Chapter 8—INTERNAL CONTROL

MULTIPLE CHOICE

1. The purpose of tests of controls in the examination of the financial statements of an SEC client is to
provide reasonable assurance that the
a Controls can be relied upon.
.
b Client has complied with GAAP.
.
c CPA firm has complied with the quality control standards.
.
d Accounting for transactions is accurate.
.

2. Which of the following is not a component of internal control?

a Monitoring.
.
b Control environment.
.
c Auditor’s business risk.
.
d Information and communication.
.

3. The audit report expressing an opinion on an entity's internal controls should state that the
a Compliance objectives of the client's internal controls are being met.
.
b Inherent limitations of the client's internal controls were examined.
.
c Tests of internal control revealed no deficiencies in the operation of the system.
.
d Establishment and maintenance of internal control is the responsibility of management.
.

4. Which of the following is the correct order for performing the procedures noted?
a Test controls, perform substantive tests, understand the system of internal control.
.
b Understand the system of internal control, test controls, perform substantive tests.
.
c Test controls, understand the system of internal control, perform substantive tests.
.
d Perform substantive tests, test controls, understand the system of internal control.
.

5. Which of the following audit tests is a test of controls?

a Tests of the specific items making up the balance in a financial statement account.
.
b Comparing inventory prices to vendors' invoices.
.
c Comparing signatures on canceled checks to those of authorized check signers.
.

79
 INTERNAL CONTROL 80

d Tests of the additions to property, plant, and equipment by physical inspections.

.

6. Select the true statement regarding the COSO and SEC definitions of internal control over financial
reporting.
a The two definitions are identical.
.
b The SEC definition includes controls over compliance with applicable laws and
. regulations.
c The COSO definition does not apply to public companies.
.
d The COSO definition is broader; i.e., the SEC definition fits within the COSO definition.
.

7. Which of the following is part of the control environment?

a Segregation of duties.
.
b Codes of conduct.
.
c Procedures for initiating transactions.
.
d Monthly bank reconciliations.
.

8. Which of the following statements about the auditor’s responsibilities in public company audits is
true?
a The auditor issues opinions on the financial statements and internal control over financial
. reporting.
b The auditor issues an opinion on the financial statements; if those are found to be fairly
. stated, the auditor proceeds to issue an opinion on internal control over financial
reporting.
c The auditor issues an opinion on the financial statements only if internal control over
. financial reporting is found to be effective.
d The auditor issues an opinion on the financial statements and management issues the
. opinion on internal control over financial reporting.
9. After gaining an understanding and documenting internal control, the auditor may elect to perform
tests on
a Those controls that the auditor plans to rely on.
.
b Those controls for which significant deficiencies have been identified.
.
c Those controls that have a material effect on the financial statement balances.
.
d A random sample of the controls that were reviewed.
.
10. Control risk and the reliance planned for the auditor’s substantive procedures have which of the
following types of relationship?
a Direct.
 INTERNAL CONTROL 81

.
b Unknown.
.
c Inverse.
.
d Parallel.
.
11. Control activities include
a The control environment.
.
b Risks faced by the entity from new technology.
.
c Authorization of purchases of new equipment.
.
d Market share data.
.
12. Audit committees
a Should be appointed by the CEO.
.
b Assist the auditor in the audit of management’s report on internal control.
.
c Should have at least one financial expert on them.
.
d Are most effective when made up of top management, including the CFO.
.
13. The report expressing an opinion on an entity's internal controls does not include a
a Description of the scope of the engagement.
.
b Specific date that the report covers rather than a period of time.
.
c Brief explanation of the broad objectives and inherent limitations of internal control.
.
d Statement that the entity's internal controls are consistent with that of the prior year.
.
14. Which of the following elements is not a part of an entity's internal controls?
a Control risk.
.
b Control activities.
.
c Information and communication systems support.
.
d The control environment.
.

