Chapter 8 Test Questions & Answers Risk Response - Auditing Data Analytics 1e Test Bank by Raymond N. Johnson. DOCX document preview.
Chapter 8
Risk Response
Performing Tests of Controls
Question Type: True or False
Assessing control risk begins with understanding entity-level controls.
A. True
B. False
The flow of a transaction, and the documents involved, will be the same from transaction class to transaction class.
A. True
B. False
Strong entity-level controls make it less likely that transaction-level controls will operate effectively.
A. True
B. False
The two levels of internal control are entity-level controls and auditor-level controls.
A. True
B. False
Prevention controls are those applied to each transaction during normal processing that are intended to stop fraud or errors from occurring.
A. True
B. False
Detection controls are those applied before transactions have been processed to identify whether fraud or errors have occurred.
A. True
B. False
Detection controls are those applied to each transaction that stop fraud or errors from occurring.
A. True
B. False
In inquiry, the auditor is not allowed to ask the employee who prepares the bank reconciliation how reconciling items are identified and the reasons for them.
A. True
B. False
The auditors should plan to test each and every control.
A. True
B. False
Tolerable deviation rate is the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level control risk.
A. True
B. False
Attribute sampling is a technique used to reach a conclusion about a sample in terms of a rate of occurrence.
A. True
B. False
When performing tests of controls, the auditor is making a “yes or no” decision.
A. True
B. False
A material weakness is a deficiency where there is more than a remote possibility that a misstatement that is less than material, but still significant enough that it should be reported to those charged with governance.
A. True
B. False
Once controls have been tested, the auditors document their work in a representation letter.
A. True
B. False
The more complex the client’s operations and its internal controls, the more experienced the auditor who performs the work needs to be.
A. True
B. False
Question Type: Multiple choice
The first step in assessing control risk is to _______.
A. understand entity-level controls
B. understand the flow of transactions
C. identify relevant controls to test
D. determine preliminary audit strategy
The fourth step in assessing control risk is _______.
A. understand entity-level controls
B. understand the flow of transactions
C. identify relevant controls to test
D. perform tests of controls
Entity-level controls involve _______.
A. all five components of internal controls
B. all four components of internal controls
C. all auditor and client controls
D. all controls recommended by the internal audit function
Strong entity-level controls _______.
A. make it less likely that transaction-level controls will operate effectively
B. make it more likely that transaction-level controls will operate effectively
C. generally increase inherent risk
D. have no bearing on inherent risk
Once auditors understand the flow of transactions, _______.
A. they will use their knowledge of assertions to understand what can go wrong
B. they will use their knowledge of the client's legal history to understand what can go wrong
C. they are ready to issue a clean audit opinion
D. they should request the internal audit function begin the audit
If the audit firm is performing an integrated audit for a public company, _______.
A. there is an expectation that the auditor will test controls in order to support an opinion on Internal Control over Financial Reporting (ICFR)
B. there is an expectation that the auditor will audit the financial statements only in order to support an opinion on ICFR
C. the audit should be conducted in conjunction with the internal auditors
D. the auditor should request the assistance of the prior auditor
If a client has strong entity-level controls, _______.
A. it is less likely that transaction-level controls will operate effectively
B. it is more likely that transaction-level controls will operate effectively
C. it is likely that the client has an ineffective audit committee
D. it is likely that the client has a higher assessed level of inherent risk
Which of the following should be done by the auditor if tests of controls indicate that a key control is not functioning as designed?
A. Increase the assessed level of control risk
B. Increase the level of assessed detection risk
C. Stabilize the nature, timing, and extent of substantive tests related to the assertion
D. Rely on external controls
Assessing control risk begins with understanding which of the following?
A. Entity-level controls
B. Transaction-level controls
C. Internal controls
D. External controls
Which of the following refer(s) to the audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level?
A. Tests of controls
B. Financial auditing
C. External controls
D. Transaction-level controls
Which of the following controls are designed to prevent misstatements from happening (prevent controls) and / or detect and correct misstatements on a timely basis (detect controls)?
