Auditing The Art and Science of Assurance Engagements Canadian Twelfth Edition Canadian 12th Edition Arens Test Bank

Auditing The Art and Science of
Assurance Engagements Canadian

Twelfth Edition Canadian 12th Edition
Arens Test Bank
Visit to download the full and correct content document: https://testbankdeal.com/dow
nload/auditing-the-art-and-science-of-assurance-engagements-canadian-twelfth-editi
on-canadian-12th-edition-arens-test-bank/
Auditing, 12e (Arens)
Chapter 9 Internal Controls and Control Risk
9.1 State the three primary objectives of effective internal control
1) A system of internal control consists of policies and procedures designed to provide

management with
A) reasonable assurance that the company achieves its objectives.
B) assurance that fraud will be prevented.
C) reasonable assurance that fraud will be detected.
D) assurance that the firm's resources will be used in the optimal way.
Answer: A
Diff: 1 Type: MC Page Ref: 254
Learning Obj.: 9-1 State the three primary objectives of effective internal control
2) Management's objectives with respect to internal control include

A) having reasonable assurance that the financial statements are in accordance with IFRS or
ASPE.
B) ensuring that all policies and procedures are clearly documented to reduce employee training
costs.
C) preventing fraud and illegal activities at all costs.
D) providing reasonable assurance that the goals and objectives important to the entity have been
met.
Answer: D
3) Management safeguards assets by

