Auditing and Assurance Services

November 27, 2017 | Author: gilli1tr | Category: Financial Audit, Audit, Financial Statement, Internal Audit, Accounting
Share Embed Donate


Short Description

Chapter 7 - Auditing Internal Control over Financial Reporting Test Bank...

Description

Chapter 07 - Auditing Internal Control over Financial Reporting

Chapter 07 Auditing Internal Control over Financial Reporting True / False Questions

1. All companies must follow the guidelines of AS5. True False

2. Most public companies must follow the guidelines of AS5. True False

3. In a public company, management must assess and report on internal control over financial reporting. True False

4. In a public company, management's report on internal control must be signed by the members of the audit committee. True False

5. Based on PCAOB guidelines, the audit of ICFR and financial statements audit should be conduced as an "integrated audit." True False

6. The PCAOB makes it clear that the CEO and CFO are responsible for the internal control over financial reporting and the preparation of the statements. True False

7. The likelihood of an event is "more than remote" when it is "highly possible." True False

7-1

Chapter 07 - Auditing Internal Control over Financial Reporting

8. When auditing a public company, the auditor must form an opinion on the effectiveness of internal control over financial reporting, or issue a disclaimer in the event of a scope limitation. True False

Multiple Choice Questions

9. In order for an external auditor to complete an audit of a publicly traded entity, the entity's management must comply with all of the following except: A. Accept responsibility for the effectiveness of the entity's internal control over financial reporting B. Evaluate the effectiveness of the entity's internal control over financial reporting using suitable control criteria C. Support its evaluation with sufficient evidence, including documentation D. Present an oral assessment of the effectiveness of the entity's internal control over financial reporting as of the end of the entity's most recent fiscal year

10. An "integrated audit" as stated in Section 404 of the Sarbanes-Oxley Act means A. The auditor must consider the integrated thoughts and ideas of everyone on the audit staff B. The auditor must conduct two audits, one on the effectiveness of internal control and one on the financial statements, in an integrated way C. The auditor must integrate the same objectives whether auditing internal control or auditing the financial statements D. Two independent CPA firms must work together on the audit

11. Section 404 of the Sarbanes-Oxley Act requires the auditor to provide which of the following A. Reasonable assurance on the financial statements, absolute assurance on internal control B. Reasonable assurance on internal control, absolute assurance on the financial statements C. Absolute assurance on both the financial statements and internal control D. Reasonable assurance on both the financial statements and internal control

7-2

Chapter 07 - Auditing Internal Control over Financial Reporting

12. According to the PCAOB, who is responsible for the reliability of the internal controls over financial reporting process of an entity? A. The entity's CEO and/or CFO B. The entity's board of directors C. An internal control specialist D. The external auditor

13. The person in charge of authorizing credit to customers does not properly understand what constitutes a credit risk. This is an example of A. A management deficiency B. A design deficiency C. A deficiency in operation D. This is not an internal control deficiency

14. A deficiency that implies that there is reasonable possibility of misstatement in the financial statements that is significant but not material is A. A material weakness B. A significant deficiency C. An insignificant deficiency D. A probable deficiency

15. Which of the following is not a topic that requires special consideration by management during management's internal control assessment process and by the auditor during the audit of internal control? A. Multiple locations and business units B. Service organizations C. The role of the auditor in internal control D. Safeguarding assets

16. Management documentation should include all of the following except: A. Documentation regarding the auditor's evaluation of internal controls B. Documentation regarding management's testing and evaluation of the controls C. Documentation regarding the safeguarding of assets D. Documentation on the controls designed in all five components of internal control

7-3

Chapter 07 - Auditing Internal Control over Financial Reporting

17. Which of the following is not a primary objective of internal control as established by COSO? A. Efficiency and effectiveness of operations B. Effective purchasing systems C. Compliance with laws and regulations D. Reliable financial reporting

18. The main goal of auditing internal control is: A. To allow the auditor to fix any internal control deficiencies B. To form an opinion on the ability of internal controls to prevent fraud C. To assure management that internal control is preventing all material misstatements on the financial statements D. To evaluate the effectiveness of controls over all relevant financial statement disclosures in the financial statements

19. An auditor performing an audit of internal control over financial reporting would be required to: A. Rely on the work of internal auditors B. Test all of the entity's internal controls C. Form an opinion on the effectiveness of internal control D. Randomly identify accounts for an audit of internal control

20. In determining the extent to which the auditor may use the work of others in the audit of ICFR, the auditor should do all of the following except A. Test some of the work performed by others to evaluate the quality and effectiveness of their work B. Evaluate the nature of the controls subjected to the work of others C. Evaluate the competence and objectivity of the individuals who performed the work D. All of the above are required

7-4

Chapter 07 - Auditing Internal Control over Financial Reporting

21. Which of the following is the least likely to represent a material weakness in internal control for Flynt Corporation? A. Flynt Corporation's computer systems were not working properly for two days; consequently, employees needed to do all reconciliations manually B. Flynt Corporation's CFO was arrested last year for embezzling money from the company C. For the current year, the auditor found a material misstatement in Flynt's sales recognition that was undetected by the internal controls D. Flynt's audit committee is deemed to be ineffective

22. S&H Accounting has just performed an audit of Bob's Bikes. S&H was unable to obtain a written representation from management about internal control. Which of the following is true? A. S&H must still assume that management has assessed the effectiveness of internal control B. Depending on other factors in the audit, S&H can still issue an unqualified opinion C. S&H should consider this situation a limitation on the scope of the audit D. Management does not need to give S&H a letter if they have disclosed all known internal control deficiencies

23. Public reporting on the effectiveness of internal control over financial reporting, as required by the Sarbanes-Oxley Act, includes: A. A statement that the public accounting firm that audited the financial statements has provided input on the design of internal controls B. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting C. An explicit statement as to whether management agrees with the public accounting firm's assessment of internal controls D. A detailed statement describing changes or additions to the internal control environment that occurred in the current year

