Auditing Test 3 (short answer)
23) Control activities help assure that the necessary actions are taken to address risks to the achievement of the company's objectives. List the five types of control activities.
1. adequate separation of duties
2. proper authorization of transactions and activities
3. adequate documents and records
4. physical control over assets and records
5. independent checks on performance
24) Certain principles dictate the proper design and use of documents and records. Briefly describe several of these principles.
• Documents should be prenumbered consecutively to facilitate control over missing documents and as an aid in locating documents when they are needed at a later date.
• Documents and records should be prepared at the time a transaction takes place, or as soon as possible thereafter, to minimize timing errors.
• Documents and records should be designed for multiple uses, when possible, to minimize the number of different forms.
• Documents and records should be constructed in a manner that encourages correct preparation. This can be done by providing internal checks within the form or record.
25) Management's identification and analysis of risk is an ongoing process and is a critical component of effective internal control. An important first step is for management to identify factors that may increase risk. Identify at least five factors, observable by management, which may lead to increased risk in a typical business organization.
• failure to meet prior objectives
• quality of personnel
• geographic dispersion of company operations
• significance and complexity of core business processes
• introduction of new information technologies
• entrance of new competitors
• economic downturns
• rapid technology changes
26) Separation of duties is essential in preventing errors and intentional misstatements on the financial statements. List below the four general guidelines.
1. separation of custody of the assets from accounting
2. separation of the authorization of transactions from custody of related assets
3. separation of operational responsibility from record keeping responsibility
4. separation of IT duties from user departments
27) The internal control framework developed by COSO includes five so-called "components" of internal control. Discuss each of these five components.
Answer: Five components of internal control are:
• The control environment. The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the company.
• Risk assessment. This is management's identification and analysis of risks relevant to the preparation of financial statements in accordance with appropriate accounting frameworks such as GAAP or IFRS.
• Information and communication. These are the methods used to initiate, record, process, and report the entity's transactions and to maintain accountability for the related assets.
• Control activities. These are the policies and procedures that management has established to meet its objectives for financial reporting.
• Monitoring. This is management's ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and are modified when needed.
28) Discuss what is meant by the term "control environment" and identify four control environment subcomponents that the auditor should consider.
• integrity and ethical values
• commitment to competence
• board of directors or audit committee participation
• organizational structure
29) List the four underlying principles of risk assessment per the COSO framework
• have clear objectives in order to identify risks related to those objectives
• determine how risks should be managed
• consider the potential for fraud
• monitor changes
31) Define control for general controls and application controls. Also list the categories of controls included under general controls and application controls.
-General controls are those that relate to all aspects of the IT function. They include controls related to administration, separation of IT duties, systems development, physical and on-line security, backup and contingency planning, and hardware controls.
-Application controls relate to the processing of individual transactions. Application controls are specific to certain software applications and typically do not affect all IT functions. They include input controls, processing controls, and output controls.
32) Identify the three categories of application controls, and give one example of each.
• Input controls — preformatted screens which prompt the data input personnel for the information to be entered
• Processing controls — a reasonableness test for the unit selling price of a sale.
• Output controls — postprocessing review of sales transactions by the sales department.
33) One category of general controls is physical and online access controls. Describe the control and give at least two examples of implementation of the control.
• keypad entrances
• badge-entry systems
• security cameras and security personnel
• employee fingerprints or retina scanning and matching to database before access is allowed
• monitoring of cooling and humidity
• installing fire-extinguishing equipment.
• proper user IDs and passwords
• separate add-on security software packages
• encryption programs.
a. Application controls
b. Error listing
c. General controls
d. Hardware controls
e. Input controls
f. Output controls
g. Parallel simulation
h. Parallel testing
i. Pilot testing
j. Processing controls
________ 1. The new and old systems operate simultaneously in all locations.
________ 2. Controls that relate to all aspects of the IT system.
________ 3. Controls such as review of data for reasonableness, designed to assure that data generated by the computer is valid, accurate, complete, and distributed only to authorized people.
________ 4. Controls that apply to processing of transactions.
________ 5. A new system is implemented in one part of the organization while other locations continue to rely on the old system.