A) having the internal auditors conduct periodic counts of physical assets.
B) controlling access and by comparison of physical items to records.
C) requiring the external auditors to do surprise audits.
D) having management sign a management representation letter.
Answer: B
4) Carrie is the manager of the Bay Street Pharmacy. Carrie is considering implementing a
security tag system to reduce the losses related to stolen goods at their store. The system Carrie is
looking at currently costs $60,000 and is expected to be effective for 5 years. In order to justify
the implementation of the security tag system, average theft per year should be at least
A) $1,000.
B) $12,000.
C) $60,000.
D) theft should be prevented at all costs.
Answer: B
1
© 2013 Pearson Canada Inc.
5) Which one of the following controls would be of concern to management, but not to the
auditor? Controls over the
A) collection of accounts receivable amounts.
B) entry of payroll wage rates into the computer systems.
C) distribution of promotional information to present and potential clients.
D) cost of inventory items as recorded in the perpetual inventory system.
Answer: C
6) To comply with the second examination standard, the auditor need not be concerned with all
areas of internal control that apply to management. The auditor's primary concerns are with the
system's ability to
A) maintain reliable control systems pertaining to financial transactions.
B) promote efficiency and encourage adherence to policy.
C) prevent and detect financial statement fraud and error.
D) provide reliable data and safeguard assets.
Answer: A
7) The accuracy of the results of the accounting system (account balances) is heavily dependent
upon the
A) knowledge and skills of the auditor.
B) adequacy of the entity level controls.
C) accuracy of the inputs and processing (transactions).
D) training provided to the personnel.
Answer: C
8) The auditor may identify some risks that cannot be effectively tested by substantive tests
alone, for example, when there are paperless transactions (perhaps using EDI - electronic data
interchange). Then the auditor is required, to address those risks, to
A) assess the design effectiveness of relevant controls, and test them
B) obtain an understanding of the controls and test them if reliance is intended
C) obtain an understanding of the controls and assess their design effectiveness
D) test the controls that address the paperless aspects of the transactions
Answer: B
2
9) Internal controls can never be regarded as completely effective. Even if systems personnel
could design an ideal system, its effectiveness depends on the
A) adequacy of the computer system.
B) proper implementation by management.
C) ability of the internal audit staff to maintain it.
D) competency and dependability of the people using it.
Answer: D
10) It is important for the public accountant to consider the competence of the audit clients'
employees because their competence bears directly and importantly upon the
A) cost/benefit relationship of internal controls.
B) achievement of the objectives of the system of internal control.
C) comparison of recorded accountability with assets.
D) timing of the tests to be performed.
Answer: B
11) Which of the following best describes the inherent limitations that should be recognized by
an auditor when considering the potential effectiveness of an accounting system?
A) Procedures whose effectiveness depends on segregation of duties can be circumvented by
collusion.
B) The competence and integrity of client personnel provides an environment conducive to
accounting control and provides assurance that effective control will be achieved.
C) Procedures designed to assure the execution and recording of transactions in accordance with
proper authorizations are effective against irregularities perpetrated by management.
D) The benefits expected to be derived from effective accounting system usually do not exceed
the costs of such control.
Answer: A
12) An act of two or more employees to work together to misstate records is called
A) malfeasance.
B) collusion.
C) defalcation.
D) felony.
Answer: B
3
13) Three conditions for fraud are referred to as the "fraud triangle." One of the sides of this
triangle is incentives or pressures. The other two sides are
A) opportunities, a desire to meet debt repayment obligations.
B) opportunities, attitudes or rationalizations.
C) attitudes or rationalizations, the need to maintain stock prices.
D) the need to maintain stock prices and meet debt repayment obligations.
Answer: B
14) Fraud risk factors are examples of factors that increase the risk of fraud. Which of the
following is an example of a management "incentives or pressures" risk factor?
A) Customer demand for a new product line was significantly less than expected.
B) Management and the auditors disagree upon how to value a large contract in progress.
C) There is only one board member who understands financial statements, and she has suffered a
heart attack.
D) There has been significant turnover in the accounting department in the last year.
Answer: A
15) Fraud risk factors are examples of factors that increase the risk of fraud. Which of the
following is an example of a management "opportunities" risk factor?
A) The company has lost a major account and income is falling.
B) Two major competitors have gone bankrupt as margins decline in the industry.
C) The chief executive officer owns forty percent of the outstanding share capital.
D) New accounting standards provide three different methods for valuing financial instruments.
Answer: D
16) Which of the following is a factor that relates to "incentives or pressures" to commit
fraudulent financial reporting?
A) Significant accounting estimates involving subjective judgments
B) Excessive pressure for management to meet debt covenant requirements
C) Management's practice of making overly achievable forecasts
D) High turnover of accounting, internal audit and information technology staff
Answer: B
4
17) Which of the following is a factor that relates to "attitudes or rationalization" to commit
fraudulent financial reporting?
A) Significant accounting estimates involving subjective judgments
B) Excessive pressure for management to meet debt repayment requirements
C) Management's practice of making overly aggressive forecasts
D) High turnover of accounting, internal audit and information technology staff
Answer: C
18) A) Describe the three broad objectives of management when designing an effective system
of internal control.
B) Describe the aspect of internal control with which auditors are primarily concerned with for a
financial statement audit.
Answer:
A) Management typically has the following three broad objectives when designing an internal
control system:
∙ Reliability of financial reporting
∙ Efficiency and effectiveness of operations
∙ Compliance with laws and regulations
B) The aspect of internal control that auditors are primarily concerned with is prevention or
detection of material misstatements in the financial systems, during a financial statement audit.
Diff: 2 Type: ES Page Ref: A: 254-255, B: 256
19) A) Describe the three basic concepts (assumptions) underlying the study of internal control
and assessment of control risk.
B) Describe the inherent limitations of internal control.
Answer:
A) The three basic concepts which underlie the study of internal control and control risk are:
∙ It is management's responsibility to establish and maintain internal controls.
∙ Reasonable but not absolute assurance should be provided because an ideal system cannot be
justified on a cost/benefit basis.
∙ Even the ideal internal control system has inherent limitations because of employee
carelessness, lack of understanding, or management override.
B) The effectiveness of internal controls depends on the competency and dependability of the
people using it. Inherent limitations of internal control include:
∙ Employee carelessness
∙ Lack of understanding or confusion by employees
∙ Management override
- Little or no monitoring for ineffectiveness and change
∙ Collusion
Diff: 2 Type: ES Page Ref: 258
5
20) Joan is the owner of a small manufacturing company. In prior years, your firm has conducted
a review engagement of the company. However, this year, Joan obtained a loan from the federal
business development bank, and is required to have an audit of her financial statements. When
you started asking about controls and procedures at the company, Joan got pretty upset.
"All you need to be concerned about is the numbers! Why are you asking all of these questions?
It takes too much time away from my staff to answer these questions! Just check the numbers
and let us get on with our work!"
You calmed her down a bit, and reminded her about the general discussion that occurred with the
engagement letter. You invited her for coffee to briefly explain the following items:
1. Why auditors are concerned about internal controls
2. Why auditors are required to be concerned about internal controls
3. What you need to do to understand internal controls
4. What you will do once you have documented your understanding of internal controls
Required:
