Chapter (6)

Understanding and Auditing

Internal Control
 True or false
1) Internal control consists of six components.
False
Internal control as defined by the COSO Framework consists of five components:
∙ Control Environment.
∙ Entity’s Risk Assessment.
∙ Control Activities.
∙ Information and Communication.
∙ Monitoring Activities.
 True or false
2) One of the risks associated with internal control from IT is potential loss of data.
True
For more explanation
The extent of an entity’s use of information technology (IT) can affect internal control because
IT affects the way transactions are initiated, authorized, recorded, processed, and reported.
. For example, “cloud computing” and storage of data in the “cloud” bring specific risks and the need
for corresponding controls.

Table 6–1 lists some of the benefits and risks of using IT for an entity’s internal control. The
risks to internal control vary depending on the nature and characteristics of the entity’s information
system. For example, where multiple users may access a common database, a lack of control at a
single user entry point may compromise the security of the entire database. This may result in
improper changes to or destruction of data. When IT personnel or users can gain access to privileges
beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can
occur, resulting in unauthorized transactions or changes to programs or data.
 MCQ
1) Proper monitoring within an internal control framework may include all of the following
except:
• A. An external auditor.

• B. An effective audit committee

• C. An internal audit function

• D. The internal revenue service.

• Answer D. The internal revenue service.

 MCQ
2)Potential benefits of an entity's controls in an IT environment include all of the following
except:
A. Reduction in the risk that controls will be circumvented.

B. More accurate accounting estimates.

C. Consistent application of predefined business rules.

D. More timely information.

Answer b More accurate accounting estimates.
Information technology environment has not any awareness of accounting estimates
MCQ
• 3)Which of the following audit tests would be regarded as a test of controls?
• A. Tests of the specific items making up the balance in a given general ledger account.
• B. Tests comparing inventory pricing to vendors' invoices.
• C. Tests of the signatures on cancelled checks to the board of directors' authorizations
• D. Tests of the additions to property, plant, and equipment by physical inspections.

• ANSWER C. Tests of the signatures on cancelled checks to the board of directors'

authorizations
 MCQ
• 4)The independent auditor selects several transactions in each functional area and traces
them through the entire system, paying special attention to evidence about whether or not
the control activities are in operation. This is an example of a(n).
A. Analytical procedure
. B. Test of controls.
C. Substantive procedure.
D. Functional test.
ANSWER B TEST OF CONTROL
As the above situation implies that the auditor is trying to check the effectiveness and the
efficiency of the control processes used internally. And test of controls is a process of audit
that describes the steps for the internal; control of the company. Therefore it is an example
of test of control. Hence the correct answer is option b.
MCQ
5) An auditor's primary consideration regarding an entity's internal controls is
whether the policies and procedures
A.Affect the financial statement assertions.
B. Prevent management override.
C. Relate to the control environment.
D. Reflect management's philosophy and operating style.

ANSWER A.Affect the financial statement assertions.

 MCQ
6)Assessing control risk at a lower level involves all of the following except:
A. Identifying specific controls to rely on.
B. Concluding that controls are ineffective.
C. Performing tests of controls.
D. Analysing the achieved level of control risk after performing tests of controls.

ANSWER B Concluding that controls are ineffective.

For more explanation:- To set control risk below high (e.g., at moderate or low),
the auditor must
∙ Identify specific controls that will be relied upon.
∙ Perform tests of the identified controls.
∙ Conclude on the achieved level of control risk given results of testing.
 Continue….
Identifying Specific Controls That Will Be Relied Upon
The auditor’s understanding of internal control is used to identify the controls that are likely to
prevent, or detect and correct, material misstatement in specific assertions.

Performing Tests of Controls

. Tests of controls directed toward the effectiveness of the design of a control are concerned
with evaluating whether that control is suitably designed to prevent, or detect and correct,
material misstatements. Tests of controls directed toward operating effectiveness are
concerned with assessing how the control was applied, the consistency with which it was applied
during the audit period,

.
Continue….
• Concluding on the Achieved Level of Control Risk
the auditor should reach a conclusion on the achieved level of control risk

• Documenting the Achieved Level of Control Risk

The auditor should document the achieved level of control risk for the controls evaluated.
The auditor’s assessment of the level of control risk can be documented using a structured
working paper, an internal control questionnaire, or a memorandum.
MCQ
• Which of the following procedures most likely would be included as part of an
auditor's tests of controls?
• A. Inspection.

• B. Reconciliation.

• C. Confirmation.

• D. Analytical procedures.
• Answer A