1

CHAPTER 10

MULTIPLE CHOICE QUESTIONS

1. Which of the following parties is responsible for establishing an entity’s

internal controls?
A. Management
B. Auditors
C. Management and auditors
D. Committee of Sponsoring Organizations

2. Which of the following is not one of the three primary objectives of effective
internal control?
A. Reliability of financial reporting
B. Efficiency and effectiveness of operations
C. Compliance with laws and regulations
D. Each of the above is a primary objective of effective internal control

3. The PCAOB states that reasonable assurance allows for

A. A nominal likelihood of ineffective internal controls
B. A remote likelihood that material misstatements will not be prevented or
detected by internal control
C. A likelihood that material misstatements will not be prevented or detected
by internal control.
D. A high likelihood that material misstatements will not be prevented or
detected by internal control.

4. Internal controls can never be considered as absolutely effective because

A. Their effectiveness is limited by the competency and dependability of
employees
B. Controls always have inherent weaknesses that can be exploited
C. Controls are designed to prevent and detect only material misstatements
D. None of the above

5. A major control available in a small company, which might not be feasible in a

large company, is
A. A wider segregation of duties
 2

B. A voucher system
C. Fewer transactions to process
D. The owner-manager’s personal interest and close relationship with
personnel.

6. An act of two or more employees to steal assets or misstate records is frequently

referred to as
A. Collusion
B. A material weakness
C. A control deficiency
D. Any of the above

7. When the auditor attempts to understand the operation of the accounting system
by tracing a few transactions through the accounting system, this is referred to
as
A. Tracing
B. Vouching
C. A walk-through
D. Tests of controls

8. Which section of the Sarbanes-Oxley Act requires management to issue an

internal control report?
A. 202
B. 203
C. 404
D. 408

9. Sarbanes-Oxley requires management to issue an internal control report that

includes two specific items. Which of the following is one of these two
requirements?
A. A statement that management is responsible for establishing and maintaining
an adequate internal control structure and procedures for financial reporting.
B. A statement that management and the board of directors are responsible for
establishing and maintaining an adequate internal control structure and
procedures for financial reporting.
 3

C. A statement that management, the board of directors, and the external

auditors for establishing and maintaining an adequate internal control
structure and procedures for financial reporting.
D. None of the above is correct.
10. When management is evaluating the design of internal control, management
evaluates whether the control can do all but which of the following?
A. Prevent material misstatements
B. Detect material misstatements
C. Correct material misstatements
D. None of the above is correct

11. Internal control reports issued by public companies must identify the framework
used to evaluate the effectiveness of internal control. Which of the following is
the most common framework in the US?
A. Effective Internal Control Framework – AICPA
B. Internal Control – Integrated Framework – COSO
C. Enterprise Internal Control – COSO
D. There is no single common framework used in the US

12. Auditor’s tests of operating effectiveness of internal controls might include

which of the following types of procedures?
A. Inspection of relevant documentation
B. Inquiries of personnel
C. Reperformance of the application of controls
D. All of the above

13. With which one of management’s concerns with respect to implementing

internal controls is the auditor primarily concerned?
A. Efficiency of operations
B. Reliability of financial reporting
C. Effectiveness of operations
D. Compliance with applicable laws and regulations

14. Which of the following activities would be least likely to strengthen a

company’s internal control?
A. Separating accounting from other financial operations
B. Maintaining insurance for fire and theft.
 4

C. Fixing responsibility for the performance of employee duties

D. Carefully selecting and training employees

15. Management must disclose material weaknesses in internal control

A. Whenever the weakness is deemed significant to a single class of
transactions.
B. Whenever the weakness is significant to overall financial reporting
objectives
C. Even if just one weakness is found
D. Only if the auditor identifies the weakness as significant

16. When auditing a nonpublic company, the auditor should obtain an

understanding of internal control sufficient
A. To provide reasonable protection against client fraud and defalcations by
client employees.
B. To assess control risk.
C. To provide a basis for constructive suggestions to the client for improving
the accounting system
D. To provide a method for safeguarding assets, checking the accuracy and
reliability of accounting data, promoting operational efficiency, and
encouraging adherence to prescribed managerial policies.