Explain what you would say to Joan.
Answer:
1. Auditors are concerned about internal controls because management uses internal controls to
help ensure that business operations run in accordance with the goals and objectives of the
company. The internal controls are also used to reduce the risk of fraud and illegal acts, and to
help prevent and detect errors in the financial statements.
2. Auditors have rules, called generally accepted auditing standards (GAAS) that require them to
understand and document internal controls so that they can plan the audit. It helps auditors to
know that internal controls are in place to help prevent and detect errors, fraud and illegal acts.
3. Interviews, walkthroughs and documentation examination will be used to document internal
controls so that they can be evaluated for each major transaction cycle and audit objective (such
as completeness and accuracy). This is done for control environment, general controls and
procedures, accounting systems and control procedures.
4. Once the internal controls have been documented, I will decide whether it is cheaper to test
internal controls or to simply do tests of details ("looking at the numbers"). Overall, enough
evidence needs to be gathered to provide a high level of assurance on the financial statements.
Diff: 3 Type: ES Page Ref: 255-256, 294-296
Learning Obj.: 9-1 State the three primary objectives of effective internal control; 9-4 Describe
what the auditor does to obtain an understanding of internal controls
6
21) You, PA, have been assigned as in charge auditor of a long-time audit client of your firm,
Mikla Tool Inc. (MTI). MTI is owned by George Mikla, an experienced machinist. George
established the business over 20 years ago, and it has grown into a $10 million a year business,
with an excellent reputation for high quality machined parts. MTI has regular clients in the
automobile parts sector and in the health care sector. The company has recently begun producing
parts for environmentally friendly products, such as recycling containers. This is due to the
business' versatility in dealing with a variety of metals as well as plastics using both manually
controlled and machine controlled (computerized) equipment. The following description is based
upon your review of prior files, and planning discussions with personnel at MTI.
Equipment suppliers have helped MTI develop efficient operations, by providing sample
programs for standard operations and by providing training to employees. One of the suppliers
unfortunately sent sample programs that had been infected by a virus. George's daughter,
Tiffany, had to cleanse the servers and each of the machines using her copy of the anti-virus
software. When contacted, the supplier did not know that the software was infected, and
apologized profusely!
The company's four CAD/CAM terminals and printers are connected to the company's central
local area network. The local area network is maintained by Toni Lee, the owner of a computer
shop conveniently located three blocks away. All computer equipment, software and supplies are
now purchased from Mr. Lee, who is responsible for attaching and maintaining equipment,
upgrading software, and maintaining user profiles on the network. To reduce the amount of Mr.
Lee's work as network administrator, he has set up passwords by function.
There is one user identification code (userid) and password for accounting (shared by Tiffany,
George and the accounting clerk, Isabel). The plant supervisors share another userid that is used
for production control and to initiate the timekeeping system every morning. A separate userid
and password allowing for only enquiry into the job costing system has also been set up, and can
be used by all employees.
A standard routine has been set up to back up the accounting systems. Either Tiffany or the
accounting clerk inserts one of seven tape cartridges into the system at the end of the day (they
are labelled with the day of the week), so that the company has a full set of accounting
backups for the week. Tiffany keeps these in her office. These are particularly important, since
during the last office move, two years ago, the original software for the accounting system was
misplaced.
The network has two central servers, eleven user stations, and five printers. The user stations are
set up as follows: four CAD/CAM, two time keeping, two production planning and control, two
accounting and one for George.
A good working relationship is extremely important for satisfying some of the company's larger
customers. MTI has paid for computer equipment for each of the supervisors, so that they have
fully functioning computers at home. If a rush job requires weekend work, then these senior
personnel can work at home to get the necessary quoting or design work completed. Since the 'at
home' systems are identical to the office systems Mr. Lee simply copied across the MTI systems
to the home computers. Files can be easily taken home and then brought back to the office using
7
thumb drives. It is understood that when times are slower, a day off can be taken to compensate
for this weekend work.
It is almost ten years ago that Tiffany arranged for the implementation of the network, and the
purchase of the standard integrated accounting packages (general ledger, order entry/accounts
receivable, purchases/payable and payroll), and for the purchase of the job costing and time
keeping systems. A variety of reports are printed daily, weekly, or monthly from the job costing
system which are used for monitoring employee hours, the status of the jobs, the costs
accumulated for particular jobs, and the work in progress inventory.
The weekly report of hours from the job costing system is approved by the production
supervisors, and is used as an input source for hours worked into the payroll system. The
accounting clerk enters the hours into the accounting system, so that weekly payroll cheques and
reports can be produced. The accounting clerk handles most data entry.
Tiffany is really pleased with their accounting clerk, Isabel, who has been with the company for
three years. She insists that fate had a hand in getting Isabel working for MTI. Isabel had been
'pounding the pavement,' having recently immigrated, and had no Canadian business experience.
Her accounting skills were rudimentary, but she quickly learned the accounting software, and has
reorganized the filing systems. Tiffany considers her as indispensable. When Isabel goes on
holiday, many things just don't get done! Tiffany can do the payroll in a pinch, but accounts
payable and cash disbursements are always done by Isabel. If she's away, suppliers are simply
told to wait, or Tiffany issues a manual cheque for recording later. Isabel is very good at clearing
queries from suppliers, and ensuring that new suppliers are set up properly. The purchasing
supervisor and his staff rely on Isabel, for she checks the account allocation of purchases and
makes any necessary corrections.
Tiffany or George are signing officers, although Tiffany realizes that she checks supporting
materials more thoroughly than George, who usually just queries Isabel verbally about larger
purchases.
In the past, MTI's audit has been entirely substantive. However, your partner has decided that
with MTI's growth, it is time for the company to consider adding additional internal controls.
Accordingly, he has asked you to draft a management letter, to be addressed to George and
Tiffany.
Required:
A) Prepare a draft management letter, clearly identifying the weaknesses (W), impact or
implications of the weaknesses (I), and recommendations for improvement (R).
[The following is a theory question that does not require examples from the case, although
examples could be used.]
B) Explain how the control environment and general IT (information technology) controls are
related. Describe the impact of the control environment and of general IT controls upon different
types of application controls and upon the audit process.
8
Answer:
A) Note that W = weakness, I = implication, R = recommendation
1. Virus detection/prevention
W -Although MTI has software that can detect viruses, it seems that the software is not
sufficient to prevent infection of the entire system
-Antivirus software does not seem to be installed on every computer/server
I -Damaging viruses could erase or damage data or programs that could infect machines
without virus protection, and thus could infect the rest of the network
-Viruses that seek to gather data (such as banking passwords) could be accessed by
hackers
R -current memory resident anti-virus software should be loaded onto every machine
(including the home machines) with daily updates
-programs should be automatically scanned before being downloaded
2. Network maintenance/support
W -The network is maintained and configured by an outside vendor (a single person, Mr.
Lee), whose work does not appear to be checked or managed by company personnel
I -In the event of Mr. Lee's unavailability, it may be difficult to maintain or support the
network
-Mr. Lee may not be doing maintenance that is in alignment with the company's