A. Internal controls
B. External controls
C. Entity-level controls
D. Transaction-level controls
The two levels of internal control are _______.
A. entity-level controls and transaction-level controls
B. entity-level controls
C. transaction-level controls
D. transaction-level and auditor-level controls
Transaction-level controls are _______.
A. implemented by businesses to reduce the risk of misstatement due to error or fraud, and to ensure that business processes are operating effectively
B. implemented by the auditors to reduce the risk of misstatement due to error or fraud, and to ensure that business processes are operating effectively
C. the same as entity-level controls
D. tested by the internal auditors
Prevention controls are those applied _______.
A. at both the entity and transaction levels
B. at the transaction level only
C. to each transaction during normal processing and are intended to stop fraud or errors from occurring
D. to each entity during normal processing and are intended to stop fraud or errors from occurring
Preventing errors during processing _______.
A. is an important objective of every accounting system
B. is an optional objective of every accounting system
C. is the responsibility of the auditor
D. is the responsibility of the internal auditors
Prevention controls _______.
A. should always have physical evidence indicating whether the control was performed
B. will rarely have physical evidence indicating whether the control was performed
C. do not always have physical evidence indicating whether the control was performed
D. are the same as detect controls
Absence of effective prevention controls _______.
A. decreases the risk that errors or fraud may occur
B. increases the risk that errors or fraud may occur
C. decreases the overall risk of the audit
D. has no bearing on the risk of the audit
Most companies design detection controls _______.
A. to ensure that if prevention controls are not effective, errors or fraud will be detected and corrected on a timely basis
B. to ensure that if detection controls are not effective, errors or fraud will be detected and corrected on a timely basis
C. to catch errors or fraud before the transactions have been processed
D. to catch errors or fraud while the transactions are being processed
Detection controls vary _______.
A. from year-to-year with the same client
B. from client to client to a greater extent than prevention controls
C. from client to client to a lesser extent than prevention controls
D. depending on managements desire to override controls
An example of a purely manual control is a _______.
A. computerized batch processing system
B. locked inventory cage for high dollar-value items to which only a few authorized staff have a key to access
C. requirement for employees to login to computer systems using validating credentials
D. automated prevention and detection controls
An auditor asking the employee who prepares the bank reconciliation how reconciling items are identified would be an example of _______.
A. observation
B. reperformance
C. inquiry
D. statistical testing
Internal controls can _______.
A. only include certain procedures approved by management and the auditor
B. include any procedure used and relied upon by the client to prevent errors from occurring when processing transactions, or to detect and correct errors that may occur in these transactions
C. include any procedure used and relied upon by the auditor to prevent errors from occurring when processing transactions, or to detect and correct errors that may occur in these transactions
D. never be subject to senior management override
Which of the following best defines detection controls?
A. Controls that are applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis
B. The collective assessment of the client’s control environment, risk assessment process, information system, control activities and monitoring of controls
C. Controls that affect a particular transaction cycle or group of transactions
D. Controls that determine the flow of documents through the system
The technique that involves the auditor using questioning skills to determine how the control is completed and whether it appears to have been carried out properly and on a timely basis is known as _______.
A. inquiry
B. observation
C. reperformance
D. recalculation
An auditor watching an employee prepare a bank reconciliation would be an example of _______.
A. observation
B. professional skepticism
C. recalculation
D. inquiry
Processing auditor test data using the client’s software application _______.
A. will allow the auditor to verify that the software application is functioning as designed
B. will allow the auditor to verify manual controls within the software application are functioning as designed
C. may corrupt the client's system, and should not be attempted
D. should be performed without the knowledge of the client's senior management
The procedure that relies on the auditor testing the physical evidence to verify that a control has been performed properly _______.
A. is referred to as reperformance
B. is referred to as recalculation
C. is known as inspection of physical evidence
D. is known as inspection of computer systems
When an auditor asks management how it makes sure the reconciliation is prepared correctly and on a timely basis, this is an example of _______.
A. inquiry
B. interrogation
C. audit scanning techniques
D. professional skepticism
Reperformance _______.