17. Which of the following audit tests would be regarded as a test of a control?
A. Tests of the specific items making up the balance in a given general ledger
account.
B. Tests of the inventory pricing to vendor’s invoices.
C. Tests of the signatures on canceled checks to management’s authorizations.
D. Tests of the additions to property, plant, and equipment by physical
inspections.

18. During which part of an audit examination is the preparation of flowcharts most
appropriate?
A. When performing preliminary analytical procedures.
B. When performing tests of controls.
C. When evaluating the system of administrative control.
D. When reviewing the system of internal control.
 5

19. The __________ consists of the actions, policies, and procedures that reflect the
overall attitudes of top management.
A. Control activities
B. Management philosophy.
C. Control environment
D. Monitoring function

20. An auditor’s primary emphasis is internal controls over

A. Material account balances
B. Classes of transactions
C. Account balances and classes of transactions
D. Immaterial and material account balances

21. The auditor’s study of a nonpublic client’s internal control is

A. Required by GAAP
B. Required by GAAS
C. Required by the IRS
D. Recommended by the AICPA.

22. Internal controls can never be regarded as completely effective. Even if

company personnel could design an ideal system, its effectiveness depends on
the
A. Adequacy of the computer system
B. Proper implementation by management
C. Ability of the internal audit staff to maintain it
D. Competency and dependability of the people using it.

23. Even with the most effectively designed internal control, the auditor must obtain
audit evidence, beyond testing the controls, for every
A. Transaction
B. Financial statement account
C. Material financial statement account
D. Financial statement account that will be relied upon by third parties

24. To express an opinion on internal controls, and auditor obtains an understanding

of and performs tests of controls related to all but which of the following?
 6

A. Account balances
B. Significant account balances
C. Classes of transactions
D. Disclosures and related assertions in the financial statements

25. The essence of an effectively controlled organization lies in the

A. Effectiveness of its independent auditor
B. Effectiveness of its internal auditor
C. Attitude of its employees
D. Attitude of its management.

26. To issue a report on internal control over financial reporting for a public
company, an auditor must
A. Evaluate management’s assessment process
B. Independently assess the design and operating effectiveness of internal
control
C. Evaluate management’s assessment process and independently assess the
design and operating effectiveness of internal control
D. Test controls over significant account balances

27. Which of the stock exchanges require listed companies to have an audit
committee composed entirely independent directors.
A. AMEX and NYSE
B. NASDAQ only
C. AMEX and NASDAQ
D. AMEX, NASDAQ, and NYSE

28. Which of the following factors may increase risks to an organization?

A. Geographic dispersion of company operations
B. Decreasing quality of personnel
C. Presence of new information technologies
D. All of the above

29. Which of the following statements is correct with respect to separation of

duties?
A. Employees should not have temporary and permanent custody of assets.
 7

B. If is desirable to prevent employees who authorize transactions from having

custody of related assets
C. It is permissible to allow an employee to open cash receipts and record those
receipts
D. None of the above is correct

30. Authorizations can be either general or specific. Which of the following is not
an example of a general authorization?
A. Automatic reorder points for raw materials inventory
B. A sales manager’s authorization for a sales return.
C. Credit limits for various classes of customers
D. A sales price list for merchandise

31. The most important type of protective measure for safeguarding assets and
records is
A. Adequate separation of duties among personnel
B. Proper authorization of transactions
C. The use of physical precautions
D. Adequate documentation

32. Which of the following statements is correct with respect to the design and use
of business documents?
A. Only documents used for internal purposes must be prenumbered
B. Documents should be designed for single purposes only to avoid confusion
in their use.
C. Documents should be designed to be understandable only to those
responsible for their use.
D. None of the above statements is correct.

33. The SEC prohibits US stock exchanges from listing securities if a company’s
audit committee is
A. Not comprised of solely independent directors
B. Inadequately funded
C. Not solely responsible for hiring and firing the company’s auditors
D. All of the above are correct.

