Practice Question.

Internal Controls

Introduction—Importance of Understanding the

d. Analyze monthly production reports to identify
Entity's Internal Control
variances and unusual transactions.
1. According to PSA 315, an auditor uses the
6. Which of the following is not useful for obtaining an
understanding of internal control to:
understanding of internal controls?
a. Identify types of potential misstatements
a. Make inquiries of the client’s personnel.
b. Consider factors that affect the risks of material
b. Examine documents and records.
misstatement
c. Read industry trade magazines.
c. Design the nature, timing and extent of further
d. Observe client activities and operations.
audit procedures
d. All of the above
Nature of Internal Control
2. Reasons to evaluate internal control would not
7. The process designed and effected by those charged
include
with governance, management, and other personnel
a. Basis for planning the audit.
to provide reasonable assurance about the
b. Determining the nature, timing, and extent of
achievement of the entity’s objectives with regard to
substantive procedures.
reliability of financial reporting, effectiveness and
c. Basis for type of opinion to be rendered.
efficiency of operations and compliance with
d. Formulating constructive suggestions for
applicable laws and regulations.
improvements.
a. Internal Control c. Administrative control
b. Accounting control d. Control environment
RAP to Obtain Understanding of Internal Control
8. The financial statements are not likely to correctly
3. The auditor’s understanding of the accounting and
reflect GAAP if the:
internal control systems significant to the audit is
a. controls affecting the reliability of financial
ordinarily obtained through previous experience with
reporting are inadequate.
the entity. In addition, the auditor may perform the
b. company’s controls do not promote efficiency.
following procedures, except
c. company’s controls do not promote effectiveness.
a. Inquiries of appropriate management,
d. company’s control do not promote compliance
supervisory and other personnel at various
with applicable rules and regulations.
organizational levels within the entity,
together with reference to documentation,
9. Among the three objectives of internal control, which
job descriptions and flow charts, although
is of most importance to the auditor in an audit of
inquiry although is not sufficient.
financial statements?
b. Inspection of documents and records produced by
a. Reliability of financial reporting.
the accounting and internal control system.
b. Effectiveness and efficiency of operations.
c. Observation of the entity’s activities and
c. Compliance with applicable laws and regulations.
operations, including observation of the
d. All of the above.
organization of computer operations,
management personnel and the nature of
10. What is the relationship between an entity’s
transaction processing.
objectives and the controls it implements to provide
d. Reperformance of internal control procedures.
reasonable assurance about their achievement?
a. Direct. c. None
4. Risk assessment procedures performed to obtain
b. Inverse d. Both A and B
evidence about the design and implementation of
relevant controls include
11. An entity’s internal control encompasses its
a. External confirmation.
a. People. c. Processes.
b. Recalculation.
b. Units and function. d. All of the above.
c. Analytical procedures.
d. Tracing transactions or walkthrough.
12. The primary responsibility for designing,
implementing and maintaining internal control rests
5. In obtaining an understanding of a manufacturing
with
entity’s internal control concerning inventory a. Internal auditors c. The external auditor
balances, an auditor most likely would
b. The CFO d. The management/TCWG
a. Review the entity’s descriptions of inventory
policies and procedures.
Inherent Limitations of Internal Control
b. Perform test counts of inventory during the
entity’s physical count.
13. When considering internal control, an auditor must be
c. Analyze inventory turnover statistics to identify
aware of the concept of reasonable assurance, which
slow-moving and obsolete items.
recognizes that
 a. Employment of competent personnel provides addressing fraud risk implemented by management
assurance that the objectives of internal control and those charged with governance.
will be achieved.
c. The absence of programs and controls
b. Establishment and maintenance of internal
addressing fraud risk of control environment
control is an important responsibility of the
may not represent a material weakness.
management and not of the auditor.
d. The evaluation of the design of the control
c. Cost of internal control procedures should
environment includes considering the seven
not exceed the benefits expected to be
elements of control environment.
derived from the control.
d. Segregation of incompatible functions is
19. Which of the following factors are included in an
necessary to ascertain that the control
entity’s control environment?
procedures are effective. a. b. c. d.
Integrity and ethical values Yes No Yes Yes
14. Which of the following is not one of the inherent Commitment to competence Yes Yes No Yes
limitations of internal control?
Participation of those
a. Faulty human judgment. Yes Yes No Yes
charged with governance
b. Collusion.
Management’s philosophy
c. Management override. and operating style Yes Yes No Yes
d. Lack of proper segregation of incompatible Organizational structure No Yes Yes Yes
duties.
Assignment of authority and No Yes Yes Yes
responsibility
15. Which of the following is most likely to be a direct Human resources policies
consequence of the fact that internal controls have and procedures Yes No Yes Yes
inherent limitations that normally cannot be
completely eliminated?
20. Which of the following relates to human resource
a. Inherent risk must be greater than zero.
policies and practices factor of control environment?
b. Risk of material misstatement must be greater
a. Effective communication of standards and values
than zero.
and removal of incentives and temptations for
c. Audit risk must be greater than zero.
dishonest or unethical acts.
d. Detection risk must be greater than zero.
b. Management’s approach to taking and managing
business risks.
The Five Components of Internal Control and The
c. Consideration of key areas of authority and
Auditor's Required Understanding
responsibility and appropriate lines of reporting.
d. Recruitment, orientation, training,
16. Control environment component of internal control
evaluation, counseling, promotion,
a. Consists of the policies and procedures that help
compensation, and remedial action.
ensure that management directives are carried
out.
21. In obtaining an understanding of control environment
b. Includes the governance and management
component of internal control, an auditor should
functions and the attitudes, awareness, and
evaluate whether
actions of those charged with governance
a. Management, with oversight of TCWG, has
and management concerning the entity’s
created and maintained a culture of honesty and
internal control and its importance in the
ethical behavior.
entity.
b. The strengths of control environment elements
c. Is the entity’s process for identifying business
provide a foundation for the other components of
risks relevant to financial reporting objectives
internal control.
and deciding about actions to address those c. Both a and b.
risks, and the results thereof.
d. Neither a nor b.
d. Consists of the procedures and records
established to initiate, authorize, record, process,
Risk Assessment
and report entity transactions, events and
conditions and to maintain accountability for the 22. Which of the following risks should be considered by
related assets, liabilities, and equity.
the entity’s risk assessment process?
a. b. c. d.
17. Monitoring
Changes in operating
a. Is the entity’s identification and analysis of Yes Yes Yes Yes
environment.
relevant risks as a basis for their management. New personnel. Yes Yes Yes No
b. Support the identification, capture, and exchange
New or revamped
of information in a form and time frame that
information systems. Yes Yes Yes Yes
enable people to carry out their responsibilities.
Rapid growth. Yes No No Yes
c. Is a process that assesses the quality of
New technology. Yes Yes No No
internal control performance over time.
New business models,
d. Sets the tone of an organization, influencing the
products, or activities. Yes Yes Yes Yes
control consciousness of its people.
Corporate restructurings. Yes Yes Yes Yes
Expanded foreign Yes Yes Yes Yes
Control Environment
operations.
18. Which of the following is incorrect regarding control New accounting
pronouncements. Yes Yes Yes Yes
environment component of internal control?
a. The foundation for the other components of
internal control to function as control 23. In obtaining an understanding of an entity’s risk
environment provides discipline and structure. assessment process component of internal control,
b. To understand the control environment, the an auditor should evaluate whether the entity has a
auditor considers programs and controls process for
 a. b. c. d.
Identifying business risks. Yes Yes Yes Yes
 Estimating the significance c. The human resources department authorizes the
of the risks. Yes Yes Yes No hiring of only those persons for accounting
Assessing likelihood of positions that meet the written job requirements
occurrence. Yes Yes No Yes specified by the corporate controller.
Deciding actions to address d. An accounting manual, accompanied by a
those risks. Yes No No Yes detailed chart of accounts, carefully and clearly
describes each type of transaction affecting the
Control Activities entity.

