Internal Control Fundamentals

Collected By : Ch.
Yasir
Chapter 07 - Internal Control
Chapter 07
Internal Control
Chapter 07 Internal Control
True / False Questions
1. Internal control is concerned with the reliability of financial information.
o
TRUE
nf
r.i
Difficulty: Easy
ne
2. The Foreign Corrupt Practices Act prohibits bribes to foreign corporate officials to obtain
business.
or
FALSE
c
es
Difficulty: Hard
e
3. Incompatible duties exist when an employee is in a position to perpetrate and conceal errors
oy
or fraud.
TRUE
pl
m
Difficulty: Easy
.e
4. Internal auditors should preferably report to the chief accounting officer of the company.
FALSE
w
w
Difficulty: Medium
w
5. Well-designed internal control will prevent all fraud by top management.

FALSE
Difficulty: Easy
7-2
1 Share By : Faisal Qureshi
Collected By : Ch. Yasir
6. CPA firms may use written narratives to describe internal control in their audit working
papers.
TRUE
Difficulty: Easy
7. The auditors' communication of internal control significant deficiencies should be
o
addressed only to senior management of the company.
nf
FALSE
r.i
ne
Difficulty: Easy
8. If the auditors' assessment of the design of internal control reveals that it cannot be relied
or
upon, the auditors are not required to prepare any documentation of internal control for their
working papers.
FALSE c
e es
Difficulty: Medium
oy
9. The relatively low number of types of transactions incurred by small firms makes the
pl
segregation of duties impossible.

FALSE
m
.e
Difficulty: Easy
w
10. In a financial statement audit, CPAs are required to assess the operating effectiveness of
w
most significant accounting oriented controls.

FALSE
w
Difficulty: Medium
Multiple Choice Questions
7-3
11. Which of the following matters would an auditor most likely consider to be a significant
deficiency to be communicated to the audit committee?
A. Management's failure to renegotiate unfavorable long-term purchase commitments.
B. Recurring operating losses that may indicate going concern problems.
C. Evidence of a lack of objectivity by those responsible for accounting decisions.
D. Management's current plans to reduce its ownership equity in the entity.
o
Difficulty: Medium
Source: AICPA
nf
r.i
12. In assessing the objectivity of a client's internal auditors, the CPA would be most likely to
consider internal auditor:
ne
A. Education levels.
B. Experience.
C. Organizational status within the company.
or
D. Training and supervisory skills.
c
es
Difficulty: Medium
e
13. In a financial statement audit performed following AICPA Professional Standards, how
oy
frequently must an auditor test operating effectiveness of controls that appear to function as
they have in past years and on which the auditor wishes to rely upon in the current year?
A. Monthly.
pl
B. Each audit.
C. At least every second audit.
m
D. At least every third audit.

.e
w
Difficulty: Medium
w
w
7-4
14. After obtaining an understanding of internal control and arriving at a preliminary assessed
level of control risk, an auditor decided to perform tests of controls. The auditor most likely
decided that:
A. Additional evidence to support a reduction in the assessed level of control risk is not
available.
B. An increase in the assessed level of control risk is justified for certain financial statement
assertions.
C. It would be efficient to perform tests of controls that would result in a reduction in planned
substantive procedures.
o
D. There were many internal control deficiencies that would allow misstatements to enter the
nf
accounting system.
r.i
Difficulty: Hard
ne
Source: AICPA
or
15. Which of the following is least likely to be evidence of operating effectiveness of
controls?
A. Cancelled supporting documents.
B. Confirmations of accounts receivable.
c
es
C. Records documenting usage of computer programs.
D. Signatures on authorization forms.
e
oy
Difficulty: Hard
pl
16. Which of the following is not ordinarily a procedure for documenting an auditor's
m
understanding of internal control for planning purposes?

A. Checklist.
.e
B. Flowchart.
C. Questionnaire.
w
D. Confirmation.
w
w
Difficulty: Easy
7-5
17. Tests of controls do not ordinarily address:

A. By whom a control was applied.
B. How a control was applied.
C. The consistency with which a control was applied.
D. The cost effectiveness of the way a control was applied.
Difficulty: Hard
o
nf
18. Which is most likely when the assessed level of control risk increases?
A. Change from performing substantive procedures at year-end to an interim date.
r.i
B. Perform substantive procedures directed inside the entity rather than tests directed toward
parties outside the entity.
ne
C. Use the maximum number of dual purpose tests.
D. Use larger sample sizes for substantive procedures.
Difficulty: Medium
c or
es
19. Which of the following must the auditor communicate to the audit committee?
A. Significant deficiencies and material weaknesses.
e
B. Only significant deficiencies.

oy
C. Only material weaknesses.

D. Neither significant deficiencies nor material weaknesses.
pl
m
Difficulty: Medium
.e
20. A client's internal control appears strong, but the CPA has elected not to perform any tests
w
of controls. The planned assessed level of control risk is at what level?

A. Zero.
w
B. Low.
C. Moderate.
w
D. Maximum.
Difficulty: Hard
7-6
21. Which of the following would be least likely to be regarded as a test of a control?
A. Tests of the additions to property by physical inspection.
B. Comparisons of the signatures on cancelled checks to the authorized check signer list.
C. Tests of signatures on purchase orders.
D. Recalculation of payroll deductions.
Difficulty: Hard
o
nf
22. Which of the following is not considered one of the five major components of internal
control?
r.i
A. Risk assessment.
B. Segregation of duties.
ne
C. Control activities.
D. Monitoring.
Difficulty: Medium
c or
es
23. Which of the following statements is correct concerning the understanding of internal
control needed by auditors?
e
A. The auditors must understand the information system, not the accounting system.
oy
B. The auditors must understand monitoring and all preliminary accounting controls.
C. The auditors must have a sufficient understanding to assess the risks of material
misstatement.
pl
D. The auditors must understand the control environment, risk assessment, and all control
activities.
m
.e
Difficulty: Easy
w
w
24. The effectiveness of controls is not generally tested by:

A. Inspection of documents and reports.
w
B. Performance of analytical procedures.

C. Observation of the application of accounting policies and procedures.
D. Inquiries of appropriate client personnel.
Difficulty: Medium
7-7
25. On financial statement audits, it is required that the auditors obtain an understanding of
internal control, including:
A. Its operating effectiveness.
B. Whether it has been implemented (placed in operation).
C. Performing tests of controls for all material controls.
D. Its ability to provide reasonable assurance.
o
Difficulty: Medium
nf
26. A significant deficiency:
r.i
A. Differs from a material weakness in that it involves internal control over operations rather
than internal control over financial reporting.
ne
B. Involves an amount of discovered misstatements greater than the amount used as the
planning measure of materiality.
C. Is identical to a material weakness except that it need not be communicated to those
or
responsible for oversight of the company's financial reporting.
D. Is less severe than a material weakness.
c
es
Difficulty: Medium
e
oy
27. This organization developed a set of criteria that provide management with a basis to
evaluate controls not only over financial reporting, but also over the effectiveness and
efficiency of operations and compliance with laws and regulations:
pl
A. Foreign Corrupt Practices Corporation.

B. Committee of Sponsoring Organizations.
m
C. Cohen Commission.
D. Financial Accounting Standards Board.
.e
w
Difficulty: Medium
w
w
7-8
28. Which of the following is most likely to be considered a risk assessment procedure
relating to internal control?
A. Confirm accounts receivable.
B. Perform a test of a control relating to payroll.
C. Take test counts of the year-end inventory.
D. Trace a transaction through the information system relevant to financial reporting.
o
Difficulty: Hard
nf
29. Which statement is correct concerning the definition of internal control developed by the
r.i
Committee of Sponsoring Organizations (COSO)?
A. Its applicability is largely limited to internal auditing applications.
ne
B. It is recognized in the Statements on Auditing Standards.
C. It emphasizes the effectiveness and efficiency of operations over the reliability of financial
reporting.
or
D. It suggests that it is important to view internal control as an end product as contrasted to a
process or means to obtain an end.
c
es
Difficulty: Hard
e
oy
30. The definition of internal control developed by the Committee of Sponsoring

Organizations (COSO) includes controls related to the reliability of financial reporting, the
effectiveness and efficiency of operations, and:
pl
A. Compliance with applicable laws and regulations.

B. Effectiveness of prevention of fraudulent occurrences.
m
C. Safeguarding of entity equity.

D. Incorporation of ethical business practice standards.
.e
w
Difficulty: Medium
w
w
7-9
31. Which statement is correct concerning the relevance of various types of controls to a
financial statement audit?
A. An auditor may ordinarily ignore the consideration of controls when a substantive audit
approach is used.
B. Controls over the reliability of financial reporting are ordinarily most directly relevant to
an audit, but other controls may also be relevant.
C. Controls over safeguarding assets and liabilities are of primary importance, while controls
over the reliability of financial reporting may also be relevant.
D. All controls are ordinarily relevant to an audit.
o
nf
Difficulty: Hard
r.i
ne
32. Which of the following is not a component of the control environment?
A. Integrity and ethical values.
B. Risk assessment.
or
C. Commitment to competence.
D. Organizational structure.
c
es
Difficulty: Medium
e
oy
33. Which of the following is not ordinarily considered a factor indicative of increased
financial reporting risk when an auditor is considering a client's risk assessment policies?
A. Salaried sales personnel.
pl
B. Implementation of a new information system.