7-5

Chapter 07 - Auditing Internal Control over Financial Reporting

24. Which of the following concerning the auditor's report on internal control over financial reporting is correct? A. The auditor's report contains an opinion on the effectiveness of internal control over financial reporting based on the auditor's independent work B. In the report on internal control over financial reporting, the auditor can issue only a qualified or an unqualified opinion C. The auditor needs to state management's assessment of internal control over financial reporting, but does not necessarily need to comment on whether he or she agrees D. An unqualified opinion is required if a material weakness is identified

25. Prior to issuing a report on internal controls over financial reporting, an auditor is required to: A. Perform procedures sufficient to identify all control deficiencies B. Communicate to management, in writing, all control deficiencies previously included in written communication from the internal auditors C. Communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made D. Represent that no significant deficiencies were noted during the audit of internal control

26. Which of the following is not true? A. The auditor should not communicate with management at all until the audit of internal control over financial reporting is finished B. Written communication between the auditor and management about internal control over financial reporting should include the definitions of control deficiencies, significant deficiencies, and material weaknesses C. The auditor should not include in the audit report that no significant deficiencies were noted during an audit of internal control over financial reporting D. If fraud is discovered, the auditor must report it to the appropriate level of management

27. An "integrated audit" A. Will, in most cases, lead to a substantive audit strategy B. Denies the auditor access to information about the client's controls C. May be performed by two separate audit firms D. Is comprised of audits of internal control over financial reporting and of financial statements

7-6

Chapter 07 - Auditing Internal Control over Financial Reporting

28. The primary purpose of a generalized computer audit program is to allow the auditor to A. Use the client's employees to perform routine audit checks of the electronic data processing records that otherwise would be done by the auditor's staff accountants B. Test the logic of computer programs used in the client's electronic data processing systems C. Select larger samples from the client's electronic data processing records than would otherwise be selected without the generalized program D. Independently process client electronic data processing records

29. Which of the following audit procedures would an auditor be least likely to perform using a generalized computer audit program? A. Searching records of accounts receivable balances for credit balances B. Investigating inventory balances for possible damaged goods C. Selecting accounts receivable for positive and negative confirmation D. Listing of unusually large inventory balances

30. The auditor is least likely to use generalized audit software to A. Perform analytical procedures on the client's data B. Access information stored on the client's IT files C. Identify material weaknesses in the client's IT controls D. Test the accuracy of the client's computations

31. The five step process in the audit of ICFR includes A. Form an opinion on the safeguarding of the entity's assets B. Identify controls to test using a top-down, risk-based approach C. Form an opinion on the fairness of the presentation of the financial statements D. Form an opinion on the effectiveness of internal controls in meeting operational goals

32. Which of the following is an advantage of generalized computer audit packages? A. They are all written in one identical computer language B. They can be used for audits of clients that use differing IT equipment and file formats C. They have reduced the need for the auditor to study input controls for IT-related procedures D. Their use can be substituted for a relatively large part of the required compliance testing

7-7

Chapter 07 - Auditing Internal Control over Financial Reporting

33. ACL is an example of A. An EDI software package B. An IT software package C. Software that allows auditors to retrieve and evaluate data from client systems D. A type of networking

34. The PCAOB's definition of internal control over financial reporting specifically mentions all of the following control activities, except A. The maintenance of asset records B. The segregation of duties C. The authorization by management of receipts and expenditures D. The safeguarding of assets

35. Which of the following is not an element of management's assessment process for the effectiveness of internal control? A. Evaluate the likelihood that failure of a control could result in a misstatement B. Determining the locations and business units to include in the evaluation C. Determining significant deficiencies and material weaknesses in controls D. Obtaining the auditor's assessment of the internal control effectiveness

36. Which of the following is true regarding management's documentation of internal controls? A. Some documentation should focus on controls designed to detect fraud B. Documentation should focus on controls over the interim financial reporting process C. Documentation must be done on paper D. Inadequate documentation is usually considered an insignificant deficiency in internal control

37. Which of the following statements is false? A. The PCAOB focuses on the financial reporting objective of internal controls B. Management is required to base internal controls on a recognized control framework C. Most United States entities use the internal control framework developed by COSO in the early 1990s D. All controls relevant to financial reporting are accounting controls

7-8

Chapter 07 - Auditing Internal Control over Financial Reporting

38. To obtain an understanding of significant processes and relevant subprocesses, auditors would be least likely to use which of the following techniques: A. Reviewing management documentation B. Inquiry C. Scanning D. Transaction walkthroughs

39. Management's written representations concerning internal control are: A. Addressed to the users of the financial statements B. Normally drafted by management C. Included in the auditor's final report D. Signed by the CEO and CFO

40. In the context of an audit of internal controls, the auditor must document all of the following except A. The extent to which he or she relied upon work performed by others B. The auditor's understanding and evaluation of the design of each of the components of the entity's internal control over financial reporting C. Transcripts of the auditor's discussion with management concerning the points at which misstatements could occur D. The evaluation of any deficiencies discovered that could result in a modification of the auditor's report

41. Examples of company-level controls include: A. Management's risk assessment process B. Controls to monitor results of operations C. The period-end financial reporting process D. All of the above are examples of company-level controls

7-9

Chapter 07 - Auditing Internal Control over Financial Reporting

42. Which of the following statements included in management's assessment of the effectiveness of internal control over financial reporting would be considered acceptable for issuing an unqualified opinion? A. Nothing has come to management's attention to suggest that the company's internal control is less than effective B. Statements suggesting only negative assurance C. A conclusion that the company's internal control over financial reporting is effective when a material weakness exists at the end of the reporting period D. Disclosure of material weaknesses corrected during the period

43. A modification of the standard report is required for all of the following conditions, except: A. There is a restriction on the scope of the engagement B. There is other information contained in management's report on internal control C. Management has concluded that internal controls are not effective D. A significant subsequent event has occurred since the date being reported on