34. All of the following are substantive tests except

 8

A. Tests of controls
B. Test of details of transactions
C. Tests of details of balances
D. Analytical procedures

35. Most audits of a company are done annually by the same CPA firm. Except for
initial engagements, the auditor begins the audit with a great deal of
information about the internal controls developed in prior years. Because
systems and controls usually do not change often
A. The auditor can skip the evaluation of this area on repeat engagements.
B. This information can be updated and carried forward to the current year’s
audit.
C. It eases the burden on the auditor’s requirement to do a complete study of the
controls this year.
D. It is sufficient for the auditor just to inquire of client whether the controls
have been changed since last year.

36. Narratives, flowcharts, and internal control questionnaires are three common
methods of
A. Testing the internal controls
B. Documenting the auditor’s understanding of internal controls.
C. Designing the audit manual and procedures
D. Documenting the auditor’s understanding of client’s organizational structure

37. Which of the following is not an element of a proper narrative of an accounting

system and related controls?
A. The origin of every document and record in the system should be stated
B. All processing that takes place should be described
C. The disposition of every document and record in the system should be stated
D. There should be an indication of all controls affecting the applicable process

38. Which of the following statements about the internal control questionnaire is not
correct?
A. A questionnaire can lead to a piecemeal view of a client’s control without
providing an overall view
B. The questionnaire can be prepared reasonably quickly
 9

C. A questionnaire is usually applicable to a wide variety of companies,

especially smaller ones
D. Each of the above statements is correct.

39. Specific assessments must be made to arrive at the preliminary assessment of

control risk. Which of the following is not one of these assessments?
A. Is the entity auditable?
B. What is the expectation that internal controls will neither prevent material
misstatements from occurring nor detect and correct them if they have
occurred?
C. Is management committed to internal control?
D. Each of the above is required assessment.
40. Which of the following is not one of the levels of an absence of internal
controls?
A. Internal control weakness
B. Material weakness
C. Significant deficiency
D. None of the above

41. Which of the following is the correct definition of “control deficiency”

A. A control deficiency exists if the design or operation of controls does not
permit company personnel to prevent or detect misstatements on a timely
basis
B. A control deficiency exists if one or more deficiencies exist that adversely
affect a company’s ability to prepare external financial statements reliably
C. A control deficiency exists if the design or operation of controls results in a
more than remote likelihood that controls will not prevent or detect
misstatements.
D. None of the above is a correct definition.

42. The purpose of an entity’s accounting information and communication system is

to ________ .
A. Initiate transactions
B. Record and process transactions
C. Monitor transactions
D. A and B only
 10

43. A procedure that would most likely be used by an auditor in performing tests of
control procedures that involve segregation of functions and that leave no
transaction trail is
A. Inspection
B. Observation
C. Reperformance
D. Reconciliation

44. Internal controls normally include procedures designed to provide reasonable

assurance that
A. Employees act with integrity when performing their assigned tasks.
B. Transactions are executed in accordance with management’s general or
specific authorization.
C. Decision processes leading to management’s authorization of transactions
are sound.
D. Collusive activities would be detected by segregation of employee duties.

45. Which of the following is not a common step used to identify internal control
deficiencies?
A. Decide whether there is a significant deficiency or material weakness
B. Identify existing controls
C. Identify the absence of key controls
D. Each of the above is a common step used to identify internal control
deficiencies.

46. Which of the following is not a component of an entity’s internal control?

A. Control risk
B. Control procedures
C. The accounting system
D. The control environment

47. Before making the final assessment of internal control at the end of an
integrated audit, the auditor must
A. Test controls
B. Perform substantive tests of details
C. A only
D. A and B
 11

48. Significant deficiencies and material weaknesses in internal control of a public

company must be reported to which of the following?
A. The Public Company Accounting Oversight Board
B. Members of management who are responsible for the related area of the
company
C. Audit committee of the company’s board of director
D. None of the above

49. Of the following statements about internal controls, which one is not valid?
A. No one person should be responsible for the custodial responsibility and the
recording responsibility for an asset.
B. Transactions must be properly authorized before such transactions are
processed.
C. Because of the cost benefit relationship, a client may apply control
procedures on a test basis.
D. Control procedures reasonably ensure that collusion among employees
cannot occur.