business objectives or that provide the most effective control systems
R -Mr. Lee should be requested to properly document the nature of his work, and have a
copy of this documentation held by MTI
-Tiffany (and possible George) should periodically reassess what Mr. Lee is doing for
the company and whether changes should be made
3.and 4. Passwords/access controls
W -Common passwords are used by multiple individuals, based on function
I -Unauthorized actions or errors could be entered into the network, and could not be traced
to specific individuals
-it is easier to 'overhear' or 'uncover' common passwords, so the password could be used
by unauthorized individuals
R -unique user identification codes and passwords should be established for every user
of the system
-user identification codes and passwords should be tailored to the specific functions
required by individual users to complete their work
-new users should be approved in writing (with the appropriate functional allocation)
and the set up of the users verified by someone other than Mr. Lee
-privacy violations could occur (unauthorized access to private data)
W -passwords are maintained by an external party (Mr. Lee), and may not be changed or
removed on a timely basis
I -In the event that an employee leaves or is terminated, his/her access codes may still be
valid, allowing that employee continued access to the system
R -someone at MTI should be trained in the process of removing passwords, so that if an
employee leaves, MTI personnel can remove that person's access codes (This should
likely be Tiffany)
9
5.and 6. Backup/Disaster Recovery
W -all copies of the backups are kept at MTI premises
I -in the event of physical problems (such as fire or theft) all backup could be damaged
or removed, making it difficult or impossible for the company to resume operations
R -an additional copy of the backups should be taken periodically (as a minimum
weekly) and taken offsite, or the regular daily tapes should be cycled so that at least two
are kept offsite
W -it appears that only the accounting systems are backed up
-original licenced software for the accounting systems cannot be found
I -as indicated above, in the event of physical problems (or even a hard disk crash), the
company may be unable to resume operations of its non-accounting systems
R -all systems, not just accounting systems should be backed up on a daily basis, and at
least two copies kept off site in a secure location
-the company should contact the accounting software supplier and determine whether
replacement software CDs can be obtained at reasonable cost
7. Copyright Violation
W -Mr. Lee copied MRI's software onto several home computers for employee use
I -this copying may have violated software licence agreements, exposing the company
to potential copyright violation charges
R -additional software licences should be acquired, where necessary, for home machines
8. and 9. Potential Payroll errors
W -payroll hours are recorded twice: once into the timekeeping/job cost system, and again by
means of data entry into the payroll software package
I -data entry errors could arise due to the information being entered twice
-excess labour costs are incurred (i.e. the work to enter the hours)
R -the job costing system should be examined to determine whether data files can be created
in a form that can be automatically read into the payroll system to reduce data entry costs
-hours entered into the payroll system should be reconciled to hours worked according
to the job costing system to help eliminate potential data entry errors
W -no independent verification/reconciliation of payroll hours entered to hours worked
I -the payroll clerk could enter inaccurate payroll data (accidentally or deliberately)
R -after hours are entered into the payroll system, they should be independently
checked (likely by Tiffany) to the approved list signed by the supervisors
10. Segregation of duties
W -the accounting clerk handles data entry, supplier master file set up, account allocations for
purchasing, and cheque preparation
I -unauthorized or inaccurate transactions could be recorded in the accounts payable system
R -Master file should be handled by Tiffany OR
-periodic printouts of the master files should be independently printed and reviewed
11. Accounts payable payments
W - supporting documents for payments are not always carefully reviewed when
cheques are signed
I -unauthorized suppliers could be set up or money stole by the accounting clerk
R -supporting documents should be carefully reviewed (including account allocations)
by someone independent of the preparer (i.e. Tiffany should likely do this)
10
12. IT Governance (could also be discussed as an IT dependency issue)
W - IT governance controls over IT hardware and software acquisitions are weak given
all computer equipment, software and supplies are purchased by Mr. Lee who may not
follow SDLC controls such as vetting user requirements or finding the most cost
beneficial solution
I - IT hardware or software procured may be suboptimal in terms of cost or meeting user
Requirements
R - any IT hardware or software purchases should be governed by SDLC controls
including gaining an understanding of user requirements, costing comparisons, user
acceptance
testing and training of employees
13. Control Environment
W - Isabel has very basic accounting skills and may not be competent in ensuring that
transactions are properly accounted for and there is little oversight of her work
I - Increased risk of material misstatement if Isabel's lack of accounting knowledge causes
her to book entries incorrectly
R -Ensure all of Isabel's work is reviewed in depth by a Tiffany or have it reviewed by
someone with an accounting designation periodically.
-have Isabel take accounting courses
B) General IT controls (ITGC - IT general controls) are a subset of the control environment, so
ITGC enable effective control environment over the organizations use of IT
Strong controls:
-the control environment affects ITGC controls, so a strong control environment enables strong
ITGC
-a strong control environment and strong ITGC (specifically good SDLC controls or good
acquisition and maintenance controls) means that the auditor will likely be able to rely upon
automated (programmed) application controls
-this would also enable reliance upon the automated portion of interdependent application
controls
-if the auditor plans reliance upon automated application controls (programs), then they should
be tested
-being able to rely upon specific programs (automated application controls) would allow the
auditor to reduce control risk (CR) for the assertions that those programs are associated with (e.g.
accuracy of a calculation)
-a strong control environment and strong ITGC over access controls means that the auditor will
be able to rely upon IT to enforce segregation of duties
Weak controls:
- If the control environment is weak, this would mean that the ITGCs are also weak
- If ITGCs are weak, then likely all application controls would also be weak and generally cannot
be relied upon for the auditor's work (the exception would be automated controls in a software
package, where the client is unable to change programs)
- If ITGCs are weak, then potentially SDLC controls cannot be relied upon and therefore changes
to applications may not have been fully tested and could increase the risk of material
misstatement due to potential programming errors
- If ITGCs over SDLC are poor, then application controls may not be reliable and auditor will
need to look for compensating manual controls to test or perform substantive testing
11
- If the control environment and ITGCs are weak, then all application controls cannot be relied
upon, and control risk will be assessed as high
- If all application controls cannot be relied upon, then more substantive approach and detailed
tests of balances or testing are required in order to gain assurance
- If the control environment and manual entity level controls are sound, if automated application
controls cannot be relied upon, may still be able to rely upon manual application controls that are
not directly related to the company's information system.
- The cost of the audit will probably increase as testing of manual controls and substantive
testing will take more time than if the auditor could rely on application controls.
- Qualification or scope limitation could arise if controls cannot be tested and alternative audit
procedures are no t available
Diff: 3 Type: ES Page Ref: uses material from the entire chapter
Learning Obj.: 9-1 State the three primary objectives of effective internal control; 9-2 Explain
the five components of the COSO internal control framework and relate these to the audit
process; 9-3 Define information technology governance. Describe the attributes of good IT
governance; 9-4 Describe what the auditor does to obtain an understanding of internal controls;
9-5 Identify important risks and controls in small businesses
9.2 Explain the five components of the COSO internal control framework and relate these to the
audit process
1) The essence of an effectively controlled organization lies in the