________ 6. Controls such as proper authorization of documents, check digits, and adequate documentation, designed to assure that the information to be entered into the computer is authorized, complete, and accurate.
35) Processing controls include the following tests:
Describe what each control is designed to do:
Validation: ensures that a particular type of transaction is appropriate for processing
Sequence: determines that the data submitted for processing are in the correct order
Data Reasonableness: determines whether the data exceeds prespecified amounts
Completeness: determines that every field in a record has been completed
36) What are the two software testing strategies that companies typically use? Which strategy is more expensive?
Companies may use pilot testing and parallel testing to test new software. Pilot testing involves operating the new software at a limited number of facilities, while continuing to operate the old software at all other locations. Parallel testing involves operating the new and old software simultaneously.
37) Discuss the four areas of responsibility under the IT function that should be segregated in large companies.
• IT Management. Oversight of the IT function should be segregated from the systems development, operations, and data control functions. Oversight of IT should be the responsibility of the Chief Information Officer or IT manager. The CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches.
• Systems development. Systems analysts are responsible for the overall design of each application system. They also coordinate the development, acquisition, and changes to IT systems by the IT personnel and the primary system users outside of IT. Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results. Programmers and analysts should not have access to input data or computer operations to avoid using their knowledge of the system for personal benefit.
• Operations. Computer operators are responsible for the day-to-day operations of the computer. They also monitor computer consoles for messages about computer efficiency and malfunction.
• Data control. Data control personnel independently verify the quality of input and the reasonableness of output. Database administrators are responsible for the operation and access security of shared databases.
38) Identify the six categories of general controls and give one example of each.
• Administration of the IT function. The chief information officer (CIO) should report to senior management and board of directors.
• Separation of IT duties. There should be separation of duties between the computer programmers, operators, and the data control group.
• Systems development. Users, analysts, and programmers develop and test software.
• Physical and online security. Access to hardware is restricted, passwords and user IDs limit access to software and data files, and encryption and firewalls protect data and programs from external parties.
• Backup and contingency planning. Written backup plans should be prepared and tested on a regular basis throughout the year.
• Hardware controls. Uninterruptible power supplies should be used to avoid loss of data in the event of a power blackout.
9) From an internal control perspective, what challenges arise when a company outsources computer functions?
Answer: Management is responsible for the design and operating effectiveness of internal controls, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their internal controls, need to be considered by management when selecting a service provider, and evaluated regularly.
17) You are the audit manager for a new audit client. Your staff auditors are unsure of what constitutes a control deficiency. Discuss the terms control deficiency, design deficiency, and operating deficiency.
-A control deficiency exists if the design and implementation or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing assigned functions.
-A design deficiency exists if a necessary control is missing, is not properly designed, or is not properly implemented.
-An operating deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized.
18) The text suggested a five-step approach to identify deficiencies, significant deficiencies, and material weaknesses. Describe this approach.
1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist.
2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix to look for objectives where there are no or only a few controls to prevent or detect misstatements.
3. Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets the absence of a key control. When a compensating control exists, there is no longer a significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses.
5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.
10) In evaluating the operational effectiveness of internal controls, the auditor is likely to use four types of audit procedures. List the procedures below.
• Make inquiries of appropriate client personnel.
• Examine documents, records, and reports.
• Observe control-related activities.
• Reperform client procedures.
8) Describe three computer auditing techniques available to the auditor.
• Test data approach. Using this approach, the auditors process their own test data using the client's computer system and application program to determine whether the automated controls correctly process the test data.
• Parallel simulation. The auditors use auditor-controlled software to do the same operations that the client's software does, using the same data files. The purpose is to determine the effectiveness of automated controls and to obtain evidence about electronic account balances.
• Embedded audit module. Using this approach, the auditor inserts an audit module into the client's application system to identify specific types of transactions.
9) Discuss the advantages and benefits of using generalized audit software.
• It is relatively easy to train the audit staff in its use, even if they have little formal IT training.
• The software can be applied to a wide variety of clients with minimal customization.
• It has the ability to do audit tests much faster and in more detail than using traditional manual procedures.
20) List each of the five types of audit tests.