50. Which of the following best describes the inherent limitations that should be
recognized by an auditor when considering the potential effectiveness of
internal control?
A. Procedures whose effectiveness depends on segregation of duties can be
circumvented by collusion.
B. The competence and integrity of client personnel provides an environment
conducive to accounting control and provides assurance that effective control
will be achieved.
C. Procedures designed to assure the execution and recording of transactions in
accordance with proper authorizations are effective against irregularities
perpetrated by management
D. The benefits expected to be derived from effective internal accounting
control usually do not exceed the costs of such control.

51. Which of the following is not one of the subcomponents of the control
environment?
A. Management’s philosophy and operating style.
B. Organizational structure
 12

C. Adequate separation of duties

D. Commitment to competence

52. It is important for the CPA to consider the competence of the audit client’s
employees because their competence bears directly and importantly upon the
A. Cost/benefit relationship of the system of internal control
B. Achievement of the objectives of internal control
C. Comparison of recorded accountability with assets
D. Timing of the tests to be performed

53. Effective internal control in a small company that has an insufficient number of
employees to permit proper division of responsibilities can best be enhanced by
A. Employment of temporary personnel to aid in the separation of duties
B. Direct participation by the owner of the business in the record-keeping
activities of the business
C. Engaging a CPA to perform monthly “write-up” work
D. Delegation of full, clear-cut responsibility to each employee for the functions
assigned to each.

54. Evidential matter concerning proper segregation of duties ordinarily is best

obtained by
A. Direct personal observation of the employee who applies control procedures
B. Making inquiries of co-workers about the employee who applies control
procedures
C. Preparation of a flowchart of duties performed and available personnel
D. Inspection of third-party documents containing the initials of who applied
control procedures

55. Proper segregation of functional responsibilities calls for separation of the

functions of
A. Authorization, execution, and payment
B. Authorization, recording and custody
C. Custody, execution, and reporting
D. Authorization, payment and recording

56. When considering the objectivity of internal auditors, an independent auditor

should
 13

A. Evaluate the quality control program in effect for the internal auditors
B. Examine documentary evidence of the work performed by the internal
auditors
C. Test a sample of the transactions and balances that the internal auditors
examined
D. Determine the organizational level to which the internal auditors report

57. Internal controls are not designed to provide reasonable assurance that
A. All frauds will be eliminated
B. Transactions are executed in accordance with management’s authorization
C. Access to assets is permitted only in accordance with management’s
authorization
D. The recorded accountability for assets is compared with the existing assets at
reasonable intervals.

58. Which of the following statements regarding auditor documentation of the

client’s internal controls is correct?
A. Documentation must include flow charts
B. Documentation must include procedural write-ups
C. No documentation is necessary although it is desirable
D. No one particular form of documentation is necessary

59. Significant deficiencies are matters that come to an auditor’s attention, which
should be communicated to an entity’s audit committee because they represent
A. Material frauds perpetrated by high-level management
B. Internal control deficiencies that could adversely affect a company’s ability
to initiate, record, process, or report external financial statements reliably
C. Flagrant violations of the entity’s documented conflict-of-interest policies
D. Intentional attempts by client personnel to limit the scope of the auditor’s
field work.

60. Which of the following statements, if any, is correct?

A. The NASDAQ market requires listed companies to have audit committees
that have only independent directors.
B. The NASDAQ market requires listed companies to have audit committees
that have a minority of the positions held by independent directors.
 14

C. The NASDAQ market recommends, but does not require, listed companies
to have audit committees
D. The NASDAQ market recommends, but does not require, listed companies
to have audit committees that have a minority of the positions held by
independent directors.