A) effectiveness of its auditor.
B) effectiveness of its internal auditor.
C) attitude of its employees.
D) attitude of its management.
Answer: D
Learning Obj.: 9-2 Explain the five components of the COSO internal control framework and
relate these to the audit process
2) The control environment consists of actions, policies and procedures that

A) reflect the overall attitudes of top management, the directors and the owners of an entity
about control and its importance.
B) govern access to particular applications, such as how employees use passwords to change
master file payroll rates.
C) are recorded on the web site, for example, access policies to data.
D) help implement the ethical attitudes at the organization, such as a computer usage policy.
Answer: A
12
3) The board of directors is essential for effective corporate governance because it has ultimate
responsibility to
A) make sure management implements proper internal control and financial reporting processes.
B) assist management in the preparation of the financial statements.
C) test internal controls and ensure they are working properly.
D) provide a report to the auditor confirming that internal controls are working properly.
Answer: A
4) To help with corporate governance and a positive "tone at the top," the board of directors and
its committees, such as the audit committee, should
A) rubber stamp the financial statements once per year.
B) consist of all members of executive management.
C) follow the policies and procedures approved by management.
D) take an active role in overseeing the company.
Answer: D
5) A well-designed organizational structure at an entity

A) has operations and programming personnel tasks combined.
B) clearly defines authority and responsibility assignments.
C) requires that wage rates are recorded and tracked by the human resources department.
D) has the internal audit department report to the Chief Financial Officer.
Answer: B
6) The methods that management uses to supervise the entity's activities are called
A) personnel practices.
B) management control methods.
C) methods of assigning authority and responsibility.
D) management's operating style.
Answer: B
13
7) External auditor Mary Smith may not rely on the work of internal auditor Ray Jones unless
A) Jones is certified (CA, CGA or CMA).
B) Jones is independent of the client.
C) Jones is supervised by Smith.
D) Smith obtains evidence that supports the competence, integrity, and objectivity of Jones.
Answer: D
8) The first step for management in the risk assessment process is to identify factors that may
increase risk, for example failure to meet prior objectives. Then, management will
A) assess the likelihood of the risk occurring.
B) make sure that procedures are developed to eliminate the risk.
C) estimate the significance of that risk.
D) develop specific actions to reduce the risk to an acceptable level.
Answer: C
9) Management assesses risks as a part of designing and operating internal controls to minimize
fraud and errors. Auditors assess risks to
A) decide the evidence needed in the audit.
B) fully implement the audit risk model.
C) enable them to assess the completeness of internal controls.
D) make sure that the company will continue to operate over the next year.
Answer: A
10) FiddleWare Limited uses purchased packaged application software to handle the processing
of its transactions. An important control that management should implement with respect to
information systems is the
A) use of a formal systems development methodology.
B) evaluation of potential new systems against organizational objectives.
C) use of appropriate checkpoints and milestones during development.
D) tracking of routine program maintenance changes.
Answer: B
14
11) An example of general computer control systems that provide reasonable assurance of
authorization of application systems is
A) operations and information systems support.
B) systems, acquisition, development and maintenance controls.
C) organization and management controls.
D) application system control procedures.
Answer: B
12) Which of the following duties would indicate a weakness in internal controls? The
A) accounting function is under the controller.
B) custodianship of cash is the responsibility of the treasurer's function.
C) internal auditor reports to the board of directors.
D) custodianship of buildings and equipment is the responsibility of the controller's function.
Answer: D
13) The operational responsibility and the recording of transactions are normally kept separate
A) to centralize activities in order to be more cost efficient.
B) to ensure unbiased information is recorded.
C) because operational personnel rarely has the necessary accounting skills to record
transactions.
D) to avoid confusion of responsibilities and duplication of efforts.
Answer: B
14) Why is it important to separate systems development (or acquisition) and program
maintenance activities from accounting?
A) Accounting personnel have the expertise to evaluate program changes that have been
implemented.
B) Custody of media is important to help ensure ongoing operations.
C) This allows accounting to reconcile transaction totals to transaction details.
D) Lack of separation could result in unauthorized changes to programs and systems.
Answer: D
15
15) Which one of the following is an example of a general authorization?
A) The highest credit limit allowed for accounts receivable is $50,000.
B) ABC Company has a credit limit of $25,000.
C) Each supervisory wage rate must be approved by the executive manager.
D) Grocery supervisors approve each transaction reversal over five dollars.
Answer: A
16) Which one of the following is an example of a specific authorization?

A) The computer systems automatically reorder inventory when quantities fall below the
economic order quantity.
B) The highest credit limit allowed for accounts receivable customers is $100,000.
C) Each sales transaction that exceeds the credit limit of a customer must be approved by the
controller.
D) Grocery sales clerks may approve returns of goods less than ten dollars in value.
Answer: C
17) The chart of accounts is an important control because it provides the framework for
determining the information presented to management and other financial statement users. What
type of errors is the chart of accounts helpful in preventing? It helps prevent errors of
A) occurrence.
B) completeness.
C) accuracy.
D) classification.
Answer: D
18) An important type of protective measure for safeguarding assets and records is
A) adequate segregation of duties among personnel.
B) proper authorization of transactions.
C) the use of physical precautions.
D) adequate documentation.
Answer: C
16
19) An essential characteristic of the persons performing internal check procedures is
A) independence from the original data preparer.
B) a thorough knowledge of accounting.
C) an analytical and inquisitive mind.
D) competence in data entry skills.
Answer: A
20) A major control available in a small company, which might not be feasible in a large
company, is
A) a wider segregation of duties.
B) use of sequentially numbered documents.
C) fewer transactions to process.
D) the owner-manager's personal interest and close relationship with the personnel.
Answer: D
21) Effective internal control in a small company that has an insufficient number of employees to
permit proper division of responsibilities can best be enhanced by
A) employment of temporary personnel to aid in the segregation of duties.
B) direct participation by the owner of the business in the record-keeping activities of the
business.
C) engaging a public accountant to perform monthly "write-up" work.
D) delegation of full, clear-cut responsibility to each employee for the functions assigned to
each.
Answer: B
17
22) A) The COSO internal control framework consists of five components. Describe each of
these components.
B) Custody of assets and reconciliation should be separated to contribute to strong internal