A. should be delegated to the internal audit function
B. should be the responsibility of the client's legal counsel
C. is mandatory at every client audit
D. is likely to be used, but would be determined by the auditor’s professional judgment
Inquiry _______.
A. alone would be considered quality audit evidence
B. would not be considered quality audit evidence
C. should not be used in conjunction with other audit procedures
D. involves making inquiries of prior auditors
Important information obtained through inquiry _______.
A. should be forwarded to the client's legal counsel for review and approval
B. should be disregarded if it contradicts management's statements and intentions
C. should be corroborated with other evidence
D. should be used in isolation
A common software-based audit technique involves _______.
A. requesting management complete flowcharts and questionnaires related to the audit
B. submitting certain test data into the client's software application while the auditor is in control of the software
C. allowing the internal auditors access to the external auditor’s software application in order to assist with the audit
D. deleting client files and transactions to ensure that the client's software appropriately alerts the correct staff
Which of the following is NOT a part of tests of control?
A. Performance
B. Observation
C. Inquiry
D. Inspection of physical evidence
The auditor testing the effectiveness of manual follow-up to see whether items put on an exception report were appropriately cleared is an example of _______.
A. reperformance
B. observation
C. inquiry
D. inspection of physical evidence
When the auditor inspects initials and dates on bank reconciliation, he or she is doing ______.
A. inspection of physical evidence
B. inquiry
C. observation
D. reperformance
When performing an integrated audit (to issue an opinion on the financial statements and an opinion on internal controls over financial reporting), _______.
A. the auditor uses a top-down approach to determine which controls to select
B. the auditor uses a bottom-up approach to determine which controls to select
C. the auditor should be careful to issue the same audit opinion for both the financial statements and internal control
D. the auditor should be careful to issue different audit opinions for the financial statements and internal control
The auditor begins selecting controls to test by _______.
A. asking management which controls they would prefer the auditor to test
B. checking the same controls as the prior year
C. by understanding the entity and the business and determining the risk of material fraud or error at the financial statement level
D. by understanding the entity and all other industries and determining the risk of material fraud or error at the financial statement level
If there is a high risk of material fraud related to an assertion, _______.
A. the auditor will want to test controls over that assertion
B. the auditor will want to test controls over other assertions
C. the auditor should request the audit be conducted by the internal audit function
D. the auditor should withdraw from the engagement, to avoid risk exposure
In the audit of a private company, _______.
A. an auditor’s tests of controls are unrelated to the planned audit strategy
B. an auditor’s tests of controls are largely dictated by the planned audit strategy
C. the auditor is not subject to reporting and notification requirements
D. the auditors should preemptively determine the entities ability to pay for the audit and request a certain percentage in advance
In order to determine the extent of testing of controls, _______.
A. the auditor should inquire of management as to their preferences
B. the auditor can use statistically based sampling techniques only
C. the auditor can use either statistically based sampling techniques or nonstatistical techniques
D. the auditor can use non nonstatistical techniques only
The tolerable deviation rate _______.
A. is the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk
B. is the minimum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk
C. refers to the extent that audit fees can go over the roughly agreed amount
D. relates to how many immaterial misstatements the auditor finds
With respect to audit sampling, _______.
A. there is no relationship between assurance and sample size
B. there is a direct relationship between assurance and sample size
C. the choice of which accounts to sample should be as non-random as possible
D. the auditors should ideally select a sample size which is larger than the population
The more assurance the auditor wants, _______.
A. the less representative a sample should be of the population, and the more testing the auditor needs to do
B. the more representative a sample should be of the population, and the less testing the auditor needs to do
C. the more representative a sample should be of the population, and the more testing the auditor needs to do
D. the less representative a sample should be of the population, and the less testing the auditor needs to do
If the auditor intends to assess control risk at a low level, _______.
A. he or she performs more testing than if he or she is planning to obtain only limited assurance from tests of controls
B. he or she performs less testing than if he or she is planning to obtain only limited assurance from tests of controls
C. he or she performs the same amount of testing if he or she is planning to obtain only limited assurance from tests of controls
D. he or she performs more testing than if he or she is planning to obtain unlimited assurance from tests of controls
The expected rate of deviation in the population _______.