61. Which of the following is not typically one of management’s concerns in

designing effective internal controls?
A. Reliability of financial reporting
B. Efficiency and effectiveness of operations
C. Compliance with applicable laws and regulations
D. Obtaining the best internal control possible

62. The Sarbanes-Oxley Act requires

A. All public companies to issue an internal control report
B. All public companies to define adequate internal controls
C. The auditor of public companies to design effective internal controls over
financial reporting
D. Provides for all three of the above

63. When considering internal control, an auditor should be aware of the concept of
reasonable assurance, which recognizes that the
A. Segregation of incompatible functions is necessary to ascertain that internal
control is effective
B. Employment of competent personnel provides assurance that the objectives
of internal control will be achieved
C. Establishment and maintenance of internal control is an important
responsibility of the management and not of the auditor
D. Costs of internal control should not exceed the benefits expected to be
derived from internal control.

64. To comply with the second standard of fieldwork, the auditor need not be
concerned with all five areas of internal control that apply to management. The
auditor’s primary concerns are with the internal control’s ability to
A. Ensure reliability of financial reporting for external purposes
 15

B. Provide reliable data and promote efficiency

C. Promote efficiency and encourage adherence to policy
D. Provide reliable data, safeguard assets, and comply with the Sarbanes-Oxley
Act of 2002.

65. The financial statements are not likely to correctly reflect generally accepted
accounting principles if
A. The controls affecting the reliability of financial reporting are inadequate
B. The company’s controls do not promote efficiency
C. The company’s controls do not promote effectiveness
D. All three of the above are true

66. The primary emphasis by auditors is on controls over

A. Classes of transactions
B. Account balances
C. Both A and B, because they are equally important
D. Both A and B, because they are vary from client to client.

67. The most important difference in a nonpublic company in assessing control risk
is the ability to assess control risk at ____________ for any or all control-
related objectives.
A. Low
B. Medium
C. High
D. None of the above

68. Having an audit committee composed of outside directors is a requirement of

A. All public and private companies
B. All private companies
C. All companies that are listed on the NYSE, AMEX, and NASDAQ.
D. All companies that are audited by members of the AICPA.

69. An auditor should consider two key issues when obtaining an understanding of
a client’s internal controls. These issues are
A. The effectiveness and efficiency of the controls
B. The frequency and effectiveness of the controls
C. The design and utilization of the controls
 16

D. None of the above

70. The independent auditor should acquire an understanding of the internal audit
function as it relates to the independent auditor’s study and evaluation of
internal accounting control because
A. The audit programs, working papers, and reports of internal auditors can
often be used as substitute for the work of the independent auditor’s staff.
B. The procedures performed by the internal audit staff may eliminate the
independent auditor’s need for an extensive study and evaluation of internal
control.
C. The work performed by internal auditors may be a factor in determining the
nature, timing, and extent of the independent auditor’s procedures.
D. The understanding of the internal audit function is an important substantive
test to be performed by the independent auditor.

71. Taylor Sales Corp. maintains a large full-time internal audit staff that reports
directly to the chief accountant. Audit reports prepared by the internal auditors
indicate that the system is functioning as it should and that the accounting
records are reliable. The independent auditor will probably
A. Eliminate tests of controls
B. Increase the depth of the study and evaluation of administrative controls
C. Avoid duplicating the work performed by the internal audit staff
D. Place limited reliance on the work performed by the internal audit staff.

72. When planning an audit, the auditor’s assessed level of control risk is
A. Determined by using actuarial tables
B. Calculated by using the audit risk model
C. An economic issue, trading off the costs of testing controls against the cost
of testing balances
D. Calculated by using the formulas provided in the AICPA’s auditing
standards

73. When a compensating control exists, the absence of a key control

A. Is no longer a concern because there is no longer a significant deficiency or
material weakness
B. Is a slight concern to the auditor
 17

C. Could cause a material loss, so it must be tested using substantive procedures

D. Is magnified and must be removed from the sampling process and examined
in its entirety.

74. An internal control narrative indicates that an approved voucher is required to

support every check request for payment of merchandise. Which of the
following procedures provides the greatest assurance that this control is
operating effectively?
A. Select and examine canceled checks and ascertain that the related vouchers
are dated no later than the checks
B. Select and examine vouchers and ascertain that the related canceled checks
are dated no earlier than the vouchers.
C. Select and examined canceled checks and ascertain than the related
vouchers are dated no earlier than the checks
D. Select and examine vouchers and ascertain that the related canceled checks
are dated no later than the vouchers.
75. When obtaining an understanding of an entity’s control environment, an auditor
should concentrate on the substance of management’s policies and procedures
rather than their form because
A. Management may establish appropriate policies and procedures but not act
on them.
B. The board of directors may not be aware of management’s attitude toward
the control environment
C. The auditor may believe that the policies and procedures are inappropriate
for that particular entity.
D. The policies and procedures may be so weak that no reliance is contemplated
by the auditor.

