Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

Internal Control: Principles, Components, and Audit Considerations - ACCT 3222, Exams of Accounting

A comprehensive overview of internal control principles and components, as defined by coso. It explores the relationship between internal control and audit procedures, highlighting the importance of understanding internal control for auditors. The document also delves into the benefits and risks of it on internal control, and outlines the 17 principles underlying the five components of internal control. It includes detailed explanations and examples, making it a valuable resource for students studying accounting and auditing.

Typology: Exams

2024/2025

Available from 03/27/2025

bryanryan
bryanryan ๐Ÿ‡บ๐Ÿ‡ธ

3.9

(8)

11K documents

1 / 14

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
LSU - ACCT 3222 - Chapter 6 โ€“ Questions โ€“
With Complete Solutions
Internal Control (IC) correct answer: - Management has the
responsibility to design and maintain a system of IC that
provides reasonable assurance that assets and records are
properly safeguarded, and that the entity's information system
generates information that is reliable for decision making.
- Important for auditors because the auditor needs assurance
about how well the assets and records of the entity are
safeguarded and about the reliability of the data generated by the
information system.
- Auditor uses risk assessment procedures to obtain an
understanding of the entity's internal control, which helps the
auditor identify key controls, recognize types of potential
misstatements, and design tests of controls and substantive
procedures.
- Inverse relationship between the reliability of IC and the
amount of substantive evidence required of the auditor.
COSO Internal Control Definition correct answer: - A system of
IC is designed and a carried out by an entity's board of directors,
management, and other personnel to provide reasonable
assurance about the achievement of the entity's objectives in the
following categories: (1) reliability, timeliness, and transparency
of internal and external, non financial and financial reporting,
(2) effectiveness and efficiency of operations including the
safeguarding of assets, and (3) compliance with applicable laws
and regulations.
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe

Partial preview of the text

Download Internal Control: Principles, Components, and Audit Considerations - ACCT 3222 and more Exams Accounting in PDF only on Docsity!

LSU - ACCT 3222 - Chapter 6 โ€“ Questions โ€“

With Complete Solutions

Internal Control (IC) correct answer: - Management has the responsibility to design and maintain a system of IC that provides reasonable assurance that assets and records are properly safeguarded, and that the entity's information system generates information that is reliable for decision making.

  • Important for auditors because the auditor needs assurance about how well the assets and records of the entity are safeguarded and about the reliability of the data generated by the information system.
  • Auditor uses risk assessment procedures to obtain an understanding of the entity's internal control, which helps the auditor identify key controls, recognize types of potential misstatements, and design tests of controls and substantive procedures.
  • Inverse relationship between the reliability of IC and the amount of substantive evidence required of the auditor. COSO Internal Control Definition correct answer: - A system of IC is designed and a carried out by an entity's board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories: (1) reliability, timeliness, and transparency of internal and external, non financial and financial reporting, (2) effectiveness and efficiency of operations including the safeguarding of assets, and (3) compliance with applicable laws and regulations.
  • Purpose of IC Framework is to help management better control the organization and to provide boards of directors an added ability to oversee internal control.
  • IC allows management to focus on operations and financial performance goals while maintaining compliance with relevant laws and minimizing surprises. Benefits and Risks of IT on Entity's Internal Control correct answer: Components of Internal Control correct answer: - Control Environment: sets the tone of the organization; importance of control to an entity is reflected in the overall attitude, awareness, and actions of the board of directors, management, and owners regarding IC ("tone at the top"); establishes the foundation for implementing the entity's system of internal control.
  • Entity's Risk Assessment Process: identifies and responds to business risks in relation to achieving business objectives; should consider external and internal events and circumstances that may arise and adversely affect the entity's ability to initiate, authorize, record, process, and report financial data consistent with management's F/S assertions; management should then consider the significance of the risks identified, the likelihood of their occurrence, and how they should be managed; may have to accept certain risks as costs > benefits.
  • Control Activities: policies and procedures that help ensure that management directives are carried out and implemented to address risks identified in the risk assessment process; ex: approvals, authorizations, verifications, reconciliations, reviews of operating performance, and segregation of duties.

entity's activities; information availability and willingness/ability to act on information; extent to which difficult questions are raised and pursued with management; and nature and extent of interactions with internal and external auditors.

  1. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  • Includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate with and contribute to those objectives, and recognize how and for what they will be held accountable.
  1. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  • Entity should have sound personnel policies for hiring, orienting, training, evaluating, counseling, promoting, compensating, planning for succession, and taking remedial action.
  1. The organization holds individuals accountable for their IC responsibilities in the pursuit of objectives. Entity's Risk Assessment Process correct answer: 6) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  • Considers factors that influence the severity, velocity, and persistence of risk; likelihood of the loss of assets; and related impacts on operations, reporting, and compliance activities.
  1. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  2. The organization identifies and assesses changes that could significantly impact the system of IC.
  • Entity considers the impact of changes to the regulatory, economic, and physical environment in which it operates, as well as new or dramatically altered business lines, rapid growth, changing reliance on foreign geographies, and new technologies; also considers changes in management and the resulting changes in attitudes/philosophies related to IC. Control Activities correct answer: 10) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  1. The organization selects and develops general control activities over technology to support the achievement of objectives.
  2. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
  • Types of Control Activities: A) Performance Reviews (Independent Checks) - senior management should review actual performance versus budgets, forecasts, prior periods and competitors; personnel with management or oversight responsibility should review and analyze relationships among both financial and non financial data, investigate unusual items, and take corrective actions when necessary

Monitoring of Controls correct answer: 16) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning.