15. In an auditor's consideration of internal control, the completion of a questionnaire is most closely
associated with which of the following?
 INTERNAL CONTROL 82

a Separation of duties.
.
b Understanding the system.
.
c Flowchart accuracy.
.
d Tests of controls.
.

16. Accounting functions that are normally considered incompatible in a manual system are often
combined by computer software. This necessitates an application control that prevents unapproved
a Access to the computer library.
.
b Revisions to existing software.
.
c Usage of software.
.
d Testing of modified software.
.
17. Which of the following is part of risk assessment?
a A foreign subsidiary does not adapt to changes in company procedures.
.
b The client lacks written procedures for initiating sales transactions.
.
c Lack of proper approval of payroll checks.
.
d The client does not reconcile its bank accounts on a regular basis.
.

18. Which of the following is done by an auditor when gaining an understanding of an entity's internal
controls?
a Design the nature, timing, and extent of substantive tests.
.
b Test depreciation for reasonableness.
.
c Identify the types of potential misstatements that might occur.
.
d Initially consider business risk.
.

19. Section 404 of the Sarbanes-Oxley Act requires management to certify that
a The financial statements are fairly presented.
.
b Internal control over compliance activities is effective.
.
c The auditor’s opinion on internal control is fairly stated.
.
d That internal control over financial reporting is effective.
.
 INTERNAL CONTROL 83

20. A material weakness is a condition in which material errors or fraud may occur and not be detected
within a timely period by
a Customers of the organization when they are paying for services.
.
b Certified fraud examiners when called in to investigate fraud.
.
c The external auditor during the annual audit.
.
d Employees in the normal course of performing their functions.
.

21. The auditor is examining copies of sales invoices for the initials of the person checking the extensions.
This is an example of a
a Test of controls.
.
b Substantive test.
.
c Dual-purpose test.
.
d Test of balances.
.

22. A CPA's consideration of internal control in a financial statement audit for a non-SEC client
a Is generally more extensive than that made for an engagement to express an opinion on
. internal control.
b Is the same as for an engagement to express an opinion on internal control.
.
c Results in the CPA expressing an opinion on the internal control.
.
d Is generally more limited than that made for an engagement to express an opinion on
. internal control.

23. After consideration of a client's internal control, an auditor might decide to

a Increase the extent of substantive testing in areas where controls are strong.
.
b Reduce the extent of tests of controls in areas where the controls are strong.
.
c Reduce the extent of both substantive tests and tests of controls in areas where the
. controls are strong.
d Increase the extent of substantive testing in areas where the controls are weak.
.

24. Which of the following is not a purpose of the auditor's consideration of internal control for a non-SEC
client?
a To ascertain if controls may be relied upon.
.
b To assess control risk.
 INTERNAL CONTROL 84

.
c To gain an understanding of internal control.
.
d To determine the time budgeted for controls.
.

25. In the annual report of a public company submitted to the SEC,

a Two reports on the financial statements will be present.
.
b The auditor provides an opinion on the effectiveness of management in achieving the
. entity’s objectives.
c Two reports on internal control over financial reporting will be present.
.
d The report of internal auditors on the effectiveness of internal control is presented.
.

26. Proper segregation of duties is separating the following functions:

a Payment, execution, and authorization.
.
b Custody, execution, and reporting.
.
c Payment, recording, and authorization.
.
d Authorization, execution, and recording.
.

27. A flowchart of a client's internal controls

a Provides documentation of the system of internal control.
.
b Is typically obtained from the client’s internal auditors.
.
c Serves as the audit program for testing of controls.
.
d Illustrates the type of fraud, which may have occurred in the system.
.

28. Which of the following is not true of a client who is required to obtain an auditor’s opinion on internal
control or the auditor performing the engagement?
a The auditor performs the audit in accordance with PCAOB Auditing Standard No. 2.
.
b Management assesses internal control and its report is considered by the auditor in
. developing the internal control opinion.
c The client is a public company.
.
d A different auditor may examine internal control than the one performing the financial
. statement audit.