ESSAY QUESTIONS

76. With which aspect of internal control are auditors primarily concerned?
ANSWER:
The aspect of internal control that auditors are primarily concerned with is the
reliability of financial reporting.
 18

77. An effective accounting information and communication system must satisfy six
transaction-related objectives. One of these objectives is that transactions are
recorded on the correct dates (timing). Identify the five remaining objectives.
ANSWER:
The five remaining objectives are:
 Recorded transactions exist (existence)
 Existing transactions are recorded (completeness)
 Recorded transactions are stated at the correct amounts (accuracy).
 Transactions are properly classified (classification.)
 Recorded transactions are properly included in the master files and
correctly summarized (posting and summarization).

78. There are four steps in the auditor’s process of understanding internal control
and assessing control risk for a public company. Step one is obtain and
document an understanding of internal control: design and operation. What are
the remaining three steps?

ANSWER:
The remaining three steps are:
 Assess control risk
 Design, perform and evaluate tests of controls
 Decide planned detection risk and substantive tests.

79. Management’s identification and analysis of risk is an ongoing process and is a

critical component of effective internal control. An important first step is for
management to identify factors that may increase risk. Identify at least five
factors, observable by management, that may lead to increased risk in a typical
business organization.
ANSWER:
There are many factors that may lead to increase risk in an organization. Some
examples include:
 Failure to meet prior objectives
 Decreasing quality of personnel
 Increasing geographic dispersion of company operations
 Increasing significance and complexity of core business processes
 Introduction of new information technologies.
 19

 Entrance of new competitors.

80. During a financial statement audit of a non-public company, three steps must be
completed by the auditor before he/she can conclude that control risk is low.
Discuss these three steps.
ANSWER:
The three steps that must be completed by the auditor before he/she can
conclude that control risk is low are:
1. Obtain and understanding of the control environment, risk assessment
procedures accounting information and communication system, and
monitoring methods at a fairly detailed level.
2. Identify specific controls that will reduce control risk and made an
assessment of control risk; and
3. Test the controls for effectiveness

81. In addition to understanding the design of internal control, the auditor must also
evaluate whether the designed controls are actually placed in operation. List
four common methods auditors use to fulfill this requirement during the audit
of a public company.
ANSWER:
There are five common procedures listed below. Students were asked to list four
common methods:
 Update and evaluate auditors’ previous experience with the entity
 Make inquiries of client personnel
 Examine documents and records
 Observe entity activities and operations
 Perform walkthroughs of the accounting system
 Read client’s policy and systems manual

82. A proper narrative of an accounting system and related controls should possess
several key characteristics. What are three such characteristics?
ANSWER:
The characteristics are:
 The origin of every document and record in the system
 All processing that takes place.
 20

 The disposition of every document and record in the system

 An indication of the controls relevant to the assessment of control risk.

83. Describe three inherent limitations of internal control.

ANSWER:
The effectiveness of internal controls depends on the competency and
dependability of the people using it. Inherent limitations of internal control
include.
 Employee carelessness
 Lack of understanding
 Management override, and
 Collusion

84. The internal control framework developed by COSO includes five so-called
“components” of internal control. Discuss each of these five components.