C. Rapid growth of the organization.
m
D. Corporate restructuring.
.e
w
Difficulty: Medium
w
34. The Sarbanes-Oxley Act of 2002 requires that the audit committee:
w
A. Annually reassess control risk using information from the CPA firm.
B. Be directly responsible for the appointment, compensation and oversight of the work of the
CPA firm.
C. Require that the company's CPA firm rotate the partner in charge of the audit.
D. Review the level of management compensation.
Difficulty: Medium
7-10
35. When tests of controls reveal that controls are operating as anticipated, it is most likely
that the assessed level of control risk will:
A. Be less than the preliminary assessed level of control risk.
B. Equal the preliminary assessed level of control risk.
C. Equal the actual control risk.
D. Be less than the actual control risk.
o
Difficulty: Hard
nf
36. Under which circumstance is it likely that the extent of substantive procedures will be
r.i
expanded beyond that anticipated in the audit plan?
A. The auditors have determined that controls have been implemented (placed in operation)
ne
but, in accordance with the audit plan, have performed no tests of controls.
B. Certain controls do not leave a trail of documentary evidence.
C. Deviation rates were greater than zero and approached anticipated levels.
or
D. The operating effectiveness of certain controls was found to be less than expected,
although no material misstatements were identified.
c
es
Difficulty: Hard
e
oy
37. The provisions of the Foreign Corrupt Practices Act apply to:
A. All U.S. corporations.
B. All U.S. corporations that engage in foreign operations.
pl
C. All corporations that must file under the Securities Exchange Act of 1934.
D. All U.S. partnerships and corporations.
m
.e
Difficulty: Medium
w
w
38. If the auditors do notperform tests of controls for certain assertions:

A. They have performed a substandard audit.
w
B. They are not required to communicate significant deficiencies relating to those accounts to
management and the board of directors.
C. They must issue a qualified opinion.
D. They must assess control risk at the maximum level for those assertions.
Difficulty: Medium
7-11
39. During financial statement audits, the auditors' consideration of their clients' internal
control is integral to both assess the risk of material misstatement and to:
A. Assess inherent risk.
B. Design further audit procedures.
C. Assess compliance with the Foreign Corrupt Practices Act.
D. Provide a reasonable basis for an opinion on compliance with applicable laws.
o
Difficulty: Easy
nf
40. Which of the following comes closest to outlining the auditors' responsibility for
r.i
considering internal control in all financial statement audits?
A. An understanding of the control environment, information and communication, risk
ne
assessment and monitoring is necessary; an understanding of control activities is only
necessary for areas in which the auditor is performing tests of controls.
B. The auditor must obtain an understanding of each of the five internal control components
or
sufficient to assess the risks of material misstatement for the audit.
C. When tests of controls have been performed, control risk must be assessed at a level less
than the maximum. c
es
D. An understanding of the control environment is necessary, but no understanding of the
other components is necessary unless control risk is to be assessed at a level less than the
maximum.
e
oy
Difficulty: Medium
pl
41. Which of the following is not a primary procedure auditors use to obtain sufficient
m
knowledge about the design of the relevant controls and to determine whether they have been
implemented (placed in operation)?
.e
A. Previous experience with the entity.

B. Inquiries of appropriate management personnel.
w
C. Performance of substantive procedures.

w
D. Inspection of document and records.

w
Difficulty: Medium
7-12
42. A control deficiency that is less severe than a material weakness, but important enough to
merit attention by those responsible for oversight of the company's financial reporting is
referred to as a(n):
A. Control deficiency.
B. Inherent limitation.
C. Reportable deficiency.
D. Significant deficiency.
o
nf
Difficulty: Medium
r.i
43. For effective internal control, which of the following functions should not be assigned to
the company's accounting department?
ne
A. Reconciling accounting records with existing assets.
B. Recording financial transactions.
C. Signing payroll checks.
or
D. Preparing financial reports.
c
es
Difficulty: Medium
e
44. Which of the following is not a responsibility that should be assigned to a company's
oy
internal audit department?

A. Evaluating internal control.
B. Approving disbursements.
pl
C. Reporting on the effectiveness of operating segments.

D. Investigating potential merger candidates.
m
.e
Difficulty: Hard
w
w
w
7-13
45. Which of the following is true about the auditors' consideration of internal control in a
financial statement audit?
A. The auditors must assess control risk at a level lower than the maximum.
B. The auditors must prepare a flowchart description of internal control for their working
papers.
C. The auditors must obtain an understanding of the steps in processing major types of
transactions.
D. The auditors must perform tests of controls.
o
nf
Difficulty: Medium
r.i
46. Which of the following is an advantage of describing internal control through the use of a
ne
standardized questionnaire?
A. Questionnaires highlight weaknesses in the system.
B. Questionnaires are more flexible than other methods of describing internal control.
or
C. Questionnaires usually identify situations in which internal control weaknesses are
compensated for by other strengths in the system.
c
D. Questionnaires provide a clearer and more specific portrayal of a client's system than other
es
methods of describing internal control.
e
Difficulty: Medium
oy
47. Which of the following is least likely to be considered a risk assessment procedure
pl
relating to internal control?

A. Counting marketable securities at year-end.
m
B. Inquiries of client personnel.

C. Inspecting documents and reports.
.e
D. Observing the application of specific controls.

w
w
Difficulty: Hard
w
7-14
48. Which of the following is least likely to be considered a risk assessment procedure?
A. Analytical procedures.
B. Inspection of documents.
C. Observation of the counting of inventory.
D. Observation of the performance of certain accounting procedures.
Difficulty: Hard
o
nf
49. Which of the following is not a factor that is considered a part of the client's overall
control environment?
r.i
A. The organizational structure.
B. The information system.
ne
C. Management philosophy and operating style.
D. Board of directors.
Difficulty: Medium
c or
es
50. Which of the following would be least likely to be considered a benefit of effective
internal control?
e
A. Eliminating all employee fraud.

oy
B. Restricting access to assets.

C. Detecting ineffectiveness.
D. Ensuring authorization of transactions.
pl
m
Difficulty: Medium
.e
w
51. After documenting the client's prescribed internal control, the auditors will often perform
a walk-through of each transaction cycle. An objective of a walk-through is to:
w
A. Verify that the controls have been implemented (placed in operation).

B. Replace tests of controls.
w
C. Evaluate the major strengths and weaknesses in the client's internal control.
D. Identify weaknesses to be communicated to management in the management letter.
Difficulty: Medium
7-15
52. The major components of internal control include all of the following, except:
A. Risk assessment.
B. The control environment.
C. Internal auditing.
D. Control activities.
Difficulty: Medium
o
nf
53. Which of the following is correct with respect to control deficiencies discovered during an
audit?
r.i
A. Auditors must communicate and recommend corrections relating to all material
weaknesses in internal control to management.
ne
B. All material weaknesses in internal control should be reported to the audit committee.
C. All such matters must be communicated to the audit committee and regulatory agencies.
D. All control deficiencies are also significant deficiencies.
Difficulty: Hard
c or
es
54. After considering the client's internal control the auditors have concluded that it is well
e
designed and is functioning as anticipated. Under these circumstances the auditors would
oy
most likely:
A. Cease to perform further substantive procedures.
B. Reduce substantive procedures in areas where the internal control was found to be
pl
effective.
C. Increase the extent of anticipated analytical procedures.
m
D. Perform all tests of controls to the extent outlined in the preplanned audit program.
.e
w
Difficulty: Easy
Source: AICPA
w
w
7-16
55. The use of fidelity bonds protects a company from embezzlement loses and also:
A. Minimizes the possibility of employing persons with dubious records in positions of trust.
B. Reduces the company's need to obtain expensive business interruption insurance.
C. Allows the company to substitute the fidelity bonds for various parts of internal control.
D. Protects employees who made unintentional errors from possible monetary damages
resulting from such errors.
o
Difficulty: Medium
Source: AICPA
nf
r.i
56. The independent auditors might consider the procedures performed by the internal
auditors because:
ne
A. They are employees whose work must be reviewed during substantive testing.
B. They are employees whose work might affect the independent auditors' work.
C. Their work impacts upon the cost/benefit tradeoff in evaluating inherent limitations.
or
D. Their degree of independence may be inferred by the nature of their work.
c
es
Difficulty: Medium
Source: AICPA
e
57. In the consideration of internal control, the operating effectiveness of controls is tested
oy
by:
A. Flowcharts verification.
pl
B. Tests of controls.
C. Substantive procedures.
m
D. Decision tables.
.e
Difficulty: Easy
w
Source: AICPA
w
w
7-17
58. The auditors who become aware of an internal control significant deficiency are required
to communicate this to the:
A. Client's legal counsel.
B. Compensation committee.
C. Audit committee.
D. Internal auditors.
o
Difficulty: Medium
Source: AICPA
nf
r.i
59. A material weakness involves an amount that could result in a misstatement that is
A. Smaller than inconsequential.
ne
B. Larger than inconsequential.
C. Tolerable.
D. Material.
Difficulty: Medium c or
es
60. At least what level of probability of a material misstatement is required for a control
e
deficiency to be considered a material weakness?

oy
A. More than remote.

B. Probable.
C. Reasonable possibility.
pl
D. Sufficient.
m
.e
Difficulty: Medium
w
61. A situation in which the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect
w
material misstatements on a timely basis is referred to as a:

w
A. Control deficiency.
B. Material weakness.
C. Reportable condition.
D. Significant deficiency.
Difficulty: Medium
7-18
62. To provide for the greatest degree of independence in performing internal auditing
functions, an internal auditor most likely should report to the:
A. Financial vice-president.
B. Corporate controller.
C. Audit committee.
D. Corporate stockholders.
o
Difficulty: Medium
Source: AICPA
nf
r.i
63. Well-designed internal control that is functioning effectively is most likely to detect an
fraud arising from:
ne
A. The fraudulent action of several employees.
B. The fraudulent action of an individual employee.
C. Informal deviations from the official organization chart.
or
D. Management fraud.
c
es
Difficulty: Medium
Source: AICPA
e
64. The program flowcharting symbol representing a decision is a:

oy
A. Triangle.
B. Circle.
pl
C. Rectangle.
D. Diamond.
m
.e
Difficulty: Medium
Source: AICPA
w
w
65. Controls are not designed to provide assurance that:

A. Transactions are executed in accordance with management's authorization.
w
B. Fraud will be eliminated.

C. Access to assets is permitted only in accordance with management's authorization.
D. The recorded accountability for assets is compared with the existing assets at reasonable
intervals.
Difficulty: Medium
Source: AICPA
7-19
66. The scope of substantive procedures as compared to the scope of tests of controls
generally vary:
A. In a parallel manner.
B. Inversely.
C. Directly.
D. Equally.
o
Difficulty: Medium
Source: AICPA
nf
r.i
67. Which of the following is least likely to be a factor that might indicate to an auditor that
an identified risk of misstatement requires special audit consideration?
ne
A. Complex calculations are involved.
B. The rate of technological change is moderate in the industry.
C. The potential for fraud seems high.
or
D. Various subjective methods of application of a key accounting policy exist.
c
es
Difficulty: Easy
e
68. Which of the following audit tests would be regarded as a test of a control?
oy
A. Tests of the specific items making up the balance in a given general ledger account.
B. Tests confirming receivables.
C. Tests of the signatures on canceled checks to board of director's authorizations.
pl
D. Tests of the additions to property, plant, and equipment by physical inspection.

m
.e
Difficulty: Medium
Source: AICPA
w
69. If the independent auditors decide that the work performed by the internal auditors may
w
have a bearing on their own procedures, they should consider the internal auditors':
A. Competence and objectivity.
w
B. Efficiency and experience.