44. AAA Accounting recently finished auditing LinktheEarth Corporation's internal control over financial reporting. AAA found a number of material weaknesses in the company's internal control. LinktheEarth's management remediated all of the weaknesses that AAA found. However, the auditors did not have sufficient time to retest the controls. What report should AAA issue with regards to internal control over financial reporting at year end? A. Unqualified report B. Adverse report C. Qualified report D. Disclaimer on opinion

45. According to the COSO definition of safeguarding of assets: A. Controls over financial reporting are effective if they provide reasonable assurance that asset losses will not occur B. Controls over financial reporting are effective if they provide reasonable assurance that losses are properly reflected in the financial statements C. Both A and B D. Neither A nor B

7-10

Chapter 07 - Auditing Internal Control over Financial Reporting

46. An auditor will use the IT test data method in order to gain certain assurances with respect to the A. Input data B. Machine capacity C. Procedures contained within the program D. Degree of keypunching accuracy

47. Which of the following is true of generalized audit software packages? A. They can be used only in auditing on-line computer systems B. They can be used on any computer without modification C. They each have their own characteristics which the auditor must carefully consider before using in a given audit situation D. They enable the auditor to perform all manual test procedures less expensively

48. The advantages of generalized audit software include all of the following except A. It involves auditing while the data are being processed (real-time) B. It is easy to use C. The time to develop the application is usually short D. An entire population can be examined in some instances

49. Section 404 of the Sarbanes-Oxley Act includes which of the following? A. A requirement that management of a publicly traded company issues an assessment of internal control that covers the entire year B. Specific guidance on what constitutes adequate internal control C. A requirement that management of a publicly traded company accepts responsibility for establishing and maintaining adequate internal controls D. A requirement that management of a publicly traded company issues an assessment regarding the efficiency of internal control for the year

7-11

Chapter 07 - Auditing Internal Control over Financial Reporting

50. For which of the following internal controls would an auditor be least likely to perform tests of internal controls closer to the "as of" date? A. Withdrawals from Federal Bank of more than $5 million must include a manager's signature B. At the end of each day at Federal Bank, the total cash in the vault is reconciled with daily registers of deposits and withdrawals C. Federal Bank has just started establishing trusts for its customers and it has only set up ten. Before making an investment for a trust, bank employees must verify that the investment is in accordance with stated investment policies D. On an annual basis, Federal Bank management performs credit checks on its loan customers before determining the value of loans it will not be able to collect on

51. Which of the following is false? A. Regardless of the achieved level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures B. The absence of misstatements in financial statements is considered convincing evidence that existing controls are effective C. The audit of internal control is intended to draw conclusions about the effectiveness of internal control over financial reporting as of a specific date D. The auditor is required by AS5 to evaluate the implications of the financial statement audit for the effectiveness of internal control over financial reporting

52. When testing a computerized accounting system, which of the following is false regarding the test data approach? A. The test data need to consist of only those valid and invalid conditions in which the auditor is interested B. Only one transaction of each type need be tested C. Test data are processed by the client's computer programs under the auditor's control D. The test data must consist of all possible valid and invalid conditions

7-12

Chapter 07 - Auditing Internal Control over Financial Reporting

53. When an auditor tests a computerized accounting system, which of the following is true of the test data approach? A. Test data are processed by the client's computer programs under the auditor's control B. Test data must consist of all possible valid and invalid conditions C. Testing a program at year end provides assurance that the client's processing was accurate for the full year D. Several transactions of each type must be tested

Short Answer Questions

54. You are an experienced audit senior. The new staff accountant on your audit team does not understand what a control deficiency is. Give him a definition of "control deficiency." Include examples of two types of control deficiencies.

55. You are performing an audit on North South Natural Gas (NSNG). Alana, an NSNG employee, has responsibility for reconciling bank statements with the company's cash records. You determine, however, that Alana has never been taught how to reconcile statements. In effect, the statements have not been properly reconciled for two years. How would you judge the significance of this control deficiency? How would you classify this deficiency?

7-13

Chapter 07 - Auditing Internal Control over Financial Reporting

56. CBA Accounting is auditing a large publicly traded company. The audit of internal controls over financial reporting has been properly planned and the auditors have already identified controls to test using a top-down, risk-based approach. What is the next step? Give three examples of procedures that may be completed in the next step in the audit.

57. Trumpeter Corporation is a small publicly traded company that specializes in the restoration and sale of fine musical instruments. The audit committee is made up of a CEO from a technology company, a college accounting professor, and a local marketing executive. All are sufficiently independent from management. The audit committee meets three times a year. Each time they meet, a different member, who chooses the topics to discuss, leads each meeting. The audit committee then sends the minutes of their meetings to the company's CFO. Solely from this information, what are your conclusions about this audit committee's role within the control environment?

58. Identify indicators of a material weakness in internal control over financial reporting.

7-14

Chapter 07 - Auditing Internal Control over Financial Reporting

59. AS5 requires that the auditor appropriately document the processes, procedures, judgments, and results relating to the audit of internal control. Specifically, what must this documentation include?

7-15

Chapter 07 - Auditing Internal Control over Financial Reporting

60. What is wrong with the following report on internal control over financial reporting for AB Corporation? The auditor believes an unqualified opinion on the effectiveness of internal control over financial reporting is warranted. Report of Registered Public Accounting Firm We have audited AB Corporation's internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ABC's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on the company's internal control over financial reporting based on our audit. We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. In our opinion, ABC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated financial statements of ABC, and our report dated February 20, 2010 expressed an unqualified opinion. Protzman & Hull Morgan Hill, CA February 10, 2010

7-16

Chapter 07 - Auditing Internal Control over Financial Reporting

61. On the audit of Technology Unlimited, a leading manufacturer of computer chips, the external audit staff discovers that the internal audit staff has performed extensive evaluation and testing on the control environment. What should the external auditors do to determine the extent to which they may use the work of the internal audit staff? Can the external audit staff rely on the internal audit staff for evaluating and testing the control environment?