ANSWER:
Five components of internal control are:
 The control environment. The control environment consists of the actions,
policies, and procedures that reflect the overall attitudes of top management,
directors and owners, about internal control and its importance to the
company.
 Risk assessment. This is management’s identification and analysis of risks
relevant to the preparation of financial statements in accordance with GAAP.
 Information and communication. This is the set of manual and/or
computerized procedures that identifies, assembles, classifies, analyzes
records, and reports a company’s transactions and maintains accountability
for the related assets.
 Control activities. These are the policies and procedures that help ensure
necessary actions are taken to address risks in the achievement of the
company’s objectives.
 Monitoring. This is management’s ongoing and periodic assessment of the
quality of internal control performance to determine that controls are
operating as intended and modified when needed.
 21

85. Discuss what is meant by the term “control environment” and identify four
control environment subcomponents that the auditor should consider.
ANSWER:
The control environment consists of the actions, policies, and procedures that
reflect the overall attitudes of top management, directors, and owners of an
entity about control and its importance to the entity. Subcomponents include:
 Integrity and ethical values
 Commitment to competence
 Board of directors or audit committee participation
 Management’s philosophy and operating style
 Organizational structure
 Assignment of authority and responsibility
 Human resource policies and practices

86. Control activities, one of the five components of internal control, are defined as
“the policies and procedures, in addition to those included in the other four
components, that help ensure necessary actions are taken to address risks in the
achievement of the entity’s objective.” There are five categories of control
activities. Please describe the five categories of control activities:
ANSWER:
The five categories of control activities are:
 Adequate separation of duties
a) Custody of assets should be separated from accounting
b) Authorizing transactions should be separated from custody of related
assets
c) Operational responsibility should be separated from record-keeping
d) Duties within IT should be separated from user departments.
 Proper authorization of transactions and activities:
a) General authorization is given for transactions meeting established
criteria.
b) Specific authorization is required for individual transactions that don’t
confirm to the criteria.
 Adequate document and records
a) Documents should be prenumbered and simple to understand and use
b) A chart of accounts should be available
c) Systems manuals should be available
 22

 Physical control over assets and records. These should include fireproof
safes and limited access storerooms.
 Independent checks on performance by internal verification should be used.

87. Adequate documents and records are important for effective internal control.
There are five principles that dictate the proper design and use of documents
and records. One principle is that documents and records should be
prenumbered consecutively to facilitate control over missing documents, and as
an aid in locating documents when they are needed at a later date. Please
discuss each of the other four principles of adequate documents and records.
ANSWER:
Documents and records should be:
 Prepared at the time a transaction takes place, or as soon thereafter as
possible.
 Sufficiently simple to ensure that they are clearly understood
 Designed for multiple use whenever possible, to minimize the number of
different forms.
 Constructed in a manner that encourages correct preparation, such as
providing a degree of internal check within the form or record.

88. Describe each of the three broad objectives management typically has for
internal control.
ANSWER:
The three objectives are:
 Reliability of financial reporting. Management has both a legal and
professional responsibility to be sure that the information is fairly presented
in according with reporting requirements such as GAAP.
 Efficiency and effectiveness of operations. Controls within an organization
are meant to encourage efficient and effective use of its resources to
optimize the company’s goals.
 Compliance with laws and regulations. Public and non-public organizations
are required to follow many laws and regulations. “Some relate to
accounting only indirectly, such as environmental protection and civil rights
laws. Others are closely related to accounting, such as income tax regulations
and fraud.
 23

89. Auditors of financial statements issued by a public company are required to

report on internal control over financial reporting. Briefly describe the auditor’s
responsibility.
ANSWER:
The report on internal control over financial reporting must include the auditor’s
opinion as to whether management’s assessment of the design and operating
effectiveness of internal control over financial reporting is fairly stated in all
material respects. This involves an evaluation of management’s assessment
process to determine whether internal controls are effective and the auditor’s
independent assessment of the internal control’s design and operating
effectiveness.