C. Independence and review skills.
D. Training and supervisory skills.
Difficulty: Medium
Source: AICPA
7-20
70. In the consideration of internal control, the auditor is basically concerned that it provides
reasonable assurance that:
A. Management can not override the system.
B. Operational efficiency has been achieved in accordance with management plans.
C. Misstatements have been prevented or detected.
D. Controls have not been circumvented by collusion.
o
Difficulty: Medium
Source: AICPA
nf
r.i
71. Which of the following is least likely to be considered an appropriate response relating to
risks the auditors identify at the financial statement level?
ne
A. Assign more experienced staff.
B. Incorporate additional elements of unpredictability in the selection of audit procedures.
C. Increase the scope of auditor procedures.
or
D. Emphasize the need to remain neutral, rather than to exercise professional skepticism.
c
es
Difficulty: Easy
e
72. In assessing the competence of a client's internal auditor, an independent auditor most
oy
likely would consider the

A. Internal auditor's compliance with professional internal auditing standards.
B. Client's policies that limit the internal auditor's access to management salary data.
pl
C. Evidence supporting a further reduction in the assessed level of control risk.

D. Results of ratio analysis that may identify unusual transactions and events.
m
.e
Difficulty: Medium
Source: AICPA
w
w
73. Which of the following factors would most likely be considered an inherent limitation to
an entity's internal control?
w
A. The complexity of the information processing system.

B. Human judgment in the decision making process.
C. The ineffectiveness of the board of directors.
D. The lack of management incentives to improve the control environment.
Difficulty: Medium
Source: AICPA
7-21
74. Proper segregation of duties reduces the opportunities to allow any employee to be in a
position to both
A. Journalize cash receipts and disbursements and prepare the financial statements.
B. Monitor internal controls and evaluate whether the controls are operating as intended.
C. Adopt new accounting pronouncements and authorize the recording of transactions.
D. Record and conceal fraudulent transactions in the normal course of assigned tasks.
o
Difficulty: Easy
Source: AICPA
nf
r.i
75. Which of the following is intended to detect deviations from prescribed controls?
A. Substantive procedures specified by a standardized audit program.
ne
B. Tests of controls designed specifically for the client.
C. Analytical procedures as set forth in an industry audit guide.
D. Computerized analytical procedures tailored for the configuration of the computer
or
equipment in use.
c
es
Difficulty: Medium
Source: AICPA
e
76. An auditor's purpose for performing tests of controls is to provide reasonable assurance
oy
that:
A. Controls are operating effectively.
pl
B. The risk that the auditor may unknowingly fail to modify the opinion on the financial
statements is minimized.
m
C. Transactions are executed in accordance with management's authorization and access to

assets is limited by a segregation of functions.
.e
D. Transactions are recorded as necessary to permit the preparation of the financial statements
in conformity with generally accepted accounting principles.
w
w
Difficulty: Medium
Source: AICPA
w
7-22
77. Of the following statements about internal control, which one is not valid?
A. No one person should be responsible for the custodial responsibility and the recording
responsibility for an asset.
B. Transactions must be properly authorized before such transactions are processed.
C. Because of the cost/benefit relationship, a client may apply control procedures on a test
basis.
D. Control activities reasonably insure that collusion among employees can not occur.
o
nf
Difficulty: Easy
Source: AICPA
r.i
78. Tests of controls are most likely to be performed when:
ne
A. Controls seem weak and must be properly documented.
B. Inadequate substantive procedures exist to restrict audit risk to an acceptable level.
C. The auditor wishes to assess control risk at the maximum.
or
D. The client's control environment appears weak.
c
es
Difficulty: Hard
e
79. Which of the following would be least likely to be included in an auditor's tests of
oy
controls?
A. Inspection.
B. Observation.
pl
C. Inquiry.
D. Analytical procedures.
m
.e
Difficulty: Medium
Source: AICPA
w
w
80. The internal control provisions of the Sarbanes-Oxley Act of 2002 apply to which
companies in the United States:
w
A. All companies.
B. SEC registrants.
C. Only those companies included in the Fortune 500.
D. All nonpublic companies.
Difficulty: Medium
7-23
81. An integrated audit performed under Section 404b of the Sarbanes-Oxley Act addresses
financial statements and:
A. Compliance with laws.
B. Internal control over asset safeguarding.
C. Internal control over financial reporting.
D. Suitable criteria.
o
Difficulty: Medium
nf
82. A report on internal control performed in accordance with PCAOB Standard No. 2
r.i
includes an opinion on internal control for:
A. The entire year.
ne
B. The prior quarter.
C. The "as of date."
D. The end of each quarter.
Difficulty: Hard
c or
es
83. When performing an audit of internal control under PCAOB requirements, auditors
e
evaluate control:
oy
pl
m
A. Option A
.e
B. Option B
C. Option C
w
D. Option D
w
w
Difficulty: Medium
7-24
84. When performing an internal control audit under PCAOB requirements, one or more
material weaknesses in internal control that exist at year-end may result in what type of
report(s):
o
A. Option A
nf
B. Option B
C. Option C
r.i
D. Option D
ne
Difficulty: Hard
or
85. When performing an internal control audit under PCAOB standards, one or more material
c
weaknesses in internal control that exist at year-end may result in what type of report(s):
e es
oy
A. Option A
B. Option B
pl
C. Option C
D. Option D
m
.e
Difficulty: Medium
w
w
w
7-25
Essay Questions
86. Independent auditors should consider the work of internal auditors in their assessment of
control risk.
a. Are internal auditors independent of management? Explain.
b. What is the difference between the primary objective of the independent auditors and that
of internal auditors? Explain.
c. Discuss the factors that should be considered by the independent auditors in deciding how
o
much, if any, reliance should be placed on the work of the internal auditors.
nf
a. No. However, internal auditors may achieve independence from departments they evaluate
by reporting to a senior officer or the board of directors.
r.i
b. The independent auditors' objective is to express an opinion on the client's financial
statements. The internal auditors' primary objective is to aid management in achieving the
ne
most efficient and effective administration of the business.
c. In deciding the degree of reliance to be placed on the work of the internal auditors, the
or
independent auditors should consider the competence and objectivity of the internal auditors,
and evaluate their work.
c
es
Difficulty: Hard
e
87. Auditors are required to consider a client's internal control.

oy
a. Describe the two purposes of the auditors' consideration of a client's internal control.
b. Even the best internal control has certain limitations. List three of those limitations.
pl
a. The auditors' consideration of their clients' internal control is integral to both (1) to assess
m
the risks of material misstatement in the financial statements and (2) to design the nature,
timing and extent of further audit procedures.
.e
b. The limitations of internal control include (only three required):

Carelessness.
w
Misunderstanding of instructions.
Top management may override the system
w
Collusion among employees may circumvent controls dependent upon segregation of duties.
Cost considerations often limit the effectiveness of the design of the structure.
w
Difficulty: Medium
7-26
88. When considering a client's internal control, the auditors focus on its various
characteristics. For each of the following characteristics indicate the auditors' responsibility
under generally accepted auditing standards and the procedures used to meet that
responsibility.
a. The design of internal control.
b. Controls have been implemented (placed in operation).
c. The operating effectiveness of controls.
a. The auditors have a responsibility to obtain an understanding of internal control that is
o
sufficient to plan the audit. An understanding of the design of the structure is obtained by
nf
inspecting control manuals, organization charts, and job descriptions, and by interviewing
client personnel.
r.i
b. The auditors have a responsibility to determine whether significant internal control policies
and procedures are implemented (placed in operation) in every audit. The auditors may
ne
determine whether the controls have been implemented (placed in operation) by observation,
inspection, and inquiry. Walk-through tests may also be used.
c. The auditors have a responsibility to determine the operating effectiveness of controls that
or
provide the basis for the auditors' assessment of control risk at levels below the maximum.
The auditors use observation, inspection, inquiry, and reperformance to test the operating
effectiveness of controls. c
e es
Difficulty: Medium
oy
pl
m
.e
w
w
w
7-27
89. Assume that you have assessed inherent risk for an audit area at a very high level. While
obtaining an understanding of internal control, you have determined that it appears to be very
strong. Nonetheless, due to the large number of transactions involved, you have chosen not to
test controls in the area.
a. At what level will the planned assessed level of control risk be established?
b. Describe the scope of tests of controls that will be performed.
c. At what level will the assessed level of control risk be established?
d. What must be documented in the working papers relating to internal control?
e. At what level will detection risk be established?
o
f. Describe the required scope of substantive procedures, if any. Make certain to discuss
nf
details of likely nature, timing and extent.
r.i
a. Maximum, High or Highest.
b. None will be performed (because control risk is being assessed at the maximum level).
ne
c. Maximum, High or Highest
d. Control risk assessed at maximum (or high or highest) level. The auditor need not
document the reason for assessing control risk at the maximum (we delete points from scores
or
of students who state that the auditor needs to document the reason).
e. Minimum, low, or lowest
c
f. Nature--External sources rather than internal Timing--Year-end testing rather than interim
es
testing. Extent--Greatest extent
e
Difficulty: Hard
oy
pl
m
.e
w
w
w
7-28
Chapter 10
Internal Control
Multiple-Choice Questions
1. Which of the following is responsible for establishing a private companys internal control?
easy a. Management.
a b. Auditors.
c. Management and auditors.
d. Committee of Sponsoring Organizations.
o
2. Which of the following is not one of the three primary objectives of effective internal control?
nf
easy a. Reliability of financial reporting
d b. Efficiency and effectiveness of operations
r.i
c. Compliance with laws and regulations
d. Assurance of elimination of business risk.
ne
3. (Public) The Public Company Accounting Oversight Board states that reasonable assurance allows a:
easy a. small likelihood of ineffective internal controls.
b b. remote likelihood that material misstatements will not be prevented or detected by
or
internal control.
c. likelihood that material misstatements will not be prevented or detected by internal
control.
c
d. high likelihood that material misstatements will not be prevented or detected by
es
internal control.
4. Two key concepts that underlie managements design and implementation of internal control
e
easy are:
c a. costs and materiality.
oy
b. absolute assurance and costs.

c. inherent limitations and reasonable assurance.
d. collusion and materiality.
pl
5. Internal controls can never be considered as absolutely effective because:

m
easy a. their effectiveness is limited by the competency and dependability of employees.

a b. not all organizations have internal audit departments.
c. controls are designed to prevent and detect only material misstatements.
.e
d. internal controls prevent separation of duties.

w
6. A major control available in a small company, which might not be feasible in a big company, is:
easy a. a wider segregation of duties.
w
d b. a voucher system.
c. fewer transactions to process.
d. the owner-managers personal interest and close relationship with personnel.
w
7. (Public) Which of the following is responsible for establishing internal controls for a public company?
easy a. Management.
a b. The PCAOB.
c. Management and auditors.
d. Committee of Sponsoring Organizations.
8. Which of the following parties provides an assessment of the effectiveness of internal control
medium over financial reporting for public companies?
a
Arens/Elder/Beasley