62. Information Nation has two hundred locations spread across the fifty states. Twenty of the locations are considered to be individually important, but fifty of the locations are not important even when aggregated from the others. Five locations deal with foreign exchange trading. These locations are not considered important, but they are important when aggregated with the other locations. As an auditor, discuss the considerations involved in testing multiple locations and group the locations accordingly (provide how many locations are included in each group). Include the treatment that each group should receive from the auditor.

63. Discuss the differences between a control deficiency, a significant deficiency, a material weakness, and the two dimensions of the control deficiency - likelihood and magnitude.

7-17

Chapter 07 - Auditing Internal Control over Financial Reporting

64. Discuss entity-level controls and provide examples of these types of controls.

7-18

Chapter 07 - Auditing Internal Control over Financial Reporting

Chapter 07 Auditing Internal Control over Financial Reporting Answer Key

True / False Questions

1. All companies must follow the guidelines of AS5. FALSE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 1

2. Most public companies must follow the guidelines of AS5. TRUE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 1

3. In a public company, management must assess and report on internal control over financial reporting. TRUE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 1

7-19

Chapter 07 - Auditing Internal Control over Financial Reporting

4. In a public company, management's report on internal control must be signed by the members of the audit committee. FALSE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 1

5. Based on PCAOB guidelines, the audit of ICFR and financial statements audit should be conduced as an "integrated audit." TRUE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 2

6. The PCAOB makes it clear that the CEO and CFO are responsible for the internal control over financial reporting and the preparation of the statements. TRUE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 3

7. The likelihood of an event is "more than remote" when it is "highly possible." FALSE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 4

7-20

Chapter 07 - Auditing Internal Control over Financial Reporting

8. When auditing a public company, the auditor must form an opinion on the effectiveness of internal control over financial reporting, or issue a disclaimer in the event of a scope limitation. TRUE

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 6

Multiple Choice Questions

9. In order for an external auditor to complete an audit of a publicly traded entity, the entity's management must comply with all of the following except: A. Accept responsibility for the effectiveness of the entity's internal control over financial reporting B. Evaluate the effectiveness of the entity's internal control over financial reporting using suitable control criteria C. Support its evaluation with sufficient evidence, including documentation D. Present an oral assessment of the effectiveness of the entity's internal control over financial reporting as of the end of the entity's most recent fiscal year

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 1

7-21

Chapter 07 - Auditing Internal Control over Financial Reporting

10. An "integrated audit" as stated in Section 404 of the Sarbanes-Oxley Act means A. The auditor must consider the integrated thoughts and ideas of everyone on the audit staff B. The auditor must conduct two audits, one on the effectiveness of internal control and one on the financial statements, in an integrated way C. The auditor must integrate the same objectives whether auditing internal control or auditing the financial statements D. Two independent CPA firms must work together on the audit

AACSB: Communications AICPA BB: Legal AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 2

11. Section 404 of the Sarbanes-Oxley Act requires the auditor to provide which of the following A. Reasonable assurance on the financial statements, absolute assurance on internal control B. Reasonable assurance on internal control, absolute assurance on the financial statements C. Absolute assurance on both the financial statements and internal control D. Reasonable assurance on both the financial statements and internal control

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 2

12. According to the PCAOB, who is responsible for the reliability of the internal controls over financial reporting process of an entity? A. The entity's CEO and/or CFO B. The entity's board of directors C. An internal control specialist D. The external auditor

AACSB: Communications AICPA BB: Legal AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 3

7-22

Chapter 07 - Auditing Internal Control over Financial Reporting

13. The person in charge of authorizing credit to customers does not properly understand what constitutes a credit risk. This is an example of A. A management deficiency B. A design deficiency C. A deficiency in operation D. This is not an internal control deficiency

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Application Difficulty: Easy Learning Objective: 10 Learning Objective: 4

14. A deficiency that implies that there is reasonable possibility of misstatement in the financial statements that is significant but not material is A. A material weakness B. A significant deficiency C. An insignificant deficiency D. A probable deficiency

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Easy Learning Objective: 10 Learning Objective: 4

15. Which of the following is not a topic that requires special consideration by management during management's internal control assessment process and by the auditor during the audit of internal control? A. Multiple locations and business units B. Service organizations C. The role of the auditor in internal control D. Safeguarding assets

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 5

7-23

Chapter 07 - Auditing Internal Control over Financial Reporting

16. Management documentation should include all of the following except: A. Documentation regarding the auditor's evaluation of internal controls B. Documentation regarding management's testing and evaluation of the controls C. Documentation regarding the safeguarding of assets D. Documentation on the controls designed in all five components of internal control

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 5

17. Which of the following is not a primary objective of internal control as established by COSO? A. Efficiency and effectiveness of operations B. Effective purchasing systems C. Compliance with laws and regulations D. Reliable financial reporting

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Easy Learning Objective: 5

18. The main goal of auditing internal control is: A. To allow the auditor to fix any internal control deficiencies B. To form an opinion on the ability of internal controls to prevent fraud C. To assure management that internal control is preventing all material misstatements on the financial statements D. To evaluate the effectiveness of controls over all relevant financial statement disclosures in the financial statements

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Easy Learning Objective: 6

7-24

Chapter 07 - Auditing Internal Control over Financial Reporting

19. An auditor performing an audit of internal control over financial reporting would be required to: A. Rely on the work of internal auditors B. Test all of the entity's internal controls C. Form an opinion on the effectiveness of internal control D. Randomly identify accounts for an audit of internal control

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Easy Learning Objective: 6

20. In determining the extent to which the auditor may use the work of others in the audit of ICFR, the auditor should do all of the following except A. Test some of the work performed by others to evaluate the quality and effectiveness of their work B. Evaluate the nature of the controls subjected to the work of others C. Evaluate the competence and objectivity of the individuals who performed the work D. All of the above are required

AACSB: Communications AICPA BB: Resource Management AICPA FN: Decision Making Bloom's: Application Difficulty: Easy Learning Objective: 7