90. What two specific assessments must be made to arrive at the preliminary
assessment of control risk during the audit of a public company?
ANSWER:
The two specific assessments are:
 Assessment of whether the entity is auditable
 Determine assessed control risk supported by the understanding obtained
assuming the controls are being followed

91. Adequate separation of duties is an important control activity. Please discuss

the four general guidelines for separation of duties to prevent both international
and unintentional misstatements that are of significance to auditors.
ANSWER:
The general guidelines are:
 Custody of assets should be separated from accounting
 Authorizing transactions should be separated from custody of related assets
 Operational responsibility should be separated from record-keeping
 Duties within IT should be separated from user departments

OTHER OBJECTIVE ANSWER FORMAT QUESTIONS

92. Match seven of the terms (A-I) with the definitions provided below (1-7):
A. Control environment
B. Control activities
 24

C. Independent checks on performance

D. Internal control
E. Monitoring
F. Separation of duties
G. General authorization
H. Specific Authorization
I. Risk assessment

E _______ 1. Management’s ongoing and periodic assessment of the quality of

internal control performance to determine that controls are operating
as intended and modified when needed.
G _______ 2. Company-wide policies for the approval of all transactions within
stated limits.
A _______ 3. The actions, policies, and procedures that reflect the overall attitudes
of top management, directors, and owners of an entity about internal
control and its importance to the entity.
F _______ 4. Segregation of the following activities in an organization: custody of
assets, accounting authorization, and operational responsibility.
I _______ 5. Management’s identification and analysis of risks relevant to the
preparation of financial statements in accordance with generally
accepted accounting principles.
B _______ 6. Policies and procedures that help ensure necessary actions are taken
to address risks in the achievement of the entity’s objectives.
D _______ 7. A process designed to provide reasonable assurance regarding the
achievement of management’s objectives in the following categories:
(1) reliability of financial reporting, (2) effectiveness and efficiency
of operations; and (3) compliance with applicable laws and
regulations.
93. If, when obtaining an understanding of control activities of a relatively small
client, the auditor identified no control activities, the auditor would probably
set a low assessment of control risk.
A. True
B. False

94. When internal controls are not effective, then substantive audit tests are less
reliable; thus, the extent of substantive tests should be reduced.
A. True
B. False
 25

95. In an audit of a non-public company, the less control risk there is, the smaller
the amount of planned substantive evidence required.
A. True
B. False

96. As a client’s information system becomes more complex, it is likely that an

auditor will decrease reliance on controls and increase substantive tests to
support a control risk assessment.
A. True
B. False

97. When a company designs and implements internal controls, cost of the controls
is not a valid consideration.
A. True
B. False

98. PCAOB Standard 2 requires auditors to perform walkthroughs to assist in

understanding internal control.
A. True
B. False

99. Adequate documents and records is a subcomponent of the control environment.

A. True
B. False

100. For proper internal control, there should be adequate separation of duties.
However, the extent of separation of duties considered “adequate” depends
heavily on the size of the organization.
A. True
B. False

101. In an audit of a non-public company, the auditor’s assessment of control risk

and the extent of tests of controls are inversely related; that is, if the auditor’s
assessment of control risk decreases, more extensive tests of controls are
applied.
A. True
B. False
 26

102. Smaller companies usually have more extensive internal controls than larger
companies which result in fewer frauds being committed at small companies.
A. True
B. False

103. The Sarbanes-Oxley Act of 2002 requires that private and public companies
issue an internal control report.
A. True
B. False

104. The most important component of internal control is risk assessment

A. True
B. False

105. The primary emphasis by auditors when evaluating and testing internal control
is on controls over account balances rather than controls over classes of
transactions.
A. True
B. False

106. When internal controls over a given financial statement account are assessed by
the auditor as highly effective, the auditor need not obtain audit evidence for
that account beyond testing the controls.
A. True
B. False

107. The chart of accounts is a control and is closely related to the controls related
to adequate documents and records.
A. True
B. False

108. For proper internal control, the custodianship of cash, including receipts and
disbursements, should be the responsibility of the accounting department.
A. True
B. False
 27

109. Auditing standards prohibit reliance on the work of internal auditors due to the
lack of independence of the internal auditors.
A. True
B. False

110. Procedures used to obtain an understanding of internal control are normally

performed on fewer transactions than procedures used to test controls.
A. True
B. False

111. For most uses, flowcharts are superior to narratives as a method of

communicating the characteristics of internal control.
A. True
B. False

112. When documenting their understanding of a client’s internal controls, auditors

are required to use narratives.
A. True
B. False

113. The two primary determinants of an entity’s auditability are the integrity of
management and the competency of personnel.
A. True
B. False