Management Financial statement auditors

a. Yes Yes
b. No No
c. Yes Yes
d. No No
9. An act of two or more employees to steal assets or misstate records is frequently referred to as:
easy a. collusion.
a b. a material weakness.
c. a control deficiency.
d. a significant deficiency.
o
10. When the auditor attempts to understand the operation of the accounting system by tracing a
easy few transactions through the accounting system, the auditor is said to be:
nf
c a. tracing.
b. vouching.
r.i
c. performing a walk-through.
d. testing controls.
ne
11. (SOX) Which section of the Sarbanes-Oxley Act requires management to issue an internal control
easy report?
c a. 202
or
b. 203
c. 404
d. 408
c
es
12. (SOX) Sarbanes-Oxley requires management to issue an internal control report that includes two
easy specific items. Which of the following is one of these two requirements?
a a. A statement that management is responsible for establishing and maintaining an adequate
e
internal control structure and procedures for financial reporting.

b. A statement that management and the board of directors are jointly responsible for
oy
establishing and maintaining an adequate internal control structure and procedures for
financial reporting.
c. A statement that management, the board of directors, and the external auditors are jointly
pl
responsible for establishing and maintaining an adequate internal control structure and
procedures for financial reporting.
m
d. A statement that the external auditors are solely responsible.
13. (SOX) When management is evaluating the design of internal control, management evaluates whether
.e
easy the control can do which of the following?

c
w
Detect material misstatements Correct material misstatements

a. Yes Yes
w
b. No No
c. Yes No
w
d. No Yes
14. (SOX) Internal control reports issued by public companies must identify the framework used to
easy evaluate the effectiveness of internal control. Which of the following is the most common
b framework in the U.S.?
a. Effective Internal Control Framework - AICPA
b. Internal Control - Integrated Framework - COSO
c. Enterprise Internal Control - COSO
d. Enterprise Internal Control - AICPA
15. (Public) When one material weakness is present at the end of the year, management of a public company
Arens/Elder/Beasley

easy must conclude that internal control over financial reporting is:
c a. insufficient.
b. inadequate.
c. ineffective.
d. inefficient.
16. (Public) The auditors tests to understand the clients internal controls might include which of the
easy following types of procedures?
a
Observation of employees Inquiries of personnel
a. Yes Yes
b. No No
c. Yes No
o
d. No Yes
nf
17. Which of managements concerns with respect to implementing internal controls is the auditor
easy primarily concerned?
r.i
b a. Efficiency of operations.
b. Reliability of financial reporting.
c. Effectiveness of operations.
ne
d. Compliance with applicable laws and regulations.
18. Which of the following activities would be least likely to strengthen a companys internal
or
easy control?
b a. Separating accounting from other financial operations.
c
b. Maintaining insurance for fire and theft.
c. Fixing responsibility for the performance of employee duties.
es
d. Carefully selecting and training employees.
19. (Public) Management must disclose material weaknesses in internal control:

e
medium a. whenever the weakness is deemed significant to a single class of transactions.

c b. whenever the weakness is significant to overall financial reporting objectives.
oy
c. if the weakness exists at the end of the year.

d. only if the auditor identifies the weakness as significant.
pl
20. When auditing a private company, the auditor should obtain an understanding of internal control
easy sufficient to:
m
b a. provide reasonable protection against client fraud and defalcations by client employees.
b. assess control risk.
c. provide a basis for suggestions to the client for improving the accounting system.
.e
d. provide a method for safeguarding assets, checking the accuracy and reliability of
accounting data, promoting operational efficiency, and encouraging adherence to
w
prescribed managerial policies.

w
21. (Public) The initial presumption in the audit of a public company is that control risk is:
medium a. low.
w
a b. moderate.
c. high.
d. low or moderate, but not high.
22. In the audit of a private company, the auditor will test controls when control risk is initially
assessed at:
medium
c Low Moderate High
a. Yes No Yes
b. No No Yes
c. Yes Yes No
Arens/Elder/Beasley

d. No Yes No
23. (Public) The auditors study of a public companys internal control is:
medium a. required by GAAS.
c b. required by the AICPA.
c. required by the Sarbanes-Oxley Act.
d. recommended by the AICPA.
24. The auditors consideration of a private companys internal control is:

medium a. required by GAAP.
b b. required by GAAS.
c. required by the IRS.
d. recommended by the SEC.
o
25. Internal controls can never be regarded as completely effective. Even if company personnel
nf
medium could design an ideal system, its effectiveness depends on the:
d a. adequacy of the computer system.
r.i
b. proper implementation by management.
c. ability of the internal audit staff to maintain it.
d. competency and dependability of the people using it.
ne
26. Even with the most effectively designed internal control, the auditor must obtain audit evidence,
medium beyond testing the controls, for every:
or
c a. transaction.
b. financial statement account.
c. material financial statement account.
c
d. financial statement account that will be relied upon by third parties.
es
27. The essence of an effectively controlled organization lies in the:
medium a. effectiveness of its independent auditor.
e
d b. effectiveness of its internal auditor.

c. attitude of its employees.
oy
d. attitude of its management.
28. (Public) To issue a report on internal control over financial reporting for a public company, an auditor
pl
medium must:
c a. evaluate managements assessment process.
m
b. independently assess the design and operating effectiveness of internal control.

c. evaluate managements assessment process and independently assess the design and
operating effectiveness of internal control.
.e
d. test controls over significant account balances.

w
29. (Public) Which of the stock exchanges require listed companies to have an audit committee composed
medium entirely of independent directors?
w
a
NYSE NASDAQ
w
a. Yes Yes
b. No No
c. Yes No
d. No Yes
30. Which of the following factors may increase risks to an organization?

Medium
a Geographic dispersion of
company operations Presence of new information technologies
a. Yes Yes
Arens/Elder/Beasley

b. No No
c. Yes No
d. No Yes
31. Which of the following statements is correct with respect to separation of duties?
medium a. Employees should not have temporary and permanent custody of assets.
b b. Employees who authorize transactions should not have custody of related assets.
c. It is permissible to allow an employee to open cash receipts and record those receipts.
d. Employees who authorize transactions should have recording responsibility for these
transactions.
32. Authorizations can be either general or specific. Which of the following is not an example of a
medium general authorization?
o
b a. Automatic reorder points for raw materials inventory.
b. A sales managers authorization for a sales return.
nf
c. Credit limits for various classes of customers.
d. A sales price list for merchandise.
r.i
33. The most important type of protective measure for safeguarding assets is:
medium a. adequate separation of duties among personnel.
ne
c b. proper authorization of transactions.
c. the use of physical precautions.
d. adequate documentation.
or
34. Which of the following is correct with respect to the design and use of business documents?
medium a. Not all documents used for internal purposes need to be prenumbered.
a c
b. Documents should be designed for single purposes only to avoid confusion in their use.
es
c. Documents should be designed to be understandable only by those who use them.
d. Documents designed for external use must be prenumbered.
e
35. (Public) PCAOB Standard 2 requires auditors to evaluate the effectiveness of the audit committees
medium oversight of the companys:
oy
a
External financial Efficiency of Internal control over financial
reporting operations reporting
pl
a. Yes No Yes
b. No No Yes
m
c. Yes Yes No
d. No Yes No
.e
36. Which of the following is correct?

medium a. Approval is a policy decision implemented by employees.
w
c b. Approval occurs as a matter of general policy and includes significant transactions only.
c. Authorization is a policy decision for either a general class of transactions or specific
w
transactions.
d. Approval should be given by the employee responsible for recording the transaction.
w
37. Which of the following principles is not necessary for the proper design and use of documents
medium and records?
a a. Designed for a single use to increase efficiency of operations.
b. Constructed in a manner that encourages correct preparation.
c. Prepared at the time a transaction takes place.
d. Designed for multiple uses to increase efficiency of operations.
38. Narratives, flowcharts, and internal control questionnaires are three common methods of:
medium a. testing the internal controls.
b b. documenting the auditors understanding of internal controls.
Arens/Elder/Beasley

c. designing the audit manual and procedures.

d. documenting the auditors understanding of a clients organizational structure.
39. _____ deal with ongoing or periodic assessment of the quality of internal control by
medium management.
b a. Quality monitoring activities
b. Monitoring activities
c. Oversight activities
d. Management activities
40. (Public) Smaller public companies face challenges implementing effective internal control due to
medium ______.
c a. a lack of expertise
o
b. reduced importance
c. limited resources
nf
d. limited available guidance
r.i
41. Which of the following is not one of the levels of an absence of internal controls?
medium a. Major deficiency.
a b. Material weakness.
ne
c. Significant deficiency.
d. Control deficiency.
or
42. Which of the following is the correct definition of control deficiency?
medium a. A control deficiency exists if the design or operation of controls does not permit company
a personnel to prevent or detect misstatements on a timely basis.
c
b. A control deficiency exists if one or more deficiencies exist that adversely affect a
es
companys ability to prepare external financial statements reliably.
c. A control deficiency exists if the design or operation of controls results in a more than
remote likelihood that controls will not prevent or detect misstatements.
e
d. A control deficiency exists if the design or operation of controls results in a more than
probable likelihood that controls will prevent or detect misstatements.
oy
43. A(n) _______ deficiency exists if a necessary control is missing or not properly formulated.
medium a. control
pl
c b. significant
c. design
m
d. operating
44. To determine if significant internal control deficiencies are material weaknesses, they must be
.e
medium evaluated on their:

a
w
Likelihood Significance
a. Yes Yes
w
b. No No
c. Yes No
w
d. No Yes
45. The purpose of an entitys accounting information and communication system is to ______.
medium
d Record and
Monitor process
transactions transactions Initiate transactions
a. Yes Yes Yes
b. No No No
c. Yes No No
d. No Yes Yes
Arens/Elder/Beasley

46. A procedure that would most likely be used by an auditor in performing tests of control
medium procedures that involve segregation of functions and that leave no transaction trail is:
b a. inspection.
b. observation.
c. reperformance.
d. reconciliation.
47. If the results of tests of controls support the design and operations of controls as expected, the
medium auditor uses ____ control risk as the preliminary assessment.
b a. a lower
b. the same
c. a higher
o
d. either a lower or higher
nf
48. Internal controls normally include procedures designed to provide reasonable assurance that:
medium a. employees act with integrity when performing their assigned tasks.
r.i
b b. transactions are executed in accordance with managements authorization.
c. decision processes leading to managements authorization of transactions are sound.
d. collusive activities would be detected by segregation of employee duties.
ne
49. Which of the following is correct?
medium a. A significant deficiency is always a material weakness.
or
d b. A control deficiency is always a material weakness.
c. A material weakness is less significant that a control deficiency.
d. A material weakness is always a significant deficiency.
c
es
50. Which of the following is not a likely procedure to support the operating effectiveness of internal
medium controls?
d a. Inquiry of client personnel.
e
b. Observation of control-related activities.