29. Significant deficiencies in internal control are required to be reported

a Creditors, which the client has debt to.
.
 INTERNAL CONTROL 85

b The audit committee of the board of directors.

.
c Management of the unit in which they occurred.
.
d Internal auditors of the entity.
.

30. After gaining an understanding of a public company’s internal control and arriving at an initial
assessment of control risk at a low level, the next step for the auditor is to
a Determine the timing of substantive tests.
.
b Issue the opinion on internal control.
.
c Consider the most appropriate substantive tests to be performed.
.
d Test controls to be relied upon.
.

31. In an audit of a nonpublic company, the primary objective of obtaining an understanding of internal
control is for the auditor to
a Comply with PCAOB standards.
.
b Be able to assess inherent risk.
.
c Obtain information necessary to plan the audit.
.
d Make the acceptance or continuance decision of the client.
.

32. In an audit of financial statements for a non-SEC company, the auditor considers internal control
a In order to issue an opinion on internal control.
.
b In more detail than if an opinion on internal control is to be issued.
.
c On a more limited basis than if engaged to also issue an opinion on internal control.
.
d To the same extent as if the auditor is issuing a report on internal control.
.

33. The auditor has evaluated the system of internal control and has reached the conclusion that the system
is well designed and is functioning as designed. The next step for the auditor is to
a Issue the opinion on the financial statements.
.
b Increase analytical procedures that are planned in the audit program.
.
c Remove substantive tests from the audit program.
.
d Leave substantive testing as planned for in the audit program.
.

34. The main purpose of the auditor's consideration of internal control for a non-SEC client is to
 INTERNAL CONTROL 86

a Determine the nature, timing, and extent of substantive tests.

.
b Express an opinion on the financial statements.
.
c Develop suggestions for improvements in internal control.
.
d Determine whether fraud has occurred during the year under audit.
.

35. Evidence about segregation of duties is best obtained by

a Studying a flowchart detailing who performs which duties.
.
b Making inquiries of coworkers about which employees performs which duties.
.
c Inspecting conflict of interest policies for segregation of duties procedures.
.
d Observation of employees who perform control activities.
.

36. Which of the following statements about internal control is correct?

a Poor internal control calls for more extensive control tests.
.
b Establishing and maintaining internal control is the internal auditor's responsibility.
.
c Strong control allows the auditor to eliminate substantive tests of details.
.
d The cost-benefit relationship should be considered in designing internal controls.
.
37. A significant deficiency is best defined as
a A violation of the entity's conflict-of-interest policies and code of ethics.
.
b An attempt by the client to limit the scope of the auditor's work in conducting the
. financial statement engagement.
c A deficiency that adversely affects the ability to process transactions in accordance with
. generally accepted accounting principles.
d Fraud or illegal acts committed by management that have a material impact on the
. financial statements.

38. Internal control procedures are designed to provide reasonable assurance that
a The effects of fraud will be eliminated from the financial statements.
.
b Transactions are executed in accordance with management's authorization.
.
c The recorded accountability for assets is compared with the physical assets at intervals of
. five years or more.
d The internal auditors permit access to assets only with approval.
.

39. Which of the following is not true concerning control activities?

a Control procedures are another term for control activities.
.
 INTERNAL CONTROL 87

b Transaction authorization is a control activity.

.
c Control activities generally fall into the two categories of preventive controls and
. detective controls.
d Information and communication is an important component of control activities.
.

40. Auditors trace a transaction through the system

a Via an audit trail.
.
b When making inquiries of the internal auditor.
.
c By making inquiries of the audit committee.
.
d Near the close of the engagement.
.

41. Limiting access to assets and records might be accomplished by

a Audit trails documenting who had authorization to access assets and records.
.
b A control environment, which discourages access to assets and records.
.
c Access codes for those parties with authorization to access assets and records.
.
d Risk assessment of the parties with authorization to access assets and records.
.

42. To be effective, an accounting system should

a Assess the risk that transactions will not be recorded.
.
b Measure the transactions properly.
.
c Include provisions for monthly updates of the accounting software.
.
d Identify and describe significant deficiencies for the auditors.
.

43. Which of the following is not one of the four transaction cycles?
a Expenditure/disbursement.
.
b Risk assessment.
.
c Revenue/receipt.
.
d Conversion.
.
 INTERNAL CONTROL 88

44. Monitoring is accomplished by the client through

a Continuing and periodic evaluations.
.
b SEC reports on the client.
.
c Its Risk Containment department.
.
d Analyst’s report on the stock of the client.
.
45. Which of the following is not true concerning Auditing Standard No. 2 on internal control?
a Management is required to assess internal control.
.
b The audit committee must sign the report regarding internal control.
.
c Management must acknowledge responsibility for internal control.
.
d The auditor of the financial statements must also audit internal control.
.

46. Which of the following is not included in the Form 10-K submitted to the SEC for a public company?
a Management’s acknowledgement of its responsibility to establish and maintain internal
. control.
b The independent auditor’s list of significant deficiencies.
.
c The independent auditor’s report on management’s assessment of internal control.
.
d Management’s 404 certification, which is the assessment of the effectiveness of internal
. control.
47. An effective audit committee
a Is comprised of management with financial expertise.
.
b Meets no more than once a year.
.
c May challenge the financial reporting of the CEO and CFO.
.
d Establishes and distributes policies for access to assets and records.
.

48. Which of the following is not a reason that auditors should understand the information technology of
the client?
a To plan the audit engagement.
.
b To be able to run audit software on the client’s computers.
.
c To have the ability to effectively perform the audit engagement.
.
d To know when to engage specialists for the engagement.
.
 INTERNAL CONTROL 89

49. In making its assessment of internal control under Section 404, management
a Allow internal auditors to perform the assessment and take responsibility for it.
.
b Must support the evaluation with documentation.
.
c Must perform its evaluations on a biennial basis.
.
d May choose to contract with third parties to make the assessment and issue the report.
.

ESSAY

1. Describe what is meant by significant deficiencies

It is considered as a combination of deficiencies or control deficiency that adversely affects

the entity’s process or report of external financial data and significantly merits attention by those
responsible for oversight of the entity's financial reporting.

2. The COSO Report addresses internal control.

a. State the definition of internal control as presented in the COSO report.
It is a process that was designed to provide reasonable assurance, particularly on the
achievement of management objectives such as operational effectiveness and efficiency, and financial
reporting reliability.
b. State the three objectives of internal control.
 Accurate and reliable financial reporting
 Compliance with laws and regulations
 Effectiveness and efficiency of the organization’s operations.

2. What are the three phases of the consideration of an entity's internal controls made by the auditor?
 Planning
 Fieldwork and review
 Reporting.
4. Segregation of duties is basic to good internal control.
a. Explain the importance of segregation of duties in internal control.
It serves as a key internal control intended to reduce the risk of both erroneous and
inappropriate actions. 
b. Name the three functions, which should be separated to achieve good segregation of duties.
1. Having custody of assets.
2. Being able to authorize the use of assets.
3. Recordkeeping of assets.

PROBLEM

1. In a well-designed and executed audit, the auditor's objective in considering an entity's control
environment is to obtain an understanding of management's and the board of directors' attitude,
awareness, and actions concerning the following items:
a. Integrity and ethical values
Internal auditors should perform their work honestly to the client or company.
b. Human resource policies and practices
 INTERNAL CONTROL 90

Review every aspect of management of HR to determine the effectiveness of each program in an

organization.
c. Commitment and competence
Having skills relating to critical thinking and business understanding; and interpersonal and
communication skills.
d. Assignment of authority and responsibility
Auditor's responsibility for obtaining an understanding of internal control
e. Board of directors or audit committee
Reports to the board on a quarterly or more frequent basis on things such as audit plans, audit
findings, and other items deemed to be significant.
f. Organizational structure
The audit procedures were performed to obtain an understanding of the entity and its environment,
in- including the entity's internal control
g. Management's philosophy and operating style.
Auditors must acquire management's attitudes toward the organization’s objectives, and learn how to
minimize the business risks and attitude toward internal controls over financial reporting.

For each of the items above, provide one example of what knowledge the auditor is attempting to
obtain.

TRUE/FALSE

1. Most internal control deficiencies are identified through substantive tests.

2. A material weakness in internal control is a significant deficiency that is more than remotely likely to
cause a material misstatement that will not be prevented or detected.

3. A material weakness is also a significant deficiency in internal control.

4. The auditor’s assessment of internal control is required to be done quantitatively.

5. After assessing detection risk, the auditor performs tests of controls.

6. Control risk and detection risk are inversely related.

7. For every audit of financial statements that a CPA firm performs, an opinion on internal control must
also be issued.

8. Internal audit reports may not be considered by the auditor in forming an opinion on internal control.

9. The auditor’s report on internal control for an SEC client includes the definition of internal control
over financial reporting.

10. The auditor’s view of internal control is broader than that of management.
 INTERNAL CONTROL 91

MATCHING

a Section 404 f. COSO Framework

.
b DBM system g Auditing Standard No. 2
. .
c Walkthrough h Narrative
. .
d Collusion i. A control activity
.
e Internal control deficiencies j. 404 documentation
.
1. Used to document the understanding of internal controls
2. Segregation of duties
3. Do not prevent or detect misstatements
4. Issued by the PCAOB
5. Integrated collections of stored data
6. Fraud perpetrated by two or more people
7. Memorializes management’s assessment of internal control
8. Requires management to assess internal control
9. Trace from authorization through to summarization in the financial statements
10. Sets forth five components of internal control

SHORT ANSWER

1. The definition of internal control found in COSO encompasses four key concepts.
State and explain each of these concepts.

Control Environment refers to how has management put into place policies and procedures that
guide the organization.
Risk Assessment: It refers to how does the organization assess risk in order to identify the things that
threaten the achievement of its objectives?
Information and Communication it refers to how management communicates to their internal and
external users what is expected of them.
Existing Control Activities identify what are the controls that they currently have in place.

2. Explain which parties in an organization help it to accomplish its internal control objectives.
The Corporation's management is responsible for maintaining effective internal control over
financial reporting and for its assessment of the effectiveness of internal control over financial
reporting.

3. Transaction authorization may be specific or general.

a. Define each.
Specific authorization requires the signature or electronic approval of a transaction by a person with
approval authority.
 INTERNAL CONTROL 92

General authorization is a rule adopted by the director authorizing, without a permit from the division.
b. Explain the difference between the two.
A general authorization serves as a standing approval of certain spending whereas specific
authorization would require an individual to get written permission to override the general
authorization policies.
4. In the audit of a public company, the auditor considers internal control for two reasons.
What are the two reasons?
Minimize risks and protect assets, ensure accuracy of records, promote operational efficiency, and
encourage adherence to policies, rules, regulations, and laws.
5. The auditor’s work in forming an opinion on internal control over financial reporting has three phases.
Give the three phases.
Planning is sometimes called survey or preliminary review), fieldwork, audit report and follow-up
review.
6. In considering a client’s accounting system, the auditor’s objective is to understand five items.
Give the five items.
(a) The control environment. (b) The entity’s risk assessment process. (c) The information system,
including the related business processes, relevant to financial reporting, and communication. (d)
Control activities. (e) Monitoring of controls
7. Auditors typically organize the audit around four transaction cycles. Give the four cycles.
Revenue, expenditure, conversion, and human resources/payroll cycle.
8. The annual report of a public company includes two reports on internal control over financial
reporting. Describe what is in each.
The intent of the required annual report is to provide public disclosure of a company's operating and
financial activities over the past year. The report is typically issued to shareholders and other
stakeholders who use it to evaluate the firm's financial performance and to make investment
decisions.