control. List the general categories of activities that should be separated.
Answer:
A) Five components of internal control are:
∙ The control environment: The control environment consists of the actions, policies, and
procedures that reflect the overall attitudes of top management about control and its importance
to the company.
∙ Risk assessment: Management's identification and analysis of risks relevant to the preparation
of financial statements in conformity with an applicable financial reporting framework.
∙ Control activities: Policies and procedures that management has established to meet its
objectives for financial reporting.
∙ Information and communication: Includes the process to initiate, record, process and report the
entity's transactions and to maintain accountability for the related assets.
∙ Monitoring: Management's ongoing and periodic assessment of the quality of internal control
performance to determine that controls are operating as intended and modified when needed
B) The six general categories of activities are:
∙ Custody of assets.
∙ Recording or data entry of transactions.
∙ Systems development/acquisition and maintenance.
∙ Computer operations.
∙ Reconciliation.
∙ Authorization of transactions and activities.
Diff: 2 Type: ES Page Ref: A: 262-273, B: 268-269
18
23) A) Discuss what is meant by the term "control environment" and identify four control
environment subcomponents that the auditor should consider.
B) List the steps that management follows in assessing risks relevant to the preparation of
financial statements in conformity with an applicable financial reporting framework.
C) How does the auditor obtain knowledge about management's risk assessment process?
D) Explain how management's risk assessment process differs from the auditor's risk assessment
process.
E) What is the relationship between management's risk assessment process and audit evidence?
Answer:
A) The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about control and its
importance to the entity. Subcomponents include:
1. Active integrity and promotion of ethical values
2. Commitment to competence
3. The board of directors and audit committee
4. Management philosophy and operating style
5. Organizational structure
6. Human resource policies and practices
7. Methods of assigning authority and responsibility
8. Management control methods
9. Systems development methodology
10. Management reaction to external influences
11. Internal audit
B) Management's steps include:
∙ Identify factors that may increase risk.
∙ Estimate the significance of risks.
∙ Assess the likelihood that risks would occur.
∙ Develop specific actions that need to be taken to reduce the risk to an acceptable level.
C) The auditor:
∙ Determines how management identifies risk relevant to financial reporting
∙ Evaluates the significance of these risks
∙ Evaluates the likelihood of the risks occurring
∙ Decides whether actions (not already undertaken by management) are needed to address the
risks
Questionnaries and discussions with management are the most common ways to obtain this
understanding.
D) Management's risk assessment process is focused upon the identification and analysis of risks
relevant to the preparation of financial statements in conformity with an applicable financial
reporting framework. Management assesses risks as a part of designing and operating internal
controls to minimize errors and fraud.
Auditors assess risks to decide the evidence needed in the audit.
19
E) There is an inverse relationship: if management effectively assesses and responds to risks, the
auditor will typically accumulate less evidence than when management fails to identify or
respond to significant risks.
Diff: 2 Type: ES Page Ref: 262-267
24) A) List the three types of general computer control systems.
B) Adequate segregation of duties is an important control procedure. Describe the specific