24. Control activities are policies and procedures helping 31. Internal controls may be preventive, detective, or
to ensure that actions are taken to address risks to corrective. Which of the following is preventive?
achievement of entity’s objectives. Control activities a. Requiring two persons to open mail.
may be b. Reconciling the accounts receivable subsidiary file
a. Manual. with the control account.
b. Automated. c. Using batch totals.
c. Manual and automated. d. Preparing bank reconciliations.
d. All of the above.
Information System and Communication
25. Control activities component of internal control
include 32. An information system consists of that
a. b. c. d. interrelate to achieve a business goal.
Performance reviews Yes Yes Yes No a. b. c. d.
Information processing Yes No No Yes Physical and hardware
Physical controls Yes Yes No No infrastructure. Yes Yes Yes No
Segregation of duties Yes Yes Yes Yes Software. Yes No No Yes
Authorization Yes Yes Yes Yes Data. Yes Yes No No
Manual and automated
26. Which of the following control activities refers to procedures. Yes Yes Yes Yes
information processing control? People. Yes Yes Yes Yes
a. Reviews of actual performance versus budgets
and prior performance. 33. An information system
b. Checking of accuracy, completeness, and a. b. c. d.
authorization of transactions, which include Identifies and records all
general controls and application controls. valid transactions. Yes Yes Yes No
c. The safeguarding of assets, records, Describes transactions
periodic counts, and reconciliations that sufficiently for proper
creates asset accountability. classification. Yes No No Yes
d. The separation of the functions to minimize the Measures transactions. Yes Yes No No
opportunities for a person to be able to Determines the proper
perpetrate and conceal errors or fraud in the reporting period for
normal course of his/her duties. transactions. Yes Yes Yes Yes
Presents transactions and
27. Proper segregation of functional responsibilities calls related disclosures Yes Yes Yes Yes
for separation of the functions of authorization properly.
recording and custody
a. Authorization, execution, and recording. 34. Communication component of internal control
b. Authorization, execution, and payment. includes providing an understanding to employees
c. Custody, execution, and reporting. about their roles and responsibilities. Communication,
d. Authorization, payment, and recording. electronic, oral or by management actions, may be
through
28. Which of the following statements is correct with a. Policy manuals.
respect to separation of duties? b. Financial reporting manuals.
a. Employees should not have temporary and c. Memoranda.
permanent custody of assets. d. All of the above.
b. Employees who authorize transactions should not
have custody of related assets. Monitoring
c. It is permissible to allow an employee to open
cash
receipts and record those receipts. receipts and depositing cash.
d. Employees who authorize transactions should b. Bank accounts are reconciled monthly by persons
have recording responsibility for these independent of cash recording and cash custody.
transactions.