c. Reperformance of client procedures.
oy
d. Completing an internal control questionnaire.
51. (Public) Before making the final assessment of internal control at the end of an integrated audit, the
pl
medium auditor must:

a
m
Test controls Perform substantive tests of details

a. Yes Yes
b. No No
.e
c. Yes No
d. No Yes
w
52. (Public) Significant deficiencies and material weaknesses in internal control of a public company must
w
medium be reported to which of the following?

c a. The Public Company Accounting Oversight Board.
w
b. Members of management who are responsible for the related area of the company.
c. Audit committee of the companys board of directors.
d. The AICPA.
53. Of the following statements about internal controls, which one is not valid?
medium a. No one person should be responsible for the custodial responsibility and the recording
d responsibility for an asset.
b. Transactions must be properly authorized before such transactions are processed.
c. Because of the cost-benefit relationship, a client may apply controls on a test basis.
d. Control procedures reasonably ensure that collusion among employees cannot occur.
Arens/Elder/Beasley

54. Which of the following best describes the inherent limitations that should be recognized by an
medium auditor when considering the potential effectiveness of internal control?
a a. Procedures that depend on segregation of duties can be circumvented by collusion.
b. Competent and honest client personnel provide an environment conducive to accounting
control and provide absolute assurance that effective control will be achieved.
c. Procedures designed to assure the execution and recording of transactions in accordance
with proper authorizations are effective against irregularities perpetrated by management.
d. The benefits expected to be derived from effective internal accounting control usually do
not exceed the costs of such control.
55. Which of the following is not one of the subcomponents of the control environment?
medium a. Managements philosophy and operating style.
c b. Organizational structure.
o
c. Adequate separation of duties.
d. Commitment to competence.
nf
56. It is important for the CPA to consider the competence of the clients personnel because their
r.i
medium competence bears directly and importantly upon the:
b a. cost/benefit relationship of the system of internal control.
b. achievement of the objectives of internal control.
ne
c. comparison of recorded accountability with assets.
d. timing of the tests to be performed.
or
57. Audit evidence concerning proper segregation of duties normally is best obtained by:
medium a. direct personal observation of the employee who applies control procedures.
a b. making inquiries of co-workers about the employee who applies control procedures.
c
c. preparation of a flowchart of duties performed and available personnel.
es
d. inspection of third-party documents containing the initials of who applied control
procedures.
e
58. Proper segregation of functional responsibilities calls for separation of:

medium a. authorization, execution, and payment.
oy
b b. authorization, recording, and custody.

c. custody, execution, and reporting.
d. authorization, payment, and recording.
pl
59. Internal controls are not designed to provide reasonable assurance that:
m
medium a. all frauds will be eliminated.

a b. transactions are executed in accordance with managements authorization.
c. access to assets is permitted only in accordance with managements authorization.
.e
d. company personnel comply with applicable rules and regulations.

w
60. Which of the following statements about auditor documentation of the clients internal controls
medium is correct?
w
d a. Documentation must include flow charts.

b. Documentation must include procedural write-ups.
w
c. No documentation is necessary although it is desirable.

d. No one particular form of documentation is necessary.
61. Significant deficiencies are matters that come to an auditors attention and should be
medium communicated to an entitys audit committee because they represent:
b a. material frauds perpetrated by high-level management.
b. internal control deficiencies that could adversely affect a companys ability to initiate,
record, process, or report external financial statements reliably.
c. flagrant violations of the entitys documented conflict-of-interest policies.
d. intentional attempts by client personnel to limit the scope of the auditors field work.
Arens/Elder/Beasley

62. How must significant deficiencies and material weaknesses be communicated to those charged
medium with governance?
c a. Either oral or written communication is acceptable.
b. Oral communication is required.
c. Written communication is required.
d. Written communication is required for material weaknesses, but oral communication is
allowed for significant deficiencies.
63. Which of the following statements, if any, is correct?

challenging a. The NASDAQ market requires listed companies to have audit committees that have only
a independent directors.
b. The NASDAQ market requires listed companies to have audit committees that have a
minority of the positions held by independent directors.
o
c. The NASDAQ market recommends, but does not require, listed companies to have audit
committees.
nf
d. The NASDAQ market recommends, but does not require, listed companies to have audit
committees that have a minority of the positions held by independent directors.
r.i
64. (SOX) The Sarbanes-Oxley Act requires:
challenging a. all public companies to issue reports on internal controls.
ne
a b. all public companies to define adequate internal controls.
c. the auditor of public companies to design effective ICFR.
d. the auditor of public companies to provide recommendations to correct material
or
weaknesses.
65. When considering internal control, an auditor should be aware of the concept of reasonable
challenging c
assurance, which recognizes that the:
es
d a. segregation of incompatible functions is necessary to ascertain that internal control is
effective.
b. employment of competent personnel provides assurance that the objectives of internal
e
control will be achieved.

c. establishment and maintenance of internal control is an important responsibility of the
oy
management and not of the auditor.

d. costs of internal control should not exceed the benefits expected to be derived from
internal control.
pl
66. The financial statements are not likely to correctly reflect GAAP if the:
m
challenging a. controls affecting the reliability of financial reporting are inadequate.

a b. companys controls do not promote efficiency.
c. companys controls do not promote effectiveness.
.e
d. companys control do not promote compliance with applicable rules and regulations.
w
67. The primary emphasis by auditors is on controls over:

challenging a. classes of transactions.
w
a b. account balances.
c. both a and b, because they are equally important.
w
d. both a and b, because they vary from client to client.
68. Compared to a public company, the most important difference in a nonpublic company in
challenging assessing control risk is the ability to assess control risk at _______ for any or all control-related
objectives.
d a. low
b. moderately low
c. medium
d. high
69. An auditor should consider two key issues when obtaining an understanding of a clients
Arens/Elder/Beasley

challenging internal controls. These issues are:

c a. the effectiveness and efficiency of the controls.
b. the frequency and effectiveness of the controls.
c. the design and utilization of the controls.
d. The implementation and efficiency of the controls.
70. The independent auditor should acquire an understanding of the internal audit function as it
challenging relates to the independent auditors study and evaluation of internal control because the:
c a. audit programs, working papers, and reports of internal auditors can often be used as a
substitute for the work of the independent auditors staff.
b. procedures performed by the internal audit staff may eliminate the independent auditors
need for an extensive study and evaluation of internal control.
c. work performed by internal auditors may be a factor in determining the nature, timing, and
o
extent of the independent auditors procedures.
d. understanding of the internal audit function is an important substantive test to be
nf
performed by the independent auditor.
r.i
71. To be effective, an internal audit department must be independent of:
challenging a. operating departments.
c b. the accounting department.
ne
c. both a and b.
d. either a or b, but not both.
or
72. Hanlon Corp. maintains a large internal audit staff that reports directly to the chief financial
challenging officer. Audit reports prepared by the internal auditors indicate that the system is functioning as
d it should and that the accounting records are reliable. An independent auditor will probably:
a. eliminate tests of controls. c
es
b. increase the depth of the study and evaluation of administrative controls.
c. avoid duplicating the work performed by the internal audit staff.
d. place limited reliance on the work performed by the internal audit staff.
e
73. External financial statement auditors must obtain evidence regarding what attributes of an
oy
challenging internal audit (IA) department if the external auditors intend to rely on IAs work?
d a. Integrity
b. Objectivity
pl
c. Competence
d. All of the above
m
74. When planning an audit, the auditors assessed level of control risk is:
challenging a. determined by using actuarial tables.
.e
c b. calculated by using the audit risk model.

c. an economic issue, trading off the costs of testing controls against the cost of testing
w
balances.
d. calculated by using the formulas provided in the AICPAs auditing standards.
w
75. When a compensating control exists, the absence of a key control:

w
challenging a. is no longer a concern because there is no longer a significant deficiency or material

a weakness.
b. is still a major concern to the auditor.
c. could cause a material loss, so it must be tested using substantive procedures.
d. is magnified and must be removed from the sampling process and examined in its entirety.
76. After considering a clients internal controls, an auditor has concluded that it is well designed
challenging and is functioning as intended. Under these circumstances the auditor would most likely:
c a. perform tests of controls to the extent outlined in the audit program.
b. determine the control procedures that should prevent or detect errors and irregularities.
c. not increase the extent of predetermined substantive tests.
Arens/Elder/Beasley

d. determine whether transactions are recorded to permit preparation of financial statements

in conformity with generally accepted accounting principles.
77. To obtain an understanding of an entitys control environment, an auditor should concentrate on

challenging the substance of managements policies and procedures rather than their form because:
a
a. management may establish appropriate policies and procedures but not act on them.
b. the board of directors may not be aware of managements attitude toward the control
environment.
c. the auditor may believe that the policies and procedures are inappropriate for that
particular entity.
d. the policies and procedures may be so weak that no reliance is contemplated by the
auditor.
o
nf
Essay Questions
r.i
78. Describe each of the three broad objectives management typically has for internal control. With
medium which of these objectives is the auditor primarily concerned?
ne
Answer:
The three objectives are:
or
Reliability of financial reporting. Management has both a legal and professional
responsibility to be sure that the information is fairly presented in according with
reporting requirements such as GAAP.
c
Efficiency and effectiveness of operations. Controls within an organization are meant
es
to encourage efficient and effective use of its resources to optimize the companys
goals.
Compliance with laws and regulations. Public and non-public organizations are
e
required to follow many laws and regulations. Some relate to accounting only
indirectly, such as environmental protection and civil rights laws. Others are closely
oy
related to accounting, such as income tax regulations and fraud.
The auditor is primarily concerned with the objective of reliable financial reporting.
pl
m
79. Briefly describe the responsibilities of management and external auditors for internal controls.
medium
Answer:
.e
Management is responsible for establishing and maintaining the entitys internal controls.
w
For public companies, management is also required by Section 404 to publicly report on
the operating effectiveness of those controls. In contrast, the auditors responsibilities
include understanding and testing internal control over nancial reporting. For public
w
company clients, the auditor is also required by Section 404 to issue an audit report on
managements assessment of its internal controls, including the auditors opinion on the
w
operating effectiveness of those controls.
80. (Public) There are four steps in the auditors process of understanding internal control and assessing
medium control risk for a public company. Step one is obtain and document an understanding of
internal control: design and operation. What are the remaining three steps?
Arens/Elder/Beasley

Answer:
The remaining three steps are:
Assess control risk.
Design, perform, and evaluate tests of controls.
Decide planned detection risk and substantive tests.
81. Certain principles dictate the proper design and use of documents and records. Briefly describe
medium several of these principles.
Answer:
Documents should be prenumbered consecutively to facilitate control over missing
o
documents and as an aid in locating documents when they are needed at a later date.
Documents and records should be prepared at the time a transaction takes place, or as
nf
soon as possible thereafter, to minimize timing errors.
Documents and records should be designed for multiple uses, when possible, to
r.i
minimize the number of different forms. For example, a properly designed and used
shipping document can be the basis for releasing goods from storage to the shipping
ne
department, informing billing of the quantity of goods to bill to the customer and the
appropriate billing date, and updating the perpetual inventory records.
Documents and records constructed in a manner that encourages correct preparation.
or
This can be done by providing internal checks within the form or record. For example,
a document might include instructions for proper routing, blank spaces for
authorizations and approvals, and designated column spaces for numerical data.
c
es
82. Managements identification and analysis of risk is an ongoing process and is a critical
medium component of effective internal control. An important first step is for management to identify
e
factors that may increase risk. Identify at least five factors, observable by management, which
may lead to increased risk in a typical business organization.
oy
Answer:
There are many factors that may lead to increased risk in an organization. Some examples
pl
include:
failure to meet prior objectives,
decreasing quality of personnel,
m
increasing geographic dispersion of company operations,

increasing significance and complexity of core business processes,
.e
introduction of new information technologies, and

entrance of new competitors.
w
w
83. During a financial statement audit of a private company, three steps must be completed by the
medium auditor before concluding that control risk is low. What are these steps?
w
Answer:
The three steps that must be completed by the auditor before concluding that control risk is
low are:
1. obtaining an understanding of the control environment, risk assessment procedures,
accounting information and communication system, and monitoring methods at a
fairly detailed level;
2. identify specific controls that will reduce control risk and make an assessment of
control risk; and
3. test the effectiveness of controls.
Arens/Elder/Beasley

84. What are the two primary factors that auditors consider in determining if an entity is auditable?
medium
Answer:
The two primary factors are the integrity of management and the adequacy of accounting
records.
85. Define the following terms: control deficiency, significant deficiency, and material weakness.
medium
Answer:
A control deciency exists if the design or operation of controls does not permit
o
company personnel to prevent or detect misstatements on a timely basis.
nf
A signicant deciency exists if one or more control deciencies exist that results in
more than a remote likelihood that a misstatement that is more than inconsequential
r.i
will not be prevented or detected.
A material weakness exists if a signicant deciency, by itself, or in combination with
ne
other signicant deciencies, results in a more than remote likelihood that internal
control will not prevent or detect material nancial statement misstatements.
or
86. Describe three inherent limitations of internal control.
medium
Answer: c
The effectiveness of internal controls depends on the competency and dependability of the
es
people using it. Inherent limitations of internal control include:
employee carelessness,
lack of understanding,
e
management override, and

oy
collusion.
pl
87. The internal control framework developed by COSO includes five so-called components of
medium internal control. Discuss each of these five components.
m
Answer:
Five components of internal control are:
.e
The control environment. The control environment consists of the actions, policies,
and procedures that reflect the overall attitudes of top management about control and
w
its importance to the company.

Risk assessment. This is managements identification and analysis of risks relevant to
w
the preparation of financial statements in accordance with GAAP.

Information and communication. This is the set of manual and/or computerized
w
procedures that identifies, assembles, classifies, analyzes, records, and reports a

companys transactions and maintains accountability for the related assets.
Control activities. These are the policies and procedures that help ensure necessary
actions are taken to address risks in the achievement of the companys objectives.
Monitoring. This is managements ongoing and periodic assessment of the quality of
internal control performance to determine that controls are operating as intended and
modified when needed.
Arens/Elder/Beasley

88. Discuss what is meant by the term control environment and identify four control environment
medium subcomponents that the auditor should consider.
Answer:
The control environment consists of the actions, policies, and procedures that reflect the
overall attitudes of top management, directors, and owners of an entity about control and
its importance to the entity. Subcomponents include integrity and ethical values,
commitment to competence, board of directors or audit committee participation,
managements philosophy and operating style, organizational structure, assignment of
authority and responsibility and human resource policies and practices.
89. Describe the auditors responsibilities related to communications regarding internal control
o
challenging matters.
nf
Answer:
The auditor must communicate signicant deciencies and material weaknesses in writing
r.i
to those charged with governance as soon as they become aware of their existence. The
communication is usually addressed to the audit committee and to management. Timely
ne
communications may provide management an opportunity to address control deciencies
before managements report on internal control must be issued. In some instances,
deciencies can be corrected sufciently early such that both management and the auditor
can conclude that controls are operating effectively as of the balance sheet date.
90.
challenging
c or
The text suggested a five-step approach to identify deficiencies, significant deficiencies, and
material weaknesses. Describe this approach.
es
Answer:
e
1. Identify existing controls. Because deciencies and material weaknesses are the
oy
absence of adequate controls, the auditor must rst know which controls exist.
2. Identify the absence of key controls. Internal control questionnaires, owcharts, and
walkthroughs are useful tools to identify where controls are lacking and the likelihood
pl
of misstatement is therefore increased.

3. Consider the possibility of compensating controls. A compensating control is one
elsewhere in the system that offsets the absence of a key control. When a
m
compensating control exists, there is no longer a signicant deciency or material

weakness.
.e
4. Decide whether there is a signicant deciency or material weakness. The

likelihood of misstatements and their materiality are used to evaluate if there are
signicant deciencies or material weaknesses.
w
5. Determine potential misstatements that could result. This step is intended to identify
specic misstatements that are likely to result because of the signicant deciency or
w
material weakness. The importance of a signicant deciency or material weakness is

directly related to the likelihood and materiality of potential misstatements.
w
Arens/Elder/Beasley

91. Auditing standards related to the audits of private companies specify the extent to which
challenging auditors can rely on evidence about internal controls obtained in prior years. Briefly describe
this guidance.
Answer:
When auditors plan to use evidence about the operating effectiveness of internal control
obtained in prior audits, SAS 110 requires them to test their effectiveness at least every
third year. If auditors determine that a key control has been changed since it was last
tested, they should test it in the current year. When there are a number of controls tested in
prior audits that have not been changed, SAS 110 requires auditors to test some of those
controls each year to ensure there is a rotation of controls testing throughout the three-year
period.
o
92. Adequate separation of duties is an important control activity. Discuss the four general
nf
challenging guidelines for separation of duties to prevent both intentional and unintentional misstatements
that are of significance to auditors.
r.i
Answer:
ne
The general guidelines are:
Custody of assets should be separated from accounting,
Authorizing transactions should be separated from custody of related assets,
Operational responsibility should be separated from record-keeping, and
or
Duties within IT should be separated.
c
es
Other Objective Answer Format Questions
e
93. Match seven of the terms (a-i) with the definitions provided below (1-7):
medium a. Control environment
oy
b. Control activities
c. Independent checks on performance
d. Internal control
pl
e. Monitoring
f. Separation of duties
m
g. General authorization
h. Specific authorization
i. Risk assessment
.e
e 1. Managements ongoing and periodic assessment of the quality of internal

w
control performance to determine that controls are operating as intended and

modified when needed.
w
g 2. Company-wide policies for the approval of all transactions within stated

w
limits.
a 3. The actions, policies, and procedures that reflect the overall attitudes of top
management, directors, and owners of an entity about control and its
importance to the entity.
f 4. Segregation of the following activities in an organization: custody of assets,

accounting, authorization, and operational responsibility.
Arens/Elder/Beasley

i 5. Managements identification and analysis of risks relevant to the preparation

of financial statements in accordance with generally accepted accounting
principles.
b 6. Policies and procedures that help ensure necessary actions are taken to address
risks in the achievement of the entitys objectives.
d 7. A process designed to provide reasonable assurance regarding the

achievement of managements objectives in the following categories: (1)
reliability of financial reporting, (2) effectiveness and efficiency of operations,
and (3) compliance with applicable laws and regulations.
o
nf
94. If, when obtaining an understanding of control activities of a relatively small client, the auditor
easy identified no control activities, the auditor would probably set a high assessment of control risk.
a a. True
r.i
b. False
95. If, when obtaining an understanding of control activities of a relatively small client, the auditor
ne
easy identified no control activities, the auditor would probably determine the client were
a unauditable.
a. True
or
b. False
96. When internal controls are effective, then substantive audit tests are more reliable; thus, the
easy
b
c
extent of substantive tests should be reduced.
a. True
es
b. False
97. Auditors of private companies may rely on prior periods tests of controls for a period not to
e
easy exceed four years.

oy
b a. True
b. False
pl
98. In an audit of a non-public company, the less control risk there is, the smaller the amount of
easy planned substantive evidence that is required.
a a. True
m
b. False
.e
99. As a clients information system becomes more complex, it is likely that an auditor will
easy decrease reliance on controls and increase substantive tests to support a control risk assessment.
b a. True
w
b. False
w
100. When a company designs and implements internal controls, cost of the controls is not a valid
easy consideration.
w
b a. True
b. False
101. (Public) PCAOB Standard 2 requires auditors to perform walkthroughs to assist in understanding
easy internal control.
a a. True
b. False
102. Adequate documents and records is a subcomponent of the control environment.

easy a. True
b b. False
Arens/Elder/Beasley

103. For proper internal control, there should be adequate separation of duties. However, the extent
easy of separation of duties considered adequate depends heavily on the size of the organization.
a a. True
b. False
104. In an audit of a non-public company, the auditors assessment of control risk and the extent of
medium tests of controls are inversely related.
a a. True
b. False
105. Smaller companies usually have more extensive internal controls than larger companies which
o
medium result in fewer frauds being committed at small companies.
nf
b a. True
b. False
r.i
106. (Public) To issue an unqualified opinion on internal control over financial reporting, there must be no
medium identified material weaknesses and no restrictions on the scope of the audit.
ne
a a. True
b. False
107. (SOX) The Sarbanes-Oxley Act of 2002 requires that public companies issue an internal control report.
or
medium a. True
a b. False
108.
c
The most important component of internal control is risk assessment.
es
medium a. True
b b. False
e
109. The primary emphasis by auditors when evaluating and testing internal control is on controls
oy
medium over classes of transactions rather than controls over account balances.
a a. True
b. False
pl
110. When internal controls over a given financial statement account are assessed as highly effective,
medium the auditor need not obtain audit evidence for that account beyond testing the controls.
m
b a. True
b. False
.e
111. The chart of accounts is a control and is closely related to the controls related to adequate
medium documents and records.
w
a a. True
b. False
w
112. Auditing standards prohibit reliance on the work of internal auditors due to the lack of
w
medium independence of the internal auditors.

b a. True
b. False
113. If an auditor wishes to rely on the work of internal auditors (IA), the auditor must obtain
medium satisfactory evidence related to the IAs competence, integrity, and objectivity.
a a. True
b. False
Arens/Elder/Beasley

114. Procedures used to obtain an understanding of internal control are normally performed on fewer
medium transactions than procedures used to test controls.
a a. True
b. False
115. For most uses, flowcharts are superior to narratives as a method of communicating the
medium characteristics of internal control.
a a. True
b. False
116. When documenting their understanding of a clients internal controls, auditors are required to
o
medium use narratives.
nf
b a. True
b. False
r.i
ne
c or
e es
oy
pl
m
.e
w
w
w
Arens/Elder/Beasley

Chapter 26
Internal Control
Multiple-Choice Questions
o
1. The IIA Code of Ethics is based on all but which of the following ethical principles?
nf
easy a. Integrity.
b b. Independence.
c. Competency.
r.i
d. Confidentiality.
ne
2. Statements on Internal Auditing Standards are issued by the:
easy a. AICPA.
c b. SEC.
c. Internal Auditing Standards Boards.
or
d. Auditing Standards Boards.
3.
easy
c
Internal auditors are responsible to:
a. the board of directors.
es
c b. management.
c. both a and b.
d. neither a nor b.
e
oy
4. Which of the following is not a similarity between external and internal auditors?
easy a. Both must be independent of the company.
a b. Both must be competent.
c. Both use similar methodologies in performing their work.
pl
d. Both consider risk and materiality in their work.

m
5. External auditors consider internal auditors effective if they are:

easy a. independent of the operating units being evaluated.
.e
d b. competent and well trained.

c. have performed relevant audit tests of the internal controls and financial statements.
d. all of the above.
w
6. Auditing standards _______ external auditors to use the internal auditors for direct assistance on
w
easy the audit.

d a. discourage
w
b. prohibit
c. encourage
d. permit
7. The primary source of authoritative literature for doing government audits is the:
easy a. Purple Book.
b b. Yellow Book.
c. Green Book.
d. Red Book.
Arens/Elder/Beasley

8. When a state or local government agency receives federal financial assistance, it is subject to
easy the audit requirements of:
c
a Yellow Book Single Audit Act OMB Circular A-133
a. Yes Yes No
b. No No Yes
c. Yes Yes Yes
d. Yes No No
9. Which of the following is not one of the broad categories of operational audits?
easy a. Functional audits.
o
c b. Organizational audits.
nf
c. Single Audit Act audits.
d. Special assignment audits.
r.i
10. Which of the following groups could not be involved in an operational audit?
easy a. CPA firms.
ne
d b. Internal auditors.
c. Government auditors.
d. None of the above answers is correct; that is, all of the above could be involved.
or
11. The IIAs professional practice framework (including its code of ethics and International
easy Standards for the Professional Practice of Internal Auditing) is commonly referred to as the:
b a. Blue Book. c
es
b. Red Book.
c. Green Book.
d. Yellow Book.
e
12. The professional organization which is responsible for providing guidance for internal auditors
oy
easy is the:
b a. APA.
b. IIA.
pl
c. ABA.
d. AIA.
m
13. The financial auditing standards of the Yellow Book are ______ the 10 GAAS of the AICPA.
easy a. the same as
.e
d b. quite different from

c. incompatible with
d. consistent with
w
14. Which of the following is not one of the three phases in an operational audit?
w
easy a. Planning.
b b. Training and supervising employees.
w
c. Evidence accumulation and evaluation.

d. Reporting and follow-up.
15. The correct title of the Yellow Book is:

medium a. Government Auditing Standards.
a b. IIA Practice Standards.
c. Statement of Responsibilities of Internal Auditing.
d. Statement of Standards on Accounting and Review Services.
16. The Yellow Book recognizes that, because of the sensitivity of government activities and their
medium public accountability, in government audits the thresholds of acceptable audit risk and tolerable
Arens/Elder/Beasley

b misstatement compared to an audit of a commercial enterprise may be:

a. equal.
b. lower.
c. higher.
d. indeterminable.
17. The Single Audit Act requires that an audit be conducted for recipients who receive total federal
medium funds in any fiscal year of:
b a. $1,000,000 or more.
b. $500,000 or more.
c. $300,000 or more.
o
d. $100,000 or more.
nf
18. An audit conducted in accordance with the Yellow Book must include an audit report that states
medium the audit was performed in accordance with:
r.i
b a. GAAS.
b. GAGAS.
ne
c. GASA.
d. SAS.
or
19. An audit designed to evaluate the efficiency and effectiveness of an organization or some part
medium of an organization would not be called a(n):
d a. performance audit.
b. management audit.
c. operational audit.
c
es
d. compliance audit.
20. Which of the following is not one of the major differences between financial and operational
e
medium auditing?
oy
c a. The financial audit is oriented to the past, but an operational audit concerns performance
for the future.
b. The financial audit report is distributed to many readers, but the operational audit report
pl
goes to a few managers.

c. Financial audits deal with the information on the financial statements, but operational
audits are concerned with the information in the ledgers.
m
d. Financial audits are limited to matters that directly affect the financial statements, but
operational audits cover any aspect of efficiency and effectiveness.
.e
21. Before an operational audit for effectiveness can be performed, there must be:
medium a. a financial audit by an independent auditor.
w
d b. a financial audit by an internal auditor.

c. a review performed by either an independent or an internal auditor.
w
d. specific criteria developed to define effectiveness.

w
22. Auditors involved in planning, performing, or reporting on audits under GAGAS must complete
medium ____ hours of continuing professional education in each two-year period.
d a. 20
b. 40
c. 60
d. 80
23. Which of the following statements regarding types of operational audits is false?
medium a. A functional audit has the advantage of permitting specialization by auditors.
b b. An advantage of functional auditing is its ability to evaluate interrelated functions.
c. The emphasis in an organizational audit is on how efficiently and effectively functions
Arens/Elder/Beasley

interact.
d. Special operational auditing assignments arise at the request of management.
24. The two most important qualities for an operational auditor are:
medium a. personality and appearance.
b b. independence and competence.
c. competence and technical training.
d. academic background and sufficient experience.
25. Which of the following is not a difference between operational auditing and financial auditing?
medium a. Both must be CPAs.
o
a b. Operational audit reports are usually of a restricted distribution while financial audit
nf
reports are widely distributed.
c. Operational audits often cover non-financial issues while financial audits do not.
d. None of the above is a difference.
r.i
26. A typical objective of an operational audit is to determine whether an entitys:
ne
medium a. internal control is adequately operating as designed.
c b. financial statements present fairly the results of operations.
c. specific operating units are functioning efficiently and effectively.
or
b. operational information is in accordance with generally accepted government auditing
standards.
27. c
Which of the following can affect the independence of operational auditors?
es
medium Responsibilities Reporting Structure
d a. Yes No
b. No No
e
c. No Yes
oy
d. Yes Yes
pl
28. Which is not a purpose of an economy and efficiency audit?

challenging a. Whether the entity is acquiring, protecting, and using resources economically and
m
d efficiently.
b. The causes of inefficiencies and uneconomical practices.
c. Whether the entity has complied with laws and regulations concerning matters of economy
.e
and efficiency.
d. Each of the above is a purpose.
w
29. A(n) _________ audit emphasizes how efficiently and effectively functions interact.
w
challenging a. operational
d b. compliance
c. financial
w
d. organizational
30. Which of the following is not a purpose of a program audit as performed by government
challenging auditors?
b a. Determination of the extent to which the desired results established by the legislature are
being achieved.
b. Determination of the causes of inefficiencies in sponsored programs.
c. Determination of the effectiveness of organizations, programs and activities.
d. Determination as to whether the entity has complied with laws and regulations applicable
to the program.
Arens/Elder/Beasley

31. What distinguishes internal control evaluation and testing for financial and operational
challenging auditing?
c a. Purpose of the work.
b. Scope of the work.
c. Both a and b.
d. Neither a nor b.
32. Of the many hours of continuing professional education required every two years, how many
challenging must be in subjects related to the government environment and government auditing for auditors
c involved in planning, performing and reporting on audits under GAGAS?
a. 8 hours
o
b. 16 hours
nf
c. 24 hours
d. 32 hours
r.i
33. To be effective, an internal audit department must report to:
Challenging
ne
b Operating departments The accounting department
a. Yes Yes
b. No No
c. Yes No
or
d. No Yes
34.
challenging
c
External financial statement auditors must obtain evidence regarding what attributes of an
internal audit department if the external auditors intend to rely on the internal auditors work?
es
d
Independence from the Audit Committee Competence
a. Yes Yes
e
b. No No
oy
c. Yes No
d. No Yes
pl
Essay Questions
m
35. What organization establishes auditing standards for internal auditors and what are those
easy standards commonly called?
.e
Answer:
w
Auditing standards for internal auditors are established by the Internal Auditing
Standards Board. They are commonly known as the Red Book.
w
w
36. What are several similarities between internal and external auditors?
medium
Answer:
Both must be competent as auditors and remain objective in performing their work and
reporting their results.
Both follow a similar methodology in performing their audits, including planning and
performing tests of controls and substantive tests.
Both consider risk and materiality in deciding the extent of their tests and evaluating
results. However, their decisions about materiality and risks may differ, because
external users may have different needs than management or the board.
Arens/Elder/Beasley

37. External auditors typically consider internal auditors effective if they meet three criteria. What
medium are these criteria?
Answer:
External auditors typically consider internal auditors effective if they are:
Independent of the operating units being evaluated
Competent and well-trained
Have performed relevant audit tests of the internal controls and financial statements
38. How do the risk and materiality thresholds change in a government audit compared to a
o
medium financial statement audit of a public company?
nf
Answer:
The Yellow Book recognizes that in government audits the thresholds of acceptable audit
r.i
risk and materiality may be lower than in an audit of a commercial enterprise. This is
because of the sensitivity of government activities and their public accountability.
ne
or
39. Discuss each of the three phases of an operational audit.
medium
Answer:
c
Planning. In the planning phase, the auditor must determine the scope of the
es
engagement, staff the engagement, obtain background information about the
organizational unit, understand internal control, and decide on the appropriate
evidence to accumulate.
Evidence accumulation and evaluation. In operational auditing, it is common to use
e
documentation, client inquiry, and observation extensively, while confirmation and

oy
reperformance are used less extensively for most operational audits than for financial
audits.
Reporting and follow-up. The audit report is tailored to address the scope of the audit,
pl
findings, and recommendations and is typically sent only to management. When

recommendations are made to management, follow-up is done to determine whether
m
the recommended changes were made, and if not, why.

.e
40. The Institute of Internal Auditors has established Ethical Principles for its members. List each
medium of the principles.
w
Answer:
The IIAs ethical principles are:
w
Integrity.
Objectivity.
w
Confidentiality.
Competency.
41. Define internal auditing.

medium
Answer:
According to the IIA: Internal auditing is an independent, objective assurance and

consulting activity designed to add value and improve an organizations operations. It
Arens/Elder/Beasley

helps an organization accomplish its objectives by bringing a systematic, disciplined

approach to evaluate and improve the effectiveness of risk management, control, and
governance processes.
42. Discuss three major differences between operational and financial auditing.
medium
Answer:
Purpose of the audit. Financial auditing emphasizes whether historical information
was correctly recorded, whereas operational auditing emphasizes effectiveness and
efficiency.
Distribution of the reports. For financial auditing, the report typically goes to many
o
users of financial statements, such as stockholders and bankers, whereas operational
nf
audit reports are intended primarily for management.
Inclusion of nonfinancial areas in operational auditing. Operational audits cover any
aspect of efficiency and effectiveness in an organization, whereas financial audits are
r.i
limited to matters that directly affect the fairness of financial statement presentations.
ne
43. Discuss each of the three broad categories (types) of operational audits.
or
medium
Answer:
Functional. A functional audit deals with auditing one or more functions (e.g.,
c
purchasing) in an organization.
Organizational. An organizational audit deals with an entire organizational unit, such
es
as a department, branch, or subsidiary.
Special assignments. Special assignments audits arise at the request of management
e
when there is a need to investigate a particular area, such as investigating the

possibility of fraud in a division, or determining the cause of an ineffective EDP
oy
system.
pl
44. Operational auditing is the review of an organization for efficiency and effectiveness. Discuss
medium what is meant by the terms effectiveness and efficiency.
m
Answer:
Effectiveness refers to the degree to which the organizations objectives and goals are
.e
accomplished.
Efficiency refers to the degree to which costs are reduced without reducing
w
effectiveness.
w
45. Audit tests as required by the Single Audit Act must meet several specific objectives. One
challenging objective is to determine whether the amounts reported as expenditures were for allowable
w
services. Identify three other specific objectives.
Answer:
Whether the records show that those who received services or benefits were eligible to
receive them.
Whether matching requirements, levels of effort, and earmarking limitations were
met.
Whether federal financial reports and claims for advances and reimbursements
contain information that is supported by the books and records from which the basic
financial statements have been prepared.
Arens/Elder/Beasley

Whether amounts claimed or used for matching were determined in accordance with
OMB Circular A-87 and OMB Circular A-102.
46. The auditing standards of the Yellow Book are consistent with the ten generally accepted
challenging auditing standards of the AICPA. There are, however, important additions/modifications in the
Yellow Book. For example, the Yellow Book recognizes that materiality and risk are lower due
to the nature of the government enterprise. Discuss the other additions/modifications.
Answer:
Quality control. Auditors of government entities must have an appropriate system of
internal quality control and participate in an external quality control review program.
o
Compliance auditing. The audit should be designed to provide reasonable assurance
nf
of detecting material misstatements resulting from noncompliance with provisions of
contracts or grant agreements that have a material and direct effect on the financial
statements.
r.i
Reporting. The report on financial statements must describe the scope of the auditors
testing of compliance with laws and regulations and internal controls and present the
ne
results of those tests, or refer to a separate report containing that information.
or
47. In addition to an opinion on whether the financial statements are in accordance with GAAP,
challenging identify four other reports required by the OMB Circular A-133.
Answer: c
es
The following reports are required:
An opinion as to whether the schedule of federal awards is presented fairly in all
material respects in relation to the financial statements as a whole.
e
A report on internal control related to the financial statements and major programs.

oy
A report on compliance with laws, regulations, and the provisions of contracts or

grant agreements, noncompliance with which could have a material effect on the
financial statements. This report can be combined with the report on internal control.

pl
A schedule of findings and questioned costs.

m
Other Objective Answer Format Questions

.e
48. Match seven of the terms (a-o) with the descriptions/definitions provided below (1-7):
w
medium
a. Compliance audit
b. Economy and efficiency audit
w
c. Effectiveness
d. Efficiency
w
e. Functional audit
f. Government Auditing Standards
g. Government audit
h. Institute of Internal Auditors
i. Operational auditing
j. Organizational audit
k. Program audit
l. Single Audit Act
m. Special assignment
n. IIA Practice Standards
Arens/Elder/Beasley

o. Statements on Internal Auditing Standards
f 1. The official title of the Yellow Book.
m 2. A management request for an operational audit for a specific purpose, such as

investigating the possibility of fraud in a division or making recommendations
for reducing the cost of a manufactured product.
b 3. A government audit to determine whether an entity is acquiring, protecting, and

using its resources economically and efficiently and whether the entity has
complied with laws and regulations concerning such matters.
o
c 4. The degree to which the organizations objectives are accomplished.
nf
i 5. The review of an organization for efficiency and effectiveness.
r.i
l 6. Federal legislation that provides for a single coordinated audit to satisfy the
audit requirements of all federal funding agencies.
ne
o 7. Statements issued by the Internal Auditing Standards Board of the IIA to
provide authoritative interpretation of the IIA Practice Standards.
or
49. Independence is a fundamental ethical principle for internal auditors.
easy a. True
b b. False c
es
50. Current professional auditing standards prohibit external auditors from using internal auditors
easy for direct assistance on external audits.
b a. True
e
b. False
oy
51. Current professional auditing standards require external auditors to use internal auditors for
easy direct assistance on external audits.
b a. True
pl
b. False
m
52. The objectives of internal auditors are considerably broader than the objectives of external
easy auditors.
.e
a a. True
b. False
w
53. For financial auditing, the audit report typically goes to many users of financial statements,
easy whereas operational audit reports are intended primarily for management.
w
a a. True
b. False
w
54. Integrity is one of the IIAs ethical principles.

easy a. True
a b. False
55. Operational audits are primarily geared toward compliance.

easy a. True
b b. False
56. Effectiveness refers to the degree to which costs are reduced without reducing efficiency.
easy a. True
Arens/Elder/Beasley

b b. False
57. Efficiency refers to the degree to which costs are reduced without reducing effectiveness.
easy a. True
a b. False
58. Internal auditing standards are included in the Yellow Book.

easy a. True
b b. False
59. Government auditing standards are included in the Yellow Book.

easy a. True
o
a b. False
nf
60. Effectiveness is concerned with whether defined goals are achieved, whereas efficiency is
easy concerned with whether the goals are achieved with a minimum use of resources.
r.i
a a. True
b. False
ne
61. Operational audits may be performed by internal auditors and government auditors, but not by
easy external auditors.
b a. True
or
b. False
62. Benchmarking is one source of evaluation criteria for completing an operational audit.
easy
a
a. True
b. False
c
es
63. The two most important qualities for an internal auditor to possess are independence and
easy competence.
e
a a. True
oy
b. False
64. Program audits are primarily focused on inefficient uses of federal funds in sponsored
easy programs.
pl
b a. True
b. False
m
65. The formal name of the Yellow Book is Government Auditing Standards.
.e
easy a. True
a b. False
w
66. Professional guidelines for performing internal audits for companies are not as well-defined as
medium for external audits.
w
a a. True
b. False
w
67. To help them remain independent of the operations they audit, internal auditors should report
medium directly to the controller.
b a. True
b. False
68. An operational auditor may use engineered standards as evaluation criteria.

medium a. True
a b. False
69. The Internal Auditing Standards Board issues Statements on Internal Auditing Standards.
Arens/Elder/Beasley

medium a. True
a b. False
70. Operational audits are often categorized as functional, organizational, or special assignments.
medium a. True
a b. False
71. Internal auditors should have the authority to require implementation of suggestions for
medium improvement.
b a. True
b. False
o
72. The Red Book specifies all auditing standards issued by the U.S. General Accounting Office.
nf
medium a. True
b b. False
r.i
73. One disadvantage of functional auditing is the failure to evaluate interrelated functions.
challenging a. True
ne
a b. False
c or
e es
oy
pl
m
.e
w
w
w
Arens/Elder/Beasley

Internal Control Fundamentals

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internal Control Fundamentals

Uploaded by

Copyright:

Available Formats

Collected By : Ch.

Chapter 07 Internal Control

True / False Questions

1. Internal control is concerned with the reliability of financial information.

5. Well-designed internal control will prevent all fraud by top management.

7. The auditors' communication of internal control significant deficiencies should be

segregation of duties impossible.

most significant accounting oriented controls.

Multiple Choice Questions

D. At least every third audit.

understanding of internal control for planning purposes?

17. Tests of controls do not ordinarily address:

B. Only significant deficiencies.

C. Only material weaknesses.

of controls. The planned assessed level of control risk is at what level?

24. The effectiveness of controls is not generally tested by:

B. Performance of analytical procedures.

A. Foreign Corrupt Practices Corporation.

30. The definition of internal control developed by the Committee of Sponsoring

A. Compliance with applicable laws and regulations.

C. Safeguarding of entity equity.

B. Implementation of a new information system.

38. If the auditors do notperform tests of controls for certain assertions:

A. Previous experience with the entity.

C. Performance of substantive procedures.

D. Inspection of document and records.

internal audit department?

C. Reporting on the effectiveness of operating segments.

relating to internal control?

B. Inquiries of client personnel.

D. Observing the application of specific controls.

A. Eliminating all employee fraud.

B. Restricting access to assets.

A. Verify that the controls have been implemented (placed in operation).

deficiency to be considered a material weakness?

A. More than remote.

material misstatements on a timely basis is referred to as a:

64. The program flowcharting symbol representing a decision is a:

65. Controls are not designed to provide assurance that:

B. Fraud will be eliminated.

D. Tests of the additions to property, plant, and equipment by physical inspection.

B. Efficiency and experience.

likely would consider the

C. Evidence supporting a further reduction in the assessed level of control risk.

A. The complexity of the information processing system.

C. Transactions are executed in accordance with management's authorization and access to

87. Auditors are required to consider a client's internal control.

b. The limitations of internal control include (only three required):

a. The auditors have a responsibility to obtain an understanding of internal control that is

b. absolute assurance and costs.

5. Internal controls can never be considered as absolutely effective because:

easy a. their effectiveness is limited by the competency and dependability of employees.

d. internal controls prevent separation of duties.

28 Share By : Faisal Qureshi

Management Financial statement auditors

internal control structure and procedures for financial reporting.

d. A statement that the external auditors are solely responsible.

easy the control can do which of the following?

Detect material misstatements Correct material misstatements

29 Share By : Faisal Qureshi

19. (Public) Management must disclose material weaknesses in internal control:

medium a. whenever the weakness is deemed significant to a single class of transactions.

c. if the weakness exists at the end of the year.