7-25

Chapter 07 - Auditing Internal Control over Financial Reporting

21. Which of the following is the least likely to represent a material weakness in internal control for Flynt Corporation? A. Flynt Corporation's computer systems were not working properly for two days; consequently, employees needed to do all reconciliations manually B. Flynt Corporation's CFO was arrested last year for embezzling money from the company C. For the current year, the auditor found a material misstatement in Flynt's sales recognition that was undetected by the internal controls D. Flynt's audit committee is deemed to be ineffective

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Application Difficulty: Easy Learning Objective: 7

22. S&H Accounting has just performed an audit of Bob's Bikes. S&H was unable to obtain a written representation from management about internal control. Which of the following is true? A. S&H must still assume that management has assessed the effectiveness of internal control B. Depending on other factors in the audit, S&H can still issue an unqualified opinion C. S&H should consider this situation a limitation on the scope of the audit D. Management does not need to give S&H a letter if they have disclosed all known internal control deficiencies

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Application Difficulty: Easy Learning Objective: 12

7-26

Chapter 07 - Auditing Internal Control over Financial Reporting

23. Public reporting on the effectiveness of internal control over financial reporting, as required by the Sarbanes-Oxley Act, includes: A. A statement that the public accounting firm that audited the financial statements has provided input on the design of internal controls B. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting C. An explicit statement as to whether management agrees with the public accounting firm's assessment of internal controls D. A detailed statement describing changes or additions to the internal control environment that occurred in the current year

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 14

24. Which of the following concerning the auditor's report on internal control over financial reporting is correct? A. The auditor's report contains an opinion on the effectiveness of internal control over financial reporting based on the auditor's independent work B. In the report on internal control over financial reporting, the auditor can issue only a qualified or an unqualified opinion C. The auditor needs to state management's assessment of internal control over financial reporting, but does not necessarily need to comment on whether he or she agrees D. An unqualified opinion is required if a material weakness is identified

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 10 Learning Objective: 14

7-27

Chapter 07 - Auditing Internal Control over Financial Reporting

25. Prior to issuing a report on internal controls over financial reporting, an auditor is required to: A. Perform procedures sufficient to identify all control deficiencies B. Communicate to management, in writing, all control deficiencies previously included in written communication from the internal auditors C. Communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made D. Represent that no significant deficiencies were noted during the audit of internal control

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 15

26. Which of the following is not true? A. The auditor should not communicate with management at all until the audit of internal control over financial reporting is finished B. Written communication between the auditor and management about internal control over financial reporting should include the definitions of control deficiencies, significant deficiencies, and material weaknesses C. The auditor should not include in the audit report that no significant deficiencies were noted during an audit of internal control over financial reporting D. If fraud is discovered, the auditor must report it to the appropriate level of management

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 15

7-28

Chapter 07 - Auditing Internal Control over Financial Reporting

27. An "integrated audit" A. Will, in most cases, lead to a substantive audit strategy B. Denies the auditor access to information about the client's controls C. May be performed by two separate audit firms D. Is comprised of audits of internal control over financial reporting and of financial statements

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 2

28. The primary purpose of a generalized computer audit program is to allow the auditor to A. Use the client's employees to perform routine audit checks of the electronic data processing records that otherwise would be done by the auditor's staff accountants B. Test the logic of computer programs used in the client's electronic data processing systems C. Select larger samples from the client's electronic data processing records than would otherwise be selected without the generalized program D. Independently process client electronic data processing records

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Easy Learning Objective: 18

29. Which of the following audit procedures would an auditor be least likely to perform using a generalized computer audit program? A. Searching records of accounts receivable balances for credit balances B. Investigating inventory balances for possible damaged goods C. Selecting accounts receivable for positive and negative confirmation D. Listing of unusually large inventory balances

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Easy Learning Objective: 18

7-29

Chapter 07 - Auditing Internal Control over Financial Reporting

30. The auditor is least likely to use generalized audit software to A. Perform analytical procedures on the client's data B. Access information stored on the client's IT files C. Identify material weaknesses in the client's IT controls D. Test the accuracy of the client's computations

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Easy Learning Objective: 18

31. The five step process in the audit of ICFR includes A. Form an opinion on the safeguarding of the entity's assets B. Identify controls to test using a top-down, risk-based approach C. Form an opinion on the fairness of the presentation of the financial statements D. Form an opinion on the effectiveness of internal controls in meeting operational goals

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Easy Learning Objective: 6

32. Which of the following is an advantage of generalized computer audit packages? A. They are all written in one identical computer language B. They can be used for audits of clients that use differing IT equipment and file formats C. They have reduced the need for the auditor to study input controls for IT-related procedures D. Their use can be substituted for a relatively large part of the required compliance testing

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Easy Learning Objective: 18

7-30

Chapter 07 - Auditing Internal Control over Financial Reporting

33. ACL is an example of A. An EDI software package B. An IT software package C. Software that allows auditors to retrieve and evaluate data from client systems D. A type of networking

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Easy Learning Objective: 18

34. The PCAOB's definition of internal control over financial reporting specifically mentions all of the following control activities, except A. The maintenance of asset records B. The segregation of duties C. The authorization by management of receipts and expenditures D. The safeguarding of assets

AACSB: Communications AICPA BB: Legal AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Moderate Learning Objective: 3

35. Which of the following is not an element of management's assessment process for the effectiveness of internal control? A. Evaluate the likelihood that failure of a control could result in a misstatement B. Determining the locations and business units to include in the evaluation C. Determining significant deficiencies and material weaknesses in controls D. Obtaining the auditor's assessment of the internal control effectiveness

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Moderate Learning Objective: 5

7-31

Chapter 07 - Auditing Internal Control over Financial Reporting

36. Which of the following is true regarding management's documentation of internal controls? A. Some documentation should focus on controls designed to detect fraud B. Documentation should focus on controls over the interim financial reporting process C. Documentation must be done on paper D. Inadequate documentation is usually considered an insignificant deficiency in internal control

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Knowledge Difficulty: Moderate Learning Objective: 5