functions that should be separated for segregation of duties to prevent both intentional and
unintentional misstatements that are of significance to auditors.
C) Adequate documents and records are important for effective internal control. Five principles
dictate the proper design and use of documents and records. One principle is that documents and
records should be prenumbered consecutively to facilitate control over missing documents, and
to aid in locating documents when they are needed at a later date. Discuss each of the other four
principles of adequate documents and records.
Answer:
A) The three types of general computer control systems are:
∙ Organization and management controls.
∙ Systems acquisition, development and maintenance controls.
∙ Operations and information systems support.
B) The general guidelines are:
∙ Custody of assets should be separated from accounting.
∙ Operational responsibility should be separated from recording or data entry of transactions.
∙ Separation of systems development or acquisition and maintenance from accounting.
∙ Separation of computer operations from programming and accounting.
∙ Separation of reconciliation from data entry.
∙ Proper authorization of transactions and activities from control over assets.
C) Documents and records should be:
∙ Prepared at the time a transaction takes place, or as soon thereafter as possible.
∙ Pre-numbered or automatically numbered.
∙ Sufficiently simple to ensure that they are clearly understood.
∙ Designed for multiple use whenever possible, to minimize the number of different forms.
∙ Constructed in a manner that encourages correct preparation, such as providing a degree of
internal check within the form or record.
20
25) Dimple Leather is a chain of retail stores that sells leather clothing and accessories across
Canada. Each store has point of sale equipment that is linked to a local server. At night, local
accounting information is transmitted to the head office computer and any updates to prices or
other adjustments are transferred to the local office.
Required:
Define the control environment. List the components of the control environment. For each
component, provide an example of a control that might exist at Dimple Leather.
Answer: Definition: The control environment consists of the actions, policies and procedures
that reflect the overall attitudes of top management, the directors, and the owners of an entity
about control and its importance to the entity.
Components of the control environment with an example:
(Note that many examples are possible; the following are illustrative examples.)
1. Active integrity and Promotion of Ethical Values: Employees are required to sign and live by a
corporate code of ethics.
2. Commitment to Competence: Employees are assigned to jobs that match their skills, and
receive regular, on-the-job training.
3. The Board of Directors and the Audit Committee: The Audit Committee should be active in its
involvement with management and the auditors, following up to determine why management
letter points have not been acted upon.
4. Management philosophy and operating style: Management of Dimple Leather should illustrate
ethical behaviour, and have an ethical statement available on their web site.
5. Organizational structure: The organizational structure should support adequate segregation of
duties, illustrated in an organization chart and written job descriptions.
6. Human resource policies and practices: Employees should be interviewed and references
checked prior to hiring.
7. Methods of assigning authority and responsibility: Management should have clear policies on
software copyright and information systems usage that are monitored and enforced.
8. Management control methods: Passwords should be required to access all accounting
information systems, with clear policies on allocation of user identification codes and password
change.
9. Systems development methodology: User approval should be required for all maintenance
program changes.
10. Management reaction to external influences: The company should monitor price and design
changes in the industry, and respond accordingly.
11. Internal audit: Internal audit should submit a plan of audits to be conducted, that is in
accordance with perceived risks of error.
21
26) Porterville, Ontario, is the home of the largest leather tanning operation in Canada. Hides
from various animals are stretched and treated, then cut into shapes for shipment to wholesalers.
Computer assisted operations are important in maintaining temperature, humidity, and proper
mix proportions in chemical solutions used for the tanning process. Computer assistance has
helped improve the quality of the tanning process, as well as provide a safer environment for
employees. Computer operations and backup is supported by the warehouse manager, Joe.
Individual hides are tagged with a bar code and tracked for quality control purposes. The
HomeTown Tanning Company uses a centralized microcomputer based system for its
manufacturing and accounting operations. The two owners of the company are active in the
business, and approve all new hardware and software acquisitions.
The controller is responsible for network upgrades as well as maintaining passwords and user
identification codes on the network. Accounting transactions are entered by accounting staff,
although the controller has the ability to review and correct transactions.
Required:
List the six categories of functions that need to be separated from each other. Does HomeTown
Tanning have these functions separated? For any functions that are not separated, indicate the
potential impact upon controls and upon the audit.
Answer:
1. Separation of custody of assets from accounting: Yes. Warehousing and manufacturing
operations are separate from the accounting department.
2. Separation of operational responsibility from recording or data entry of transactions: Yes.
Same as #1.
3. Separation of systems development or acquisition and maintenance from accounting: Yes. The
owners approve new systems. The owners are not in the accounting department.
4. Separation of computer operations from programming and accounting:
Yes for backup and recovery. The warehouse manager is responsible for computer operations
(backup), which is separate from accounting.
No for password control and security. The controller is responsible for maintaining security
passwords, and is also involved in accounting. The impact of this upon the audit is that the
controller could record erroneous transactions and hide this fact since she has access to the whole
system. The auditor will need to look for compensating controls (such as increased owner
involvement).
5. Separation of reconciliation from data entry: No. It is not stated who is responsible for
reconciliation. However, all individuals in the accounting department, including the controller,
have data entry capability. This means that one or more of these individuals could enter incorrect
or incomplete information, and hide the fact. The auditor will need to look for compensating
controls (such as increased owner involvement), or may need to increase the amounts of tests of
details.
22
6. Separation of authorization from control over assets: Yes. Controller and owners are
responsible for authorization, while the warehouse manager has custody of assets.
9.3 Define information technology governance. Describe the attributes of good IT governance
1) Jenny is the information technology support manager at CMH. Jenny is considered to be a

super-user at CMH since she can circumvent normal controls. In order to address the risk of
super-users, management should
A) remove the super-user.
B) establish effective compensating controls.
C) update the background check on the super-user on a yearly basis.
D) ensure that the super-user is familiar with the code of conduct of the company.
Answer: B
Learning Obj.: 9-3 Define information technology governance. Describe the attributes of good
IT governance
2) Bravo Design had IMB consulting design a custom software to record the job costs and sales
in progress. What acquisition process did Bravo design follow?
A) In-house development
B) Systems acquisition
C) Turnkey software development
D) Outsourcing
Answer: C
Learning Obj.: 9-3 Define information technology governance. Describe the attributes of good
IT governance
23
9.4 Describe what the auditor does to obtain an understanding of internal controls
1) When the auditor attempts to determine the operation of the accounting system by tracing one
or a few transactions through the accounting system, this is referred to as
A) tracing.
B) vouching.
C) tests of controls.
D) a walk-through.
Answer: D
Learning Obj.: 9-4 Describe what the auditor does to obtain an understanding of internal
controls
2) Once an understanding of internal controls is obtained that is sufficient for audit planning,
then the auditor must first assess
A) whether a lower level of control risk could be supported.
B) whether the financial statements are auditable.
C) the level of control risk supported by the understanding obtained.
D) the level of control risk to use.
Answer: B
controls
3) Control risk is a measure of the auditor's expectation that internal controls will
A) prevent material misstatements from occurring.
B) detect and correct material misstatements.
C) either prevent material misstatements or detect and correct them.
D) neither prevent material misstatements nor detect and correct them.
Answer: D
controls
4) When planning the audit, the auditor's decision on the appropriate assessed level of control
risk to use is
A) an economic issue, trading off the costs of testing controls against the cost of testing balances.
B) calculated by using the audit risk model.
C) calculated by using a standard formula.
D) determined by using actuarial tables.
Answer: A
controls
24
5) The procedures to test effectiveness of control policies and procedures in support of a reduced
assessed control risk are called
A) tests of details of balances.
B) tests of controls.
C) analytical procedures.
D) a walk-through.
Answer: B
controls
6) Narratives, flowcharts, and internal control questionnaires are three commonly used methods
of
A) documenting the auditor's understanding of internal controls.
B) testing internal controls.
C) designing the audit manual and procedures.
D) documenting the auditor's understanding of client's organizational structure.
Answer: A
controls
7) Paul is in the process of performing procedures to obtain the necessary understanding of the
client's internal controls. As part of this process, Paul received from the client completed
narratives, flowcharts and internal control questionnaires. Paul can use this information from the
client
A) if the entity level controls and tone at the top were found to be effective.
B) if there has not been any significant change in the internal controls since the prior year.
C) as long as any subsequent reliance on controls is adequately substantiated with testing.
D) since it was prepared by management who are unbiased.
Answer: C
controls
8) When a compensating control exists, a weakness in the system