29. Physical controls to safeguard assets would include:

a. hiring only trustworthy cashiers
b. segregation of duties
c. locks on the warehouse doors
d. safety audits on the production-line

30. Controls that enhance the reliability of the financial

statements may be classified as prevention controls
and detection controls. Which of the following is
primarily a detection control?
a. Separation of duties between recording cash
35. A component of COSO’s internal control system
concerns the process that provides feedback on
the effectiveness of the other components of
internal control. This component is called:
a. Information & communication c. Monitoring
b. Control activities d. Risk assessment

36. The monitoring process of internal control does

not involve
a. Ongoing activities and separate evaluations
b. Actions of internal auditors
c. Communications from external parties.
d. None of the above

37. An entity's ongoing monitoring activities, which

are built into normal recurring actions, often
include
a. Periodic audits by the audit committee.
b. Reviewing or supervising the purchasing function.
 c. The audit of the annual financial statements. small business is whether the enterprise is auditable.
d. Control risk assessment in conjunction with Which
quarterly reviews.

Entity-Level and Transaction-Level Internal

Controls

38. Statement 1: Entity-level internal controls are

pervasive controls that relate to the overall
operations of an entity.

Statement 2: Transaction-level internal controls are

specific controls that ensure transactions are
accurately and timely recorded, authorized, and
processed.
a. True, true
b. True, false
c. False, true
d. False, false

Evaluating Entity-Level Controls

39. An auditor typically follows a approach in

obtaining an understanding of internal control.
a. Top-down.
b. Bottom-up.
c. Parallel.
d. All of the above.