37. Which of the following statements is false? A. The PCAOB focuses on the financial reporting objective of internal controls B. Management is required to base internal controls on a recognized control framework C. Most United States entities use the internal control framework developed by COSO in the early 1990s D. All controls relevant to financial reporting are accounting controls

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Moderate Learning Objective: 5

38. To obtain an understanding of significant processes and relevant subprocesses, auditors would be least likely to use which of the following techniques: A. Reviewing management documentation B. Inquiry C. Scanning D. Transaction walkthroughs

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 9

7-32

Chapter 07 - Auditing Internal Control over Financial Reporting

39. Management's written representations concerning internal control are: A. Addressed to the users of the financial statements B. Normally drafted by management C. Included in the auditor's final report D. Signed by the CEO and CFO

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Knowledge Difficulty: Moderate Learning Objective: 12

40. In the context of an audit of internal controls, the auditor must document all of the following except A. The extent to which he or she relied upon work performed by others B. The auditor's understanding and evaluation of the design of each of the components of the entity's internal control over financial reporting C. Transcripts of the auditor's discussion with management concerning the points at which misstatements could occur D. The evaluation of any deficiencies discovered that could result in a modification of the auditor's report

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's:Application Difficulty: Moderate Learning Objective: 13

41. Examples of company-level controls include: A. Management's risk assessment process B. Controls to monitor results of operations C. The period-end financial reporting process D. All of the above are examples of company-level controls

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Moderate Learning Objective: 6

7-33

Chapter 07 - Auditing Internal Control over Financial Reporting

42. Which of the following statements included in management's assessment of the effectiveness of internal control over financial reporting would be considered acceptable for issuing an unqualified opinion? A. Nothing has come to management's attention to suggest that the company's internal control is less than effective B. Statements suggesting only negative assurance C. A conclusion that the company's internal control over financial reporting is effective when a material weakness exists at the end of the reporting period D. Disclosure of material weaknesses corrected during the period

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Application Difficulty: Moderate Learning Objective: 14

43. A modification of the standard report is required for all of the following conditions, except: A. There is a restriction on the scope of the engagement B. There is other information contained in management's report on internal control C. Management has concluded that internal controls are not effective D. A significant subsequent event has occurred since the date being reported on

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Application Difficulty: Moderate Learning Objective: 14

7-34

Chapter 07 - Auditing Internal Control over Financial Reporting

44. AAA Accounting recently finished auditing LinktheEarth Corporation's internal control over financial reporting. AAA found a number of material weaknesses in the company's internal control. LinktheEarth's management remediated all of the weaknesses that AAA found. However, the auditors did not have sufficient time to retest the controls. What report should AAA issue with regards to internal control over financial reporting at year end? A. Unqualified report B. Adverse report C. Qualified report D. Disclaimer on opinion

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Application Difficulty: Moderate Learning Objective: 14

45. According to the COSO definition of safeguarding of assets: A. Controls over financial reporting are effective if they provide reasonable assurance that asset losses will not occur B. Controls over financial reporting are effective if they provide reasonable assurance that losses are properly reflected in the financial statements C. Both A and B D. Neither A nor B

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Moderate Learning Objective: 17

7-35

Chapter 07 - Auditing Internal Control over Financial Reporting

46. An auditor will use the IT test data method in order to gain certain assurances with respect to the A. Input data B. Machine capacity C. Procedures contained within the program D. Degree of keypunching accuracy

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Moderate Learning Objective: 18

47. Which of the following is true of generalized audit software packages? A. They can be used only in auditing on-line computer systems B. They can be used on any computer without modification C. They each have their own characteristics which the auditor must carefully consider before using in a given audit situation D. They enable the auditor to perform all manual test procedures less expensively

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Moderate Learning Objective: 18

48. The advantages of generalized audit software include all of the following except A. It involves auditing while the data are being processed (real-time) B. It is easy to use C. The time to develop the application is usually short D. An entire population can be examined in some instances

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Knowledge Difficulty: Moderate Learning Objective: 18

7-36

Chapter 07 - Auditing Internal Control over Financial Reporting

49. Section 404 of the Sarbanes-Oxley Act includes which of the following? A. A requirement that management of a publicly traded company issues an assessment of internal control that covers the entire year B. Specific guidance on what constitutes adequate internal control C. A requirement that management of a publicly traded company accepts responsibility for establishing and maintaining adequate internal controls D. A requirement that management of a publicly traded company issues an assessment regarding the efficiency of internal control for the year

AACSB: Communications AICPA BB: Legal AICPA FN: Decision Making Bloom's: Knowledge Difficulty: Hard Learning Objective: 1

50. For which of the following internal controls would an auditor be least likely to perform tests of internal controls closer to the "as of" date? A. Withdrawals from Federal Bank of more than $5 million must include a manager's signature B. At the end of each day at Federal Bank, the total cash in the vault is reconciled with daily registers of deposits and withdrawals C. Federal Bank has just started establishing trusts for its customers and it has only set up ten. Before making an investment for a trust, bank employees must verify that the investment is in accordance with stated investment policies D. On an annual basis, Federal Bank management performs credit checks on its loan customers before determining the value of loans it will not be able to collect on

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Application Difficulty: Hard Learning Objective: 9

7-37

Chapter 07 - Auditing Internal Control over Financial Reporting

51. Which of the following is false? A. Regardless of the achieved level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures B. The absence of misstatements in financial statements is considered convincing evidence that existing controls are effective C. The audit of internal control is intended to draw conclusions about the effectiveness of internal control over financial reporting as of a specific date D. The auditor is required by AS5 to evaluate the implications of the financial statement audit for the effectiveness of internal control over financial reporting

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Hard Learning Objective: 6

52. When testing a computerized accounting system, which of the following is false regarding the test data approach? A. The test data need to consist of only those valid and invalid conditions in which the auditor is interested B. Only one transaction of each type need be tested C. Test data are processed by the client's computer programs under the auditor's control D. The test data must consist of all possible valid and invalid conditions

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Hard Learning Objective: 18

7-38

Chapter 07 - Auditing Internal Control over Financial Reporting

53. When an auditor tests a computerized accounting system, which of the following is true of the test data approach? A. Test data are processed by the client's computer programs under the auditor's control B. Test data must consist of all possible valid and invalid conditions C. Testing a program at year end provides assurance that the client's processing was accurate for the full year D. Several transactions of each type must be tested

AACSB: Technology AICPA BB: Leveraging Technology AICPA FN: Leveraging Technology Bloom's: Application Difficulty: Hard Learning Objective: 18

Short Answer Questions

54. You are an experienced audit senior. The new staff accountant on your audit team does not understand what a control deficiency is. Give him a definition of "control deficiency." Include examples of two types of control deficiencies. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when (1) a control necessary to meet the relevant control objective is missing; or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. Specific examples of control deficiencies will vary.