A) is no longer a concern because the potential for misstatement has been sufficiently reduced.
B) is reduced but not removed; therefore, it is still of concern to the auditor.
C) could cause a material loss, so it must be tested using substantive procedures.
D) is magnified and must be removed from the sampling process and examined in its entirety.
Answer: A
controls
25
9) When the auditor identifies opportunities for the client to make operational improvements in
the internal control system, it will be communicated to the client's audit committee in the
A) management letter.
B) reportable conditions letter.
C) engagement letter.
D) audit report.
Answer: A
controls
10) A secondary objective of the auditor's study and evaluation of internal control is that the
study and evaluation provide
A) a basis for constructive suggestions concerning improvements in internal control.
B) a basis for reliance on the accounting system.
C) an assurance that the records and documents have been maintained in accordance with
existing company policies and procedures.
D) an indication that management and employees are trustworthy.
Answer: A
Diff: 2 Type: MC Page Ref: 292-293
controls
11) Each key control that the auditor intends to rely on must be supported by sufficient
A) tests of details of balances.
B) tests of controls.
C) analytical review procedures.
D) reperformance procedures.
Answer: B
controls
12) A procedure that would most likely be used by an auditor in performing tests of control
procedures that involve segregation of functions and that leave no transaction trail is
A) inspection.
B) observation.
C) reperformance.
D) reconciliation.
Answer: B
controls
26
13) Ideally, tests of controls should be applied to controls
A) at the balance sheet date.
B) at each quarterly interim period.
C) for the entire period under audit.
D) at the beginning of the fiscal period.
Answer: C
controls
14) After considering a client's internal controls, an auditor has concluded that it is well designed
and is functioning as intended. Under these circumstances, the auditor would most likely
A) perform tests of controls to the extent outlined in the audit program.
B) determine the control procedures that should prevent or detect errors and irregularities.
C) use a combined audit approach that includes tests of controls and substantive tests.
D) determine whether transactions are recorded to permit preparation of financial statements in
accordance with generally accepted accounting principles.
Answer: C
controls
15) A) Step one in the auditor's study and evaluation of internal control is obtain understanding
of internal control for audit planning purposes. List each of the remaining steps.
B) Once the auditor has an understanding of internal control, two assessments are made. List
each assessment that must be made prior to testing controls.
C) Describe five common procedures an auditor can use to obtain an understanding of internal
control design.
Answer:
A) The remaining steps are:
2. Evaluate the design effectiveness of controls.
3. Assess control risk.
4. Identify and assess risk of material misstatement.
5. Design tests of control.
6. Test controls
7. Evaluate results of tests of controls.
B) The assessments are:
• Assess whether the financial statements are auditable.
• Consider design effectiveness of controls.
C) The five procedures used to obtain an understanding of the client's internal control design are:
• Update and evaluate the auditor's previous experience with the entity.
• Make inquiries of client personnel.
• Read the client's policy and systems manuals.
• Examine documents and records.
27
• Observe activities and operations at the client's place of business.
controls
16) You have just finished documenting your understanding of cycle controls at an audit
engagement.
Required:
A) Explain how you will identify the controls that will be tested.
B) What process will you follow for weakness in internal controls?
Answer:
A) First, the controls will be organized by transaction-related audit objectives. Then, the controls
will be considered as to their importance and quality. Those controls that are well designed and
are most important for satisfying the transaction-related audit objectives will be considered for
testing. A control risk matrix could be used to assist with this process.
B) After identifying the controls that are present for transaction-related audit objectives, we will
be able to see which audit objectives do not have controls. The absence of controls for a
transaction-related audit objective is defined as a weakness.
Then, the potential misstatement that could occur for each of these absences is identified. We
would discuss with the client whether any compensating controls exist for each weakness. If yes,
then the compensating control would be considered for testing. The weakness should be noted in
a letter issued to management and the audit committee.
If there are no compensating controls for weak areas, then additional substantive testing may
need to be designed for those audit objectives.
controls
28
9.5 Identify important risks and controls in small businesses
1)
A)
B)
C)
D)
Answer: A
Diff: 1 Type: MC
Learning Obj.: 9-5 Identify important risks and controls in small businesses
29

Auditing The Art and Science of Assurance Engagements Canadian Twelfth Edition Canadian 12th Edition Arens Test Bank

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Auditing The Art and Science of Assurance Engagements Canadian Twelfth Edition Canadian 12th Edition Arens Test Bank

Uploaded by

Copyright:

Available Formats

Auditing The Art and Science of

Assurance Engagements Canadian

9.1 State the three primary objectives of effective internal control

1) A system of internal control consists of policies and procedures designed to provide

2) Management's objectives with respect to internal control include

3) Management safeguards assets by

1) The essence of an effectively controlled organization lies in the

2) The control environment consists of actions, policies and procedures that

5) A well-designed organizational structure at an entity

16) Which one of the following is an example of a specific authorization?

B) Custody of assets and reconciliation should be separated to contribute to strong internal

24) A) List the three types of general computer control systems.

B) Adequate segregation of duties is an important control procedure. Describe the specific

1) Jenny is the information technology support manager at CMH. Jenny is considered to be a

8) When a compensating control exists, a weakness in the system

B) What process will you follow for weakness in internal controls?

You might also like