• risk assessment procedures
• tests of controls
• substantive tests of transactions
• substantive analytical procedures
• tests of details of balances
21) Describe the five types of audit tests. Identify which of the five types are substantive tests, and which are used to reduce assessed control risk.
The five types of audit tests used to determine whether financial statements are fairly stated are: risk assessment procedures, tests of controls, substantive tests of transactions, substantive analytical procedures, and tests of details of balances. Substantive tests of transactions, substantive analytical procedures, and tests of details of balances are substantive tests, whereas procedures to obtain an understanding of internal control and tests of controls are used to reduce assessed control risk. Auditors use substantive analytical procedures and tests of details of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness of internal controls and the dollar amounts of the transactions.
22) Discuss the purposes of (1) substantive tests of transactions, (2) tests of controls, and (3) tests of details of balances. Give an example of each.
The purpose of substantive tests of transactions is to determine whether all six transaction-related audit objectives have been satisfied for each class of transactions. For example, as part of the auditor's test of the accuracy objective for sales, the auditor would compare the amount recorded in the sales journal for a sample of sales transactions with the total on the corresponding sales invoices.
The purpose of tests of controls is to determine the effectiveness of both the design and operations of specific internal controls. For example, the auditor might observe for a month whether statements are mailed to all customers.
The purpose of tests of details of balances is to determine the monetary correctness of the accounts to which they relate. The confirmation of accounts receivable is an example.
23) There are three stages of the audit in which analytical procedures are performed. Identify each of these three stages and, for each stage, discuss the purpose of performing analytical procedures in that stage. Also indicate in which stage(s) analytical procedures are required by current professional auditing standards.
Analytical procedures are performed in the audit planning stage to help the auditor decide the other evidence needed to satisfy sufficient competent evidence requirements. Analytical procedures can also be performed as substantive tests in the testing phase of the audit. Analytical procedures are performed in the audit completion phase as a final test of reasonableness. Auditing standards require that analytical procedures be performed in the planning and completion phases of every audit.
12) There are eight types of audit evidence: physical examination, confirmation, inspection, observation, inquiries of the client, reperformance, analytical procedures, and recalculation. For each of the following types of audit tests, indicate the type(s) of evidence that can be obtained through the test: (1) tests of controls, (2) substantive tests of transactions, (3) analytical procedures, and (4) tests of details of balances.
1. Tests of controls. Inspection, observation, inquiries of the client, reperformance
2. Substantive tests of transactions. Inspection, inquiries of the client, reperformance, recalculation
3. Substantive analytical procedures. Inquiries of the client, analytical procedures
4. Tests of details of balances. Physical examination, confirmation, inspection, inquiries of the client, reperformance, recalculation
5) When designing tests of controls and substantive tests an auditor is gathering evidence to satisfy the transaction-related audit objectives. What are the four steps the auditor would normally follow to reduce assessed control risk?
1. Apply the transaction-related audit objectives to the class of transactions being tested.
2. Identify key controls that should reduce control risk for each transaction-related audit objective.
3. Develop appropriate tests of controls for all internal controls that are used to reduce the preliminary assessment of control risk below maximum (key controls).
4. For potential types of misstatements related to each transaction-related audit objective, design appropriate substantive tests of transactions, considering deficiencies in internal control and expected results of the tests of controls.
14) In phase IV of the audit, complete the audit and issue an audit report, there are five activities required. List below the activities.
1. perform additional tests for presentation and disclosure
2. accumulate final evidence
3. evaluate results
4. issue audit report
5. communicate with audit committee and management
15) In accumulating final evidence upon which to base an audit opinion, the auditor should perform four activities. List the activities below.
1. perform final analytical procedures
2. evaluate the going concern assumption
3. obtain a client representation letter
4. read information in the annual report to ensure that it is consistent with the financial statements
16) Discuss the major activities and procedures performed by the auditor in the plan and design of the audit approach.
• accept client and perform initial planning
• understand the client's business and industry
• perform preliminary analytical procedures
• set preliminary judgment of materiality and performance materiality
• identify significant risks due to fraud or error
• assess inherent risk
• understand internal control and assess control risk
• finalize overall audit strategy and audit plan