AACSB: Communications AICPA BB: Industry AICPA FN: Risk Analysis Bloom's: Comprehension Difficulty: Easy Learning Objective: 10 Learning Objective: 4

7-39

Chapter 07 - Auditing Internal Control over Financial Reporting

55. You are performing an audit on North South Natural Gas (NSNG). Alana, an NSNG employee, has responsibility for reconciling bank statements with the company's cash records. You determine, however, that Alana has never been taught how to reconcile statements. In effect, the statements have not been properly reconciled for two years. How would you judge the significance of this control deficiency? How would you classify this deficiency? To judge the materiality of a control deficiency, the auditor could consider the problem in terms of magnitude and likelihood. The likelihood of an event must be either reasonably possible or probable to be a significant deficiency or a material weakness. This deficiency is obviously probable, because the auditor knows the control has not operated for two years. After the likelihood is determined, the auditor could consider the magnitude of a possible misstatement. A misstatement is not material if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would be clearly immaterial to the financial statements. A remote likelihood and insignificant magnitude would result in an insignificant deficiency. A significant deficiency occurs when there is reasonable possibility that a misstatement in the financial statements is not material but significant. A material weakness is a significant deficiency that results when the likelihood is reasonably possible and material. Note: Students should then make and defend a judgment on whether this problem is an insignificant deficiency, significant deficiency, or material weakness.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 10 Learning Objective: 4

7-40

Chapter 07 - Auditing Internal Control over Financial Reporting

56. CBA Accounting is auditing a large publicly traded company. The audit of internal controls over financial reporting has been properly planned and the auditors have already identified controls to test using a top-down, risk-based approach. What is the next step? Give three examples of procedures that may be completed in the next step in the audit. The next step is testing the design and operating effectiveness of selected controls. For a public company, the auditor must obtain an understanding of the design of controls related to each component of internal control. The procedures the auditor can perform to test the design of specific controls include • inquiring of appropriate management, supervisory, and staff personnel, • inspecting company documents, • observing the application of specific controls, and • tracing a sample of transactions through the information system.

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 6

7-41

Chapter 07 - Auditing Internal Control over Financial Reporting

57. Trumpeter Corporation is a small publicly traded company that specializes in the restoration and sale of fine musical instruments. The audit committee is made up of a CEO from a technology company, a college accounting professor, and a local marketing executive. All are sufficiently independent from management. The audit committee meets three times a year. Each time they meet, a different member, who chooses the topics to discuss, leads each meeting. The audit committee then sends the minutes of their meetings to the company's CFO. Solely from this information, what are your conclusions about this audit committee's role within the control environment? An effective audit committee sets the overall tone for a company's internal control. While it is independent from management, the auditor would probably consider the audit committee to be ineffective. First, there appears to be no clear articulation or understanding of the audit committee's responsibilities. In fact, it is not even clear that the committee discusses relevant topics and issues. There is apparently little interaction with key members of financial management; the only interaction consists of delivering a report of each meeting. In addition, there is no apparent interaction with the internal audit function, if there is one. The auditor would probably consider this lack of control as a significant deficiency and a strong indicator of a material weakness.

AACSB: Communications AICPA BB: Legal AICPA FN: Risk Analysis Bloom's: Analysis Difficulty: Easy Learning Objective: 10 Learning Objective: 4 Learning Objective: 6

7-42

Chapter 07 - Auditing Internal Control over Financial Reporting

58. Identify indicators of a material weakness in internal control over financial reporting. Indicators of a material weakness in ICFR include (see Table 7-7): • Identification of fraud, whether or not material, committed by senior management; • Restatement of previously issued financial statements to reflect the correction of a material misstatement; • Identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR; and • Ineffective oversight of the company's external financial reporting and ICFR by the company's audit committee.

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Easy Learning Objective: 10 Learning Objective: 4

59. AS5 requires that the auditor appropriately document the processes, procedures, judgments, and results relating to the audit of internal control. Specifically, what must this documentation include? The auditor's documentation must include the auditor's understanding and evaluation of the design of each of the components of the entity's internal control over financial reporting. The auditor also documents the process used to determine and the points at which misstatements could occur within, significant accounts, disclosures, and major classes of transactions. The auditor must justify and document the extent to which he or she relied upon work performed by others. Finally, the auditor must describe the evaluation of any deficiencies discovered, as well as any other findings that could result in a modification to the auditor's report.

AACSB: Communications AICPA BB: Legal AICPA FN: Reporting Bloom's: Knowledge Difficulty: Moderate Learning Objective: 13

7-43

Chapter 07 - Auditing Internal Control over Financial Reporting

60. What is wrong with the following report on internal control over financial reporting for AB Corporation? The auditor believes an unqualified opinion on the effectiveness of internal control over financial reporting is warranted. Report of Registered Public Accounting Firm We have audited AB Corporation's internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). ABC's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on the company's internal control over financial reporting based on our audit. We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. A company's internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements. In our opinion, ABC maintained, in all material respects, effective internal control over financial reporting as of December 31, 2009, based on criteria established in Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We have also audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated financial statements of ABC, and our report dated February 20, 2010 expressed an unqualified opinion. Protzman & Hull Morgan Hill, CA February 10, 2010

7-44

Chapter 07 - Auditing Internal Control over Financial Reporting

First, the title of the report should include the word "independent." Second, the report should include a paragraph stating that, because of inherent limitations, internal control over financial reporting may not prevent or detect misstatements and that projections of any evaluation of effectiveness to future periods are subjected to certain risks and uncertainties. Finally, the date of both the auditor's report on the company's financial statements and the auditor's report on the company's internal control over financial reporting should be the same.