The Entity's Transaction Cycles and Controls

40. An entity’s transaction cycles typically include

a. b. c. d.
Revenue and receipt cycle Yes Yes Yes No
Purchasing and
disbursement cycle Yes No No Yes
Personnel and payroll cycle Yes Yes No No
Inventory and production Yes Yes Yes Yes
cycle
Financing and investing Yes Yes Yes Yes
cycle

41. Which of the following statements with respect to the

independent auditor's evaluation of internal control is
correct?
a. The auditor should decrease control testing when
weaknesses in cash receipts are mitigated by
strong controls in cash disbursement procedures.
b. The auditor should increase control testing when
weaknesses in billing procedures are mitigated by
strong controls in collection procedures.
c. The auditor generally should not evaluate the
overall effectiveness of internal control, but
should separately evaluate each of the
transaction cycles.
d. The auditor should evaluate all internal control
weaknesses before determining the control
procedures that should prevent or detect errors
or irregularities.

42. Why does the auditor divide the financial statements

into smaller segments?
a. Using the cycle approach makes the audit more
manageable.
b. Most accounts have few relationships with others
and so it is more efficient to break the financial
statements into smaller pieces.
c. The cycle approach is used because auditing
standards require it.
d. All of the above are correct.

Internal Control in Smaller Entities

43. An important issue that arises in the context of a

 of the following factors would be most likely to b. Majority.
indicate to a CPA that a small business c. At least four.
enterprise was not auditable? d. All the five.
a. The inherent risk of material misstatement is high.
b. The company relies solely on manual data
processing of basic transactions.
c. There are a limited number of employees
and poor segregation of duties.
d. Underlying source documents for
transactions are not retained.

44. Which of the following is most likely to be a

characteristic of an owner-managed small
business?
a. A formal organization structure
b. A strong control environment
c. Management tendency to override
internal controls
d. Effective segregation of duties

45. Which of the following risk assessments or

values is least likely to be characteristic of a
small business audit?
a. Business risk is low.
b. Control risk is low.
c. Inherent risk is low
d. Detection risk is low.

46. In auditing smaller entities, an auditor usually

finds it more efficient to apply
a. Tests of controls strategy.
b. Substantive procedures strategy.
c. Combination of a and b.
d. Any of the above.

47. Under what circumstances is testing of controls

required when auditing a small business?
a. For those accounts where the auditor has
determined that there are significant
inherent risks of material misstatement
b. For those accounts for which substantive
testing alone does not provide sufficient
assurance
c. For those accounts where the auditor has
determined the risk of fraud to be higher
than normal
d. For all accounts containing one or more
transactions that are individually material in
amount

48. Which of the following best describes the level of

engagement risk when a CPA audits the financial
statements for a small business client?
a. Low
b. Moderate
c. High
d. Maximum

Scope of Internal Control

Understanding— Determining
Relevant Controls

49. PSAs require the auditor to obtain understanding of

the entity’s internal control structure
a. For first time audit clients.
b. For every audit.
c. Whenever the auditor wishes or sees necessary.
d. Sufficient to find any frauds that may exist.

50. In all audits, the auditor should obtain an

understanding of components of
internal control sufficient to assess the risk of
material misstatement and to design further
audit procedures.
a. Depends on the management’s permission.
 b. Controls over accuracy.
c. Both a and b.
51. With respect to the client's system of internal control,
d. Neither a nor b.
the auditor is concerned that the existing policies and
procedures provide reasonable assurance that
a. Operational efficiency has been achieved in
accordance with management plans.
b. Errors and fraud have been prevented or
detected.
c. Controls have not been circumvented by
collusion.
d. Management cannot override the internal
controls.

52. An internal control is relevant to an audit of financial

statements if it addresses risks of material
misstatement. In determining whether a control is
relevant, an auditor shall consider
a. Materiality and significance of risk.
b. Size and nature of entity.
c. How a specific control prevents, or detects and
corrects, material misstatement.
d. All of the above.

53. Which of the following statements is false with regard

to the auditor’s consideration of an entity’s internal
control?
a. An entity may have controls relating to objectives
that are not relevant to audit and need not be
considered.
b. Understanding internal control relevant to each
operating unit or business function may not be
necessary to perform an audit.
c. The auditor’s primary consideration of internal
control is whether the control affects financial
statement assertions.
d. Internal control is considered relevant to the
audit of financial statements when the control
addresses all business risks.

54. Which of the following statements is false with regard

to the auditor’s consideration of an entity’s internal
control?
a. Controls over financial reporting objectives are
usually relevant to audit of financial statements.
b. Controls over operations and compliance
objectives are totally not relevant to audit of
financial statements.
c. Controls over operations and compliance
objectives may be relevant to audit of financial
statements if they relate to information or data
involved in performance of audit procedures such
as those controls related to nonfinancial data
used in analytical procedures and noncompliance
with laws and regulations.
d. Controls over safeguarding of assets such as limit
access to data and programs (e.g., passwords)
that process cash payments are relevant to audit
of financial statements.

55. Which of the following internal control is most likely

relevant to an audit of financial statements?
a. A TV manufacturer’s computerized production
scheduling system.
b. An airline’s automated controls that maintain
flight schedules.
c. A furniture manufacturer’s controls for incidental
sales of scrap materials that accounts for less
than 1% of total sales.
d. A bank’s loan approval process.

56. When an auditor uses information produced by the

entity, which of the following controls is(are)
relevant?
a. Controls over completeness.
57. Identifying relevant controls is least likely c. Decision table. c. Check list.
facilitated by d. Policy manual. d. Questionnaire.
a. Previous experience.
b. The understanding of the entity and its 64. A decision table
environment.
c. Information gather during the during.
d. Rate of responses to bank confirmation letters.

Extent of Understanding of the Entity's

Relevant Controls—Design and
Implementation

58. The auditor must evaluate the design of relevant

controls and determine whether they have been
implemented. Evaluating the design of the
entity’s internal control would involve
a. Considering whether the control, individually
or in combination with other controls, is
capable of effectively preventing or detecting
and correcting, material misstatements.
b. Determining whether control exists and the
entity is using it.
c. Determining the how, by whom, and
consistency of application of internal control.
d. Determining whether the control is operating
effectively.

59. Obtaining an understanding of internal control

through risk assessment procedures involves
evaluating the
a. b. c. d.
Design of internal control. Yes Yes Yes Yes
Implementation of internal Yes No No Yes
control.
Operating effectiveness of
internal control. Yes Yes No No

60. When is the case that obtaining an

understanding of internal control is sufficient to
test the operating effectiveness of control?
a. Controls are highly automated and the IT
general controls are effective.
b. Controls are non-complex in nature.
c. Controls are periodically evaluated by
internal auditors.
d. Controls are sophisticated and critical.

61. When obtaining an understanding of an entity’s

internal controls, an auditor should concentrate
on their substance rather than their form
because
a. The controls may be operating effectively
but may not be documented.
b. Management may establish appropriate
controls but not enforce compliance with
them.
c. The controls may be so inappropriate that
the auditor assesses control risk at the
maximum.
d. Management may implement controls whose
costs exceed their benefits.

Documentation of Understanding of Internal Control

62. Which of the following is not a medium that can

normally be used by an auditor to record
information concerning a client's internal control
policies and procedures?
a. Narrative memorandum. c. Flowchart.
b. Procedures manual. d. Questionnaire.

63. Which of the following is not a medium that can

normally be used by an auditor to record
information concerning a client's internal control
policies and procedures?
 a. Consists of a series of procedures to be
d. The auditor traces three purchasing transactions
performed.
from the purchase order to the financial
b. Logic diagrams presented in matrix form.
statement for observation and understanding.
c. A written description of the process and flow of
documents and of the control points.
70. In considering internal control, what is the purpose of
d. Diagrams of the client’s system that track the
a transaction walk through?
flow of documents and processing.
a. To assure that employees are performing
assigned functions accurately.
65. Questionnaires consist of a series of interrelated
b. To confirm the auditor's understanding of the
questions about internal control policies and
internal control structure.
procedures. The questions are typically phrased so
c. To select documents for detailed tests of controls.
that a “Yes” indicates a control strength and a “No”
d. To verify the results of the auditor's sampling plan.
indicates a potential weakness. An advantage(s) of
the questionnaire is(are)
71. Obtaining knowledge about whether the control is
a. Provide a visual representation of the system and
implemented can best be obtained by
flexible in construction. a. Inquiry of client’s personnel.
b. Help identify control concerns and prevents the b. Performing tests of control.
auditor from overlooking important control c. Reading procedures manual.
considerations.
d. Tracing transactions through the information
c. Flexible to prepare, although difficult for a
system relevant to financial reporting.
complex system.
d. Identify the contingencies considered in the
Deficiencies in Internal Control
description of a problem and the appropriate
actions to be taken in each case.
72. Which of the following is not one of the levels of an
absence of internal controls?
66. An auditor must document his/her understanding of
a. Control deficiency.
internal control using
b. Significant deficiency.
a. A narrative memorandum.
c. Material weakness.
b. A flowchart.
d. Major deficiency.
c. A questionnaire.
d. Any form.
73. Deficiency in internal control exists when:
a. A control is unable to prevent, or detect and
Walkthrough Tests
correct, F/S misstatements timely.
b. A necessary control is missing.
67. A procedure that involves tracing a transaction from
c. Either a or b.
its origination through the company's information
d. Neither a nor b.
systems until it is reflected in the company's financial
report is referred to as a(n)
74. A(n) deficiency exists if a necessary control
a. Analytical analysis.
is missing or not properly formulated.
b. Substantive procedure.
a. Control.
c. Test of a control.
b. Significant.
d. Walk-through
c. Design.
d. Operating.
68. Which of the following statements is incorrect about
walk-through test?
75. An operation deficiency exists when
a. A procedure required to be performed every year
a. a properly designed control does not operate as
of audit and to verify the identified “what can go
designed.
wrongs” that have the potential to materially
b. the person performing the control does not
affect relevant financial statement assertions
possess the necessary authority or competence.
related to significant accounts and disclosures
c. Either a or b.
within each significant class of transactions.
d. Neither a nor b.
b. This procedure may be treated as part of tests of
control.
76. If the auditor finds a material weakness in the
c. This procedure is performed to evaluate the
controls of the client, it represents a deficiency in the
effectiveness of the design of controls and
design or operation of a control
determine (confirm) whether the controls are
a. that adversely affects the company’s ability to
implemented (placed in operation) by the client.
initiate, record, process, or report external
d. The nature and extent of walk-through tests
financial data reliably in accordance with GAAP.
performed by the auditor are such that they
b. that negatively affects the company’s ability to
alone would provide sufficient appropriate audit
initiate, record, process, or report external
evidence to support a control risk assessment
financial data reliably in accordance with GAAP.
which is less than high.
c. that results in a remote possibility that a material
misstatement of the annual or interim financial
69. Which of the following best represents a walk-
statements will not be prevented or detected.
through?
d. that results in a reasonable possibility that a
a. The controller reviews the bank reconciliation
material misstatement of the annual or interim
prepared by the accountant and its resulting
financial statements will not be prevented or
journal entries.
detected.
b. The auditor walks the production line to find
inefficiencies in the inventory process and reports
77. In general, a material weakness in internal control
them to management.
may be defined as a condition in which material
c. The controller takes a sample of write-offs to
errors or irregularities may occur and not be detected
ensure they have been adequately documented
within a timely period by
and recorded.
a. An independent auditor during tests of controls.
 b. Employees in the normal course of performing
and communicated this finding in writing to the
their assigned functions.
client's senior management and those charged with
c. Management when reviewing interim financial
governance. The auditor should
statements and reconciling account balances.
a. Consider the weakness a scope limitation and
d. Outside consultants who issue a special-purpose
therefore disclaim an opinion.
report on internal control structure.
b. Suspend all audit activities pending directions
from the client's audit committee.
78. The auditor is not obligated to search for deficiencies
c. Withdraw from the engagement.
in internal control, although the he/she must
d. Consider the effects of the condition on the audit.
communicate control deficiencies noted. Which of the
following control deficiencies the auditor must
80. When a compensating control exists, the absence of
communicate to management and those charged with
a key control:
governance?
a. is still a major concern to the auditor.
a. Control deficiency.
b. could cause a material loss, so it must be tested
b. Significant deficiency.
using substantive procedures.
c. Material weakness.
c. is magnified and must be removed from the
d. Both b and c.
sampling process and examined in its entirety.
d. is no longer a concern because there is no longer
79. During the audit the independent auditor identified
a significant deficiency or material weakness.
the existence of a weakness in the client's internal
control