A. is the rate at which the auditor expects controls not to function as planned
B. is the rate at which the auditor expects controls to function as planned
C. relates to how many accounts within the population will be stated correctly
D. relates to how many accounts within the population will be consistent with the auditor’s expectation
With respect to timing, tests of controls _______.
A. are usually carried out after the firm’s financial statement date
B. are usually carried at the firm’s financial statement date
C. will usually be carried out at an interim date, often about three months prior to year-end
D. will usually be carried out at an interim date, often about six months prior to year-end
The greater the amount of difference between tolerable deviation rate and expected deviation rate, _______.
A. the larger the sample size
B. the lower any statistical variance should be
C. the smaller the sample size.
D. the smaller the population being sampled should be
An audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period is known as _______.
A. statistical benchmarking
B. benchmarking
C. nonstatistical sampling
D. prior period inference
The assurance that the _______ is not exceeded by the actual rate of deviation is influenced by the degree to which the auditor intends to rely on the control as a basis for limiting substantive tests or for supporting an opinion on internal control over financial reporting (ICFR).
A. tolerable rate of deviation
B. expected rate of deviation in the population
C. desired level of assurance
D. control exception
Which of the following refers to a sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence?
A. Attribute sampling
B. Control exception
C. Tests of control
D. Benchmarking
Define expected rate of deviation.
A. It is the rate at which the auditor expects controls to not function as planned.
B. It is the maximum rate of deviation from a prescribed control that an auditor is willing to accept.
C. It is the rate that represents the confidence that the evidence obtained is representative of the underlying population from which the sample was taken.
D. It is similar to the actual rate of deviation in the population.
If tests of controls indicate that a key control is not functioning as designed, and if other compensating controls do not exist, the auditor should _______.
A. increase the assessed level of control risk
B. decrease the level of assessed detection risk
C. make appropriate changes to the nature, timing and extent of substantive tests related to the assertion
D. All of these answer choices are correct.
- increase the assessed level of control risk,
- decrease the level of assessed detection risk,
- and make appropriate changes to the nature, timing and extent of substantive tests related to the assertion.
If the auditor is auditing a public company in the United States and must report on internal controls over financial reporting (ICFR), the identification of one or more material weaknesses _______.
A. will result in the auditor issuing an adverse opinion on the financial statements
B. will result in the auditor issuing a disclaimer of opinion on the financial statements
C. will result in an adverse opinion on ICFR
D. will result in an unmodified opinion on ICFR
When performing tests of controls, the auditor is making _______.
A. a “yes or no” decision with respect to effectiveness
B. multiple decisions
C. sure that all controls are working perfectly, with no errors, material or immaterial
D. certain that he or she will ultimately be in a position to render absolute assurance on the financial statements and internal control
When testing controls, _______.
A. the auditor must be alert for evidence that the control might be effective, even if only once or twice
B. the auditor must be alert for evidence that the control might be ineffective, even if only once or twice
C. the auditor should delegate audit procedures to the internal auditors where possible
D. it is possible for the auditor to rely on the opinion of the prior auditor
A control would be ineffective _______.
A. if it was performed
B. if it was not performed, or if it failed to function as designed
C. if it was not performed only
D. if it failed to function as designed only
An IT application control will be ineffective _______.
A. if the entity is hacked or experiences some form of phishing
B. if it lists an appropriate transaction on an exception report
C. if it fails to put an invalid transaction on an exception report
D. if it is consistently used
Manual follow-up procedures are ineffective _______.
A. if they are not acted upon on a timely basis, or if client personnel fail to clear items noted on an exception report
B. if they are acted upon on a timely basis, or if client personnel fail to clear items noted on an exception report
C. if they are not acted upon on a timely basis only
D. if client personnel fail to clear items noted on an exception report only
If the test results do not confirm the preliminary evaluation of controls, _______.
A. the auditor will consider whether there is a compensating control that might prevent and correct a misstatement missed by the original control being tested
B. the auditor will consider whether there is a compensating control that might detect and correct a misstatement missed by the original control being tested
C. the auditor should obtain additional written assurances from management
D. the auditor should consider withdrawing from the engagement
In trying to determine whether there is a need for additional tests of controls, the following factors are considered:
A. Results of inquiries and observations
B. Evidence provided by other tests
C. Changes in the overall control environment
D. All of these answer choices are correct
If the auditor determines that an effective compensating control does not exist, or tests of controls show that the compensating control is not functioning as designed, _______.
A. the auditor revises the overall audit risk assessment for the related account and assertion, and the planned audit strategy
B. the auditor makes no changes to the overall audit risk assessment for the related account and assertion, and the planned audit strategy
C. the auditor concludes that internal control is weak, and issues an appropriate opinion
D. the auditor would lower inherent risk surrounding the engagement as a whole
The auditor always needs to investigate any control exceptions (deviations) that he or she identifies during testing to find out, to the extent practical, _______.
A. the causes and the amounts involved
B. the financial statement accounts affected
C. the potential effect on other audit procedures
D. All of these answer choices are correct.
Which of the following refers to a deficiency where there is more than a remote possibility that a material misstatement could occur in the financial statements due to a breakdown in the system of internal control?
A. Material weakness
B. Significant deficiency
C. Control deficiency
D. Insignificant deficiency
An observed condition that provides evidence that the control being tested did not operate as intended is called a/an _______.
A. control exception
B. significant deficiency
C. attribute sampling
D. material weakness
Once controls have been tested, _______.
A. the auditors immediately issue an unqualified opinion on internal control
B. the auditors document their work in a working paper
C. the auditors should request all fees due for this part of the audit, before moving on to the financial statement audit
D. the auditors should document their understanding in a memo addressed to the client's legal counsel
Working paper documentation for test of controls should include _______.
A. all client-owned documents which will be returned to the client once audit fees are paid
B. comments on this year’s audit by the prior auditor
C. the auditors’ opinion of absolute assurance about control risk, and the basis for their conclusion (e.g., underlying evidence)
D. the auditors’ conclusion about control risk, and the basis for their conclusion (e.g., underlying evidence)
- the auditors’ conclusion about control risk, and
- the basis for their conclusion (e.g., underlying evidence).
After the auditor has completed test of controls and drawn a conclusion about control risk, _______.
A. the auditor will want to make decisions about the nature, timing and extent of substantive testing
B. the auditor will want to make decisions about the nature of substantive testing
C. the auditor will want to make decisions about the timing of substantive testing
D. the auditor will want to make decisions about the extent of substantive testing
In preparing a working paper for tests of controls, _______.
A. the auditor would ordinarily set out the purpose of the financial statements audited
B. the auditor would ordinarily set out the purpose of the tests of the controls identified
C. the auditor would request input and amendments from senior management
D. the auditor would complete the working paper with the help of the client's legal counsel
Regardless of how the working papers are prepared and documented, _______.
A. the extent of the auditor’s documentation will increase as the complexity of the client’s operations, systems, and controls increases
B. the extent of the auditor’s documentation will decrease as the complexity of the client’s operations, systems, and controls increases
C. the extent of the auditor’s documentation will increase as the complexity of the client’s operations, systems, and controls decrease
D. the extent of the auditor’s documentation will decrease as the complexity of the client’s operations, systems, and controls decrease
The more complex the client’s operations and its internal controls, _______.
A. the lower inherent risk is assessed by the auditor
B. the less audit staff should be assigned to the client engagement
C. the more experienced the auditor who performs the work needs to be
D. the more inexperienced the auditor who performs the work needs to be
Auditors of both public companies and private entities _______.
A. have a responsibility to report internal control weaknesses to those charged with governance of the entity
B. have a responsibility to report internal control weaknesses directly to the SEC
C. have a responsibility to report internal control weaknesses to the internal audit function, for immediate rectification
D. have a responsibility to report internal control weaknesses directly to the shareholders of an entity, who in turn should address their concerns to management
In preparing a working paper for tests of controls, _______.
A. the auditor should defer preparation to the internal audit function
B. the auditor would ordinarily set out the purpose of the tests of the financial statement accounts identified
C. the auditor would ordinarily set out the purpose of the tests of the controls identified
D. the auditor should be careful to avoid bringing to management's attention any defective controls
The extent of the auditor’s documentation will increase if _______.
A. the complexity of the client’s operations, systems, and controls increases
B. the complexity of the client’s operations, systems, and controls decreases
C. the auditor making on the documentation is more experienced
D. the auditor making on the documentation is less experienced
Which of the following is true of working papers?
A. Working papers document the auditors' conclusion about control risk and the basis for that conclusion.
B. Working papers are necessary for the junior auditor to keep track of the daily work, but are not important to the overall audit.
C. Working papers document the results of the tests but not the purpose of the control selected for testing.
D. Working papers document the purpose of the control selected for testing and the conclusion made by the auditor, but not the results of the test.
The _______ clearly lays out the purpose of the test of the control, the nature and extent of the work performed at an interim date, the results of the audit tests, and the auditor’s conclusion about control risk.
A. working paper
B. audit documentation
C. controls testing paper
D. audit report
Question Type: Text Entry
The auditor performs _______ once she has determined to follow a reliance strategy for an assertion and identified the key controls to test.
tests of controls
When designing tests of controls, consideration is given to _______ with the transaction (the risk of material misstatement) at the assertion level.
WCGW | what can go wrong | what can go wrong (WCGW)
The procedure that relies on the auditor testing the physical evidence to verify that a control has been performed properly is known as _______.
Inspection | inspection
The procedure that involves the auditor performing the control in the same manner as an employee in order to test its effectiveness is known as _______.
A. Reperformance | reperformance
Techniques that involve the auditor’s use of computers to assist in verification are known as software-assisted _______ techniques.
Audit | audit
If the auditor wants to test using the _______ technique, he must find evidence that the control was performed on a timely basis.
reperformance
A _______ is an observed condition that provides evidence that the control being tested did not operate as intended.
control exception
Working paper documentation includes the auditors’ conclusion about _______ and the basis for their conclusion.
control risk
Question Type: Drop down
Match the steps in assessing control risk on the left with their details on the right.
A. Understand entity-level controls.
||This involves all five components of internal controls, which are the client's control environment, risk assessment, information system, control activities, and monitoring of controls.
B. Understand the flow of documents through the system.
||The common steps in any transaction stream are authorization, executing the transaction, recording the transaction, and consideration.
C. Identify what can go wrong (WCGW).
||This describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant financial statement assertion.
D. Identify relevant controls to test.
||Once the auditor identifies what can go wrong, the auditor will look for relevant internal controls that will either prevent them or detect and correct them.
Understand the flow of documents through the system: The common steps in any transaction stream are authorization, executing the transaction, recording the transaction, and consideration.
Identify what can go wrong (WCGW): This describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant financial statement assertion.
Identify relevant controls to test: Once the auditor identifies what can go wrong, the auditor will look for relevant internal controls that will either prevent them or detect and correct them.
In the given table, match the concepts related to control risks on the left with the descriptions on the right.
A. Desired level of assurance
||It represents the confidence that the evidence obtained is representative of the underlying population from which the sample was taken.
B. Attribute sampling
||It is used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.
C. Benchmarking
||It can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period.
D. Control exception
||It provides evidence that the control being tested did not operate as intended.
The desired level of assurance represents the confidence that the evidence obtained is representative of the underlying population from which the sample was taken.
Attribute sampling is a sampling technique that is used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.
Benchmarking is an audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period.
Control exception is an observed condition that provides evidence that the control being tested did not operate as intended.
Match the steps of assessing control risks on the left of the table to their details on the right.
A. Additional tests of controls
||They are required if the auditor becomes aware of adverse changes in the overall control environment of the entity.
B. Results of inquiries and observations
||The auditor may need to identify and test other controls, perform additional tests of controls, or increase the level of substantive testing performed at year-end.
C. Control deficiency
||The magnitude is such that it does not need the attention of those charged with governance of the entity.
D. Significant deficiency
||It is a deficiency where there is more than a remote possibility that a misstatement that is less than material, but still significant enough that it should be reported to those charged with governance.
Additional tests of controls: They are required if the auditor becomes aware of adverse changes in the overall control environment of the entity.
Results of inquiries and observations: The auditor may need to identify and test other controls, perform additional tests of controls or increase the level of substantive testing performed at year-end.
Control deficiency: The magnitude is such that it does not need the attention of those charged with governance of the entity.
Significant deficiency: It is a deficiency where there is more than a remote possibility that a misstatement that is less than material, but still significant enough that it should be reported to those charged with governance.
In the given table, match the components of working paper on the left with their details on the right.
A. Test results table
||It assists the person reviewing the working paper to determine if enough work has been performed and if the right conclusion regarding the controls testing has been reached.
B. Conclusion
||It is specific to whether the test results support the overall purpose of the test.
C. Actual controls selected
||There should be enough details in the working paper to allow another auditor to review the working paper, reperform the steps, and reach the same conclusion as the auditor who prepared the working paper.
D. Deciding the nature, timing, and extent of substantive testing
||After the auditor has completed testing controls and drawn a conclusion about control risk, it is the last step in working paper documentation.
A test results table assists the person reviewing the working paper to determine if enough work has been performed and if the right conclusion regarding the controls testing has been reached.
The conclusion is specific to whether the test results support the overall purpose of the test.
Actual controls selected should have enough details in the working paper to allow another auditor to review the working paper, reperform the steps, and reach the same conclusion as the auditor who prepared the working paper.
After the auditor has completed testing controls and drawn a conclusion about control risk, deciding the nature, timing, and extent of substantive testing is the last step in working paper documentation.
Question Type: Multiple choice multi select
Entity-level controls involve which of the following three components of internal controls?
A. Client's control environment
B. Risk assessment
C. Information system
D. External activities
Which three of the following are types of controls?
A. Manual control
B. Software application control
C. Information technology general controls (ITGCs)
D. Automated controls
Which two of the following are examples of the inquiry technique in tests of controls?
A. The auditor asks the employee who prepares the bank reconciliation how reconciling items are identified.
B. The auditor asks management how it makes sure the reconciliation is prepared correctly and on a timely basis.
C. The auditor observes the preparation of the bank reconciliation.
D. The auditor inspects initials and dates on bank reconciliation.
- The auditor asks the employee who prepares the bank reconciliation how reconciling items are identified.
- The auditor asks management how it makes sure the reconciliation is prepared correctly and on a timely basis.
Tests of various manual controls have which two requirements?
A. Testing to see that the person who performed the control provided their initials
B. Reperforming the checking routine itself
C. Checking the nature of the control implemented by management
D. Professional judgment is not applied in manual controls
Which of the following are set out by the working paper?
A. The purpose of the test of control
B. The nature and extent of the work performed at an interim date
C. The auditor’s conclusion about audit risk
D. The auditor’s conclusion about control exceptions
Question Type: Short Answer
Identify the types of audit evidence that are tested using audit sampling techniques.
Some audit procedures involve sampling, while others do not.
The following types of audit evidence can be tested using audit sampling techniques:
1. Inspection of tangible assets
2. Inspection of records or documents
3. Reperformance
4. Recalculation
5. Confirmation
Indicate which of the following audit procedures, used as tests of controls, do not involve audit sampling:
1. Observing and evaluating segregation of duties.
2. Testing of whether sales invoices are supported by authorized customer orders and shipping documents.
3. Reviewing client's procedures for accounting for the numerical sequence of shipping documents.
4. Examining sales orders for proper credit approval.
5. Recomputing the information on copies of sales invoices.
6. Comparing the average days outstanding in accounts receivable with industry averages.
A.
- Does not involve sampling.
- Involves sampling.
- Does not involve sampling.
- Involves sampling.
- Involves sampling.
- Does not involve sampling.