AACSB: Communications AICPA BB: Industry AICPA FN: Reporting Bloom's: Analysis Difficulty: Moderate Learning Objective: 14

7-45

Chapter 07 - Auditing Internal Control over Financial Reporting

61. On the audit of Technology Unlimited, a leading manufacturer of computer chips, the external audit staff discovers that the internal audit staff has performed extensive evaluation and testing on the control environment. What should the external auditors do to determine the extent to which they may use the work of the internal audit staff? Can the external audit staff rely on the internal audit staff for evaluating and testing the control environment? The auditor should also evaluate the competence and objectivity of the individuals who performed the work. Internal auditors are generally expected to have greater competence and objectivity than other company personnel. If internal auditors have performed an extensive amount of relevant work and the auditor determines they possess a high degree of competence and objectivity, the auditor can rely on the results of their work to the extent possible while still providing the principal evidence for his or her opinion. The auditor should also evaluate the nature of the controls subjected to the work of others. As the risk of material misstatement in the accounts and disclosures addressed by the control, the degree of judgment required to evaluate the operating effectiveness of the control, the pervasiveness of the control and the potential for management override increase in significance, the auditor should increase his or her own work on those controls and decrease reliance on the work of others. The external auditor should test some of the work performed by others to evaluate the quality and effectiveness of their work. In performing this, the auditor should evaluate such factors as the scope of their work, the adequacy of their work programs, the adequacy of the work performed, the appropriateness of their conclusions, and the consistency of their reports with the work performed. Even considering these steps, the auditor is not permitted to rely on the work of others in evaluating and testing the control environment. The auditor must perform enough of the testing that his or her own work provides the principal evidence for the auditor's opinion.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Application Difficulty: Moderate Learning Objective: 7

7-46

Chapter 07 - Auditing Internal Control over Financial Reporting

62. Information Nation has two hundred locations spread across the fifty states. Twenty of the locations are considered to be individually important, but fifty of the locations are not important even when aggregated from the others. Five locations deal with foreign exchange trading. These locations are not considered important, but they are important when aggregated with the other locations. As an auditor, discuss the considerations involved in testing multiple locations and group the locations accordingly (provide how many locations are included in each group). Include the treatment that each group should receive from the auditor. First, the auditor should determine which locations are individually important. There are twenty locations and the auditor should evaluate documentation and test controls over relevant assertions for significant accounts at each location. Second, the auditor should determine the locations with specific risks. Foreign exchange trading is normally considered a specific risk. Of the 180 locations left, five have specific risks. For these, the auditor should evaluate documentation and test controls over specific risks. Of the 175 locations left, the auditor should next determine which are not important even when aggregated with others. This group includes fifty locations. No further action is required for such units. Now 125 locations are left. The auditor should determine if there are documented companylevel controls over this group. If there are, the auditor should evaluate documentation and test company-level controls over the group. If documented company-level controls are not present, some testing of controls at individual locations is required.

AACSB: Analytic AICPA BB: Industry AICPA FN: Decision Making Bloom's: Analysis Difficulty: Moderate Learning Objective: 14

7-47

Chapter 07 - Auditing Internal Control over Financial Reporting

63. Discuss the differences between a control deficiency, a significant deficiency, a material weakness, and the two dimensions of the control deficiency - likelihood and magnitude. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when: (1) a control necessary to meet the relevant control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met. Significant Deficiency. A significant deficiency is a control deficiency, or combination of control deficiencies, in ICFR that is less sever than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. Material Weakness. A material weakness is a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. Likelihood and Magnitude. According to the above definitions, in judging the significance of a control deficiency, management and the auditor must consider two dimensions of the deficiency: likelihood and magnitude. The definition of material weakness includes the phrase "reasonable possibility." This term is to be interpreted using the guidance in ASC Topic 450, Contingencies. Accordingly, the likelihood of an event is a "reasonable possibility" if it is either reasonably possible or probable. Magnitude refers to the size of the potential misstatement that could occur due to the deficiency. In determining whether it is reasonably possible that a financial statement misstatement resulting from a deficiency is material, the auditor relies on the same concept of materiality as is used in determining financial statement materiality.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Comprehension Difficulty: Moderate Learning Objective: 4

7-48

Chapter 07 - Auditing Internal Control over Financial Reporting

64. Discuss entity-level controls and provide examples of these types of controls. Entity-level controls can have a pervasive effect on the entity's ability to meet the COSO control criteria. If general controls are not effective, the specific controls are probably unreliable. Entity-level controls addressing management's ability to override specific controls are thus of central importance. The pervasiveness of entity-level controls suggests that it may be appropriate for the auditor to test and evaluate them before evaluating the other aspects of internal control over financial reporting. However, testing entity-level controls alone is not sufficient for the purpose of expressing an opinion on the effectiveness of an entity's internal control over financial reporting. Examples of entity-level controls include: 1. Controls within the control environment, which includes the tone at the top, assignment of authority and responsibility, consistent policies and procedures, and company-wide programs that apply to all locations and business units (such as codes of conduct and fraud prevention). 2. Controls over management override. 3. Management's risk assessment process. 4. Centralized processing and controls, including shared service environments. 5. Controls to monitor results of operations. 6. Controls to monitor other controls, including activities of the internal audit function, the audit committee and self-assessment programs. 7. The period-end financial reporting process. 8. Policies that address significant business control and risk management practices.

AACSB: Communications AICPA BB: Industry AICPA FN: Decision Making Bloom's: Comprehension Difficulty: Moderate Learning Objective: 5

7-49

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF