AUD 2.08 - Risk Assessment 2

  1. True / False: If the auditor does not rely on internal controls, then the auditor doesn't need to obtain an understanding of the internal controls
  2. What are the 3 objectives of every entity?
    • Effectiveness and efficiency of operations
    • Compliance with applicable laws and regulations
    • Reliability of financial reporting
  3. At which stage of the audit process must the auditor obtain an understanding of the entity's internal control: (1) engagement letter, (2) assessment of risk, (3) planning of the audit, (4) execution of the audit, (5) forming the opinion, (6) reporting on the opinion
    Planning of the Audit
  4. What are the 5 components of internal control and a brief description
    • C-R-I-M-E
    • (1) Control environment = overall tone of the organization, management's participation
    • (2) Risk assessment by management for lying, stealing, cheating
    • (3) Information and Communications systems = recording transactions and communicating responsibilities
    • (4) Monitoring = assessing the performance of internal control over time
    • (5) Existing control policies and procedures
  5. True / False: The auditor is required to understand each element of the 5 components of internal control as it relates to financial reporting.
  6. What types of items are included in the control environment
    • Management's "tone at the top"
    • Written policy statements
    • Written codes of conduct
    • Management's actions to reduce occurrence of unethical acts, including willingness to raise difficult questions
    • Management's reaction to violations
    • Commitment to competence
    • Organizational structure
    • HR policies
  7. What types of management behavior might indicate increased risk regarding the control environment
    • Mgmt is consumed with meeting the budget (pressure)
    • Mgmt is dominated by one person (opportunity for mgmt override)
    • Mgmt compensation is contingent on the entity's financial performance (rationalization)
  8. What situations may increase risk within an entity to prepare and fairly present GAAP-based FS?
    • (don't need to know them all)
    • Change in the regulatory or operating environment
    • New or modified information systems
    • Rapid expansion of operations
    • Incorporation of new technology
    • New business models, products, processes, segments
    • Corporate restructuring
    • New personnel
    • Foreign operations
  9. Define the internal control communication system
    • Written procedures, oral instruction, and modeling by management that
    • provide an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
  10. What is the purpose of monitoring for internal control
    • Evaluate the quality of performance over time and
    • take necessary corrective actions.
  11. Which existing control activities are relevant to an audit?
    • P-A-I-D   T-I-P-S
    • Prenumbered documents
    • Authorization of transactions before commitment of resources
    • Independent checks
    • Documentation
    • ******
    • Timely financial performance reviews (analytical procedures)
    • Information processing controls
    • Physical controls to safeguard assets
    • Segregation of duties
  12. What are a few examples of independent checks?
    • Review of bank reconciliations
    • Comparison of subsidiary records to control accounts
    • Comparison of physical inventory counts to perpetual records
  13. What are a few examples of timely financial performance reviews?
    • Comparison of actual to budget
    • Cross-checking using financial (revenues) to nonfinancial (ticket sales) information
    • Cross-checking of differing activities (sales reports vs receivables reports)
  14. What is the purpose of information processing controls and what are the two main categories of controls?
    • Purpose: to ensure that individual transactions are valid, properly authorized, and accurate.
    • Application controls apply to the processing of individual transactions
    • General controls apply to company-wide integration.
  15. What is the purpose of physical controls and provide some examples.
    • Purpose: The use of security devices to limit access to programs and assets, including computer facilities.
    • Preventive Examples: protective devices, lock boxes, keypad or badge entry devices, requiring authorized pre-numbered forms, passwords.
    • Detective Examples: periodic counting and comparison of actual vs recorded assets, review of logs.
  16. Which 3 duties should always be segregated?
    • A-R-C
    • Authorization
    • Recording or record keeping
    • Custody of related assets
  17. True / False: The auditor is responsible to review all internal controls.
    • False
    • The auditor is responsible for all internal controls related to the prevention, detection or correction of material misstatements
  18. What must be determined when evaluating the design of an internal control?
    Whether it is capable, individually or in combination with other controls, of preventing, detecting, or correcting material misstatements.
  19. What must be determined when evaluating the implementation of an internal control?
    • Does the control exist and is it being used.
    • ** Does the user know about the control?
    • ** Does the user have knowledge of how the procedure should be performed?
  20. What procedures can be used to obtain evidence about the design and implementation of internal controls?
    • Inquiry of personnel
    • Observation of the application of controls
    • Reperformance of the procedure
    • Inspection of documents and reports created using the procedure
    • Performing a walk-through
  21. True / False: Talking to (inquiry) of entity personnel regarding the existence of and knowledge about internal controls provides sufficient evidence of design and implementation.
    • False
    • Observation, inspection or walk-throughs must also be performed
  22. What is the purpose of a walk-through?
    To trace transactions relevant to financial reporting through the accounting system from inception through to presentation in the FS
  23. What are the two methods of walk-through?
    • (1) trace a single transaction from inception to reporting on the FS, OR
    • (2) Identify the key steps from inception to reporting on the FS for a class of transactions, then perform risk assessment procedures for each step, such as testing a specific transaction (but not the same transaction) at each step.
  24. What 4 methods may be used to document the auditor's understanding of the internal control?
    • F-I-N-D
    • Flowchart
    • Internal control questionnaire or checklist
    • Narrative summary (hard to see weaknesses)
    • Documentation provided by the client, such as their procedure manual
  25. Which symbols are used in a flowchart for the following: (1) document or report, (2) computer process, (3) keyed entry, (4) tape file, (5) disk file, (6) display, (7) manual process, (8) decision, (9) data such as journal or general ledger, (10) on-page connector, (11) off-page connector, (12) paper file
    • (1) rectangle with French-curve bottom
    • (2) rectangle
    • (3) rectangle with angled top
    • (4) filled Q
    • (5) cylinder
    • (6) rectangle with (L) side arrow and (R) side curve
    • (7) trapezoid
    • (8) diamond
    • (9) parallelogram
    • (10) circle
    • (11) broad down arrow
    • (12) inverted triangle
  26. True / False: A well designed and implemented internal control system will provide absolute assurance that financial reporting will be accurate.
    • False
    • It will only provide reasonable assurance.
  27. What are the 3 inherent limitations of internal control, regardless of how well designed and implemented.
    • Management override of internal control
    • Human error
    • Deliberate circumvention by collusion of 2+ people
  28. When are manual controls superior to automated controls?
    • When the transactions require judgment or discretion, such as
    • ** large, unusual or nonrecurring transactions
    • ** potential misstatements are difficult to define or predict
    • ** frequent changes in circumstances occur
  29. When are automated controls superior to manual controls?
    • With high volume or recurring transactions
    • When control activities can be adequately designed for automation
  30. What is the difference between an IT general vs application control?
    • General Controls: Relate to many applications, or the proper operation of the information system.
    • Application Controls: apply to the input, processing and output of individual transactions.
  31. What types of controls are considered general controls, and what are a few examples.
    • Control over data center and network operations
    • System software acquisition
    • System maintenance
    • Access security
    • Examples: passwords, change management procedures, backup or recovery, administrative rights to the network
  32. What types of controls are considered application controls, and what are a few examples.
    • Administrative rights to a program
    • Checking mathematical accuracy of records
    • Maintaining and reviewing account & trial balances
    • Automated checks of input data
    • Creation of exception reports and manual follow-up of such
  33. True / False: Everyone must have a system of internal control based on a standardized framework.
    • True for issuers via SOX; not required for nonissuers
    • COSO is the common standardized framework (C-R-I-M-E)
  34. Just to remember: If the IT system constantly updates and doesn't retain previous records, the auditor may not be able to retrieve earlier evidence and it negatively impacts the NET of the audit
    The IT system could make it impossible to resolve the detection risk through substantive testing alone; therefore, the auditor must test the control system as well.
  35. When it comes to an IT system, which roles (employee jobs) should be segregated, including not having supervisory authority?
    • C-O-P-A-L
    • Control group
    • Operators
    • Programmers
    • Analysts (system)
    • Librarian
  36. What is meant by an internal control's substance over form?
    The internal control exists (form), but the control must be operating effectively, including management's enforcement of their use (substance).
  37. In which situation are services performed by another organization not considered to be part of the client's information system?
    If the services provided are limited to executing transactions that are specifically authorized by the client.
Becker Review 2017