During your audit of Bricks, Inc., your test of a control over revenue recognition shows that the control is ineffective. Explain what you should do next.
Solution: If the test results do not confirm the preliminary evaluation of controls, the auditor will consider whether there is a compensating control that might detect and correct a misstatement missed by the original control being tested.
If the compensating control proves effective, the evidence now supports the auditor’s preliminary evaluation of controls, and control risk and planned substantive audit procedures are not modified.
If the auditor extends the testing and another control exception is identified, the auditor should change the decision to rely on that control. If another (compensating) control is not available to be substituted for the control being tested, or it is not considered efficient to continue testing controls, the auditor should modify (and potentially increase) the nature, timing and extent of the planned substantive procedures. That is, the audit strategy is altered, and detection risk is reduced.
Explain the differences in auditor responsibility for reporting control deficiencies, significant deficiencies, and material weaknesses to management and those charged with governance.
Solution: Auditors of both public companies and private entities have a responsibility to report internal control weaknesses to those charged with governance of the entity. This is a requirement of both PCAOB AS 2201 and AU-C 265. This is usually done through a management letter. The auditor includes a discussion of both material weaknesses and significant deficiencies in the management letter. It is also important to note that all internal control deficiencies should be reported to management. If a control weakness is sufficiently small in magnitude such that it is not reported to those charged with governance, it should still be verbally reported to management, at least one level above where the weakness occurred.
As technology continues to advance, will technology reduce the number of situations in which audit sampling is necessary and perhaps eliminate the need for auditors to rely on sampling?
Even with sophisticated advances in technology, it will not likely eliminate the need for auditors to rely on sampling to some degree because:
(1) many control processes require human involvement to operate effectively,
(2) many testing procedures require the auditor to physically examine certain items (such as tangible assets), and
(3) in many cases auditors are required to obtain and examine evidence from third parties.
In a large population, these situations all require both sampling and an auditor's "hands-on" attention.
Bob Jensen is the staff auditor on the Banson Fashion audit. Bob performed tests of controls over the control “the accounts receivable subsidiary ledger reconciliation is reviewed by the financial controller”. The objective of the test was to verify that a review by the financial controller occurred on a timely basis. When performing the testing, however, Bob found that while there was evidence of the review (a signature), there was no date, so timeliness could not be verified. What can Bob conclude from this test result and what should Bob do next?
Solution: Bob is able to conclude that the control operated, but he is not able to conclude as to whether it operated on a timely basis. Bob needs to determine whether a compensating control should be tested, or whether or not the timeliness of the review is critical to the auditor’s ability to rely on the accounts receivable reconciliation as audit evidence.
Evaluate the following "procedures" section from a tests of controls working paper:
Work performed:
Selected several bank reconciliations from different months and matched to supporting documentation. Ensured the reconciliations had been prepared and reviewed on a timely basis.
Solution: This working paper section is insufficient. There needs to be enough detail regarding the controls selected to allow another auditor to review the working paper, reperform the steps (if necessary) and reach the same conclusion as the auditor who prepared the working paper. Specifically, how many bank reconciliations were tested? What supporting documents were used? What months were tested?
Question Type: Drag and Drop
_______ are controls that do not rely on the client's information technology (IT) environment for their operation.
[Manual controls] | Automated controls | IT general controls (ITGCs) | Computer application controls
_______ are a combination of testing procedures that provides the evidence that the control operated as intended throughout the period the auditor wishes to place reliance on the control.
[Tests of controls] | Observational methods | Inquiry controls | Inspection of physical evidence
_______ rate is the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk.
A. [Tolerable deviation] | Expected deviation | Attribute sampling | Investigation
If the auditor determines that an internal control deficiency is either a significant deficiency or a control deficiency, the auditor will issue a/an _______ on internal controls over financial reporting (ICFR).
[unqualified opinion] | adverse opinion | modified opinion | unmodified opinion
After the auditor completes test of controls and draws conclusion about control risk, the auditor makes decisions about the nature, timing, and extent of _______.
[substantive testing] | sampling risk | non-sampling risk | control exception