a controls are applied.
a. True
b. False

103. It is more common for the auditor’s assessment of control risk to be low when auditing larger
medium clients than smaller clients.
a a. True
b. False

104. The Sarbanes-Oxley Act of 2002 requires that private and public companies issue an internal
medium control report.
b a. True
b. False

105. The most important aspect of internal control is the control environment.
medium a. True
b b. False

106. Because the auditor’s main responsibility is to express an opinion on financial statements,
medium which are comprised of account balances, the primary emphasis by auditors when evaluating
b and testing internal control is on controls over account balances rather than controls over
classes of transactions.
a. True
b. False

107. When internal controls over a given financial statement account are assessed by the auditor as
medium highly effective, the auditor need not obtain audit evidence for that account beyond testing the
b controls.
a. True
b. False
108. The chart of accounts is a control and is closely related to the controls related to adequate
medium documents and records controls.

10-17
a a. True
b. False

109. For proper internal control, the custodianship of cash, including receipts and disbursements,
medium should be the responsibility of the accounting department.
b a. True
b. False

110. Auditing standards prohibit reliance on the work of internal auditors due to the lack of
medium independence of the internal auditors.
b a. True
b. False

111. Procedures used to obtain an understanding of internal control are normally performed on
medium fewer transactions than procedures used to test controls.
a a. True
b. False

112. For most uses, flowcharts are superior to narratives as a method of communicating the
medium characteristics of a system of internal control.
a a. True
b. False

113. When documenting their understanding of a client’s internal controls, auditors are required to
medium use narratives and may optionally also use flowcharts and/or internal control questionnaires.
b a. True
b. False

114. The two primary determinants of an entity’s auditability are the integrity of management and
medium the competency of personnel.
b a. True
b. False

115. When control risk is assessed at the maximum level for a specific transaction-related audit
medium objective, the auditor will not perform tests of controls for that objective.
a a. True
b. False

10-18