  1. The organization evaluates and communicates IC deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Auditor's Consideration of Internal Control and its Relation to Substantive Procedures correct answer: - There is no single strategy for the entire audit; rather the auditor establishes a strategy for individual business processes (ex: revenue or purchasing) or by specific assertion (ex: occurrence or completeness).
  • It is expected that every public company audit will follow a reliance strategy for significant account balances or assertions. Substantive Strategy correct answer: - Means that the auditor has decided not to rely on the entity's controls and instead use substantive procedures as the main source of evidence about the assertions in the F/S.
  • Still need to have an understanding of the entity's IC hot know whether they are properly designed and implemented.
  • This strategy is chose b/c the auditor has determined that: A) Implemented controls do not pertain to the assertion the auditor is considering. B) Implemented controls are assessed as ineffective. C) Testing the operating effectiveness of the controls would be inefficient.
  • Document that control risk is being set as high and substantive procedures are designed and performed based on the assessment of a high level of control risk. Reliance Strategy correct answer: - Means that the auditor intends to rely on the entity's control.
  • May need a more detailed understanding of IC to develop a preliminary or "planned" assessment of control risk.
  • Next step would be to plan and perform tests of controls; results are used to assess the "achieved" level of control risk.
  • If tests of controls support the planned level of control risk, then no revisions of the planned substantive procedures are required; otherwise will probably have to increase the planned substantive procedures. Assertions about Classes of Transactions and Events and Related Control Procedures correct answer: Obtain an Understanding of Internal Control correct answer: - Must obtain an understanding of all five components.
  • Auditor uses this knowledge to:
  1. Identify types of potential misstatements
  2. Pinpoint the factors that affect the RMM
  3. Design tests of controls and substantive procedures
  • Audit Procedures used to understand IC:
  1. Inquiry of management, supervisory, and staff personnel
  2. Inspection of entity documents and reports
  3. Observation of entity activities and operations Use of IT Specialist in Understanding of Internal Control correct answer:
  1. IC questionnaires - provide a systematic means for the auditor to investigate various areas, like IC; generally used for entities with complex IC structure.
  2. Flowcharts - provide a diagrammatic representation (picture) of the entity's accounting system; outlines the configuration of the system in terms of functions, documents, processes, and reports.
  3. Narrative description - memorandums; most appropriate when the entity has a simple IC system. Limitations of Entity's Internal Control correct answer: - Management override of internal control (raises questions about management's integrity)
  • Human errors or mistakes
  • Collusion To Set Control Risk as Moderate or Low (Not High) correct answer: Auditor must:
  • Identify specific controls that will be relied upon
  • Perform tests of the identified controls
  • Conclude on the achieved level of control risk given results of testing Tests of Controls correct answer: - Performed in order to provide evidence to support lower level of control risk when using a reliance strategy.
  • Tests of controls directed toward the effectiveness of the design of a control are concerned with evaluating whether that control is suitably designed to prevent or detect and correct material misstatements.
  • Tests of controls directed toward operating effectiveness are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period and by whom it was applied.
  • If designed properly, auditor usually needs to run fewer tests of controls on automated controls versus manual controls (human error). Concluding on Achieved Level of Control Risk correct answer:
  • Comes after planned tests of controls have been completed.
  • Auditor uses combination of achieved level of control risk and assessed level of inherent risk to determine the level of detection risk that is needed in order to bring audit risk to an acceptably low level.
  • If tests of controls indicate that the controls are not operating as originally assessed, this means the achieved level of control risk is higher than the planned level and thus the nature, timing, and extent of planned substantive procedures will have to be modified. Substantive Procedures Examples correct answer: 1) Audit Risk = low, RMM = high >>> to achieve a low detection risk, auditor must (1) obtain more reliable types of substantive evidence, like confirmation and reperformance, (2) conduct most of the substantive audit work at year-end, and (3) make the tests more extensive (larger sample size) >>> auditor must fill assurance bucket almost entirely with substantive evidence.
  1. Audit Risk = low, RMM = low >>> high detection risk, auditor can (1) have less reliable types of evidence, like analytical procedures, (2) conduct much of the audit work at an
  • Entity staff accountants are generally less busy at interim dates then at year-end.
  • If controls are not operating effectively, interim tests give the auditor more time to reassess control risk / modify audit plan, as well as provide management with details of areas that are likely to have misstatements to be corrected before year-end.
  • At year-end, auditor should at least inquire about nature and extent of any changes in policies, procedures or personnel for that occurred subsequent to interim period.
  • For public companies, significant testing of controls around year-end is necessary. Interim Substantive Procedures:
  • Conducting only at interim date may increase the risk that material misstatements are present in F/S.
  • Additional substantive procedures normally required in remaining period, even if many substantive procedures are performed at interim dates.
  • If control risk is assessed as high, fewer substantive procedures should be performed at interim dates.
  • See attached picture for more details. SOC 1 Reports correct answer: Type 1 Report:
  • Report on management's description of a service organization's system and suitability of design of controls.
  • Includes management's description of service organization's system, written assertion by management stating the description fairly presents the system, and the auditor's opinion as to whether the service organization's controls are suitably designed to achieve management's control objectives. Type 2 Report:
  • Report not only on the auditor's opinion on the suitability of the design of the service organization's controls, but also on the operating effectiveness of those controls.
  • Auditor may reduce control risk below high for a client that uses a service organization on the basis of a service auditor's SOC 1, Type 2 Report. Deficiencies and Material Weakness correct answer: - Control Deficiency in IC exists when the design or operation of a control does not allow management or employees to prevent or detect and correct misstatements on a timely basis.
  • Significant Deficiency is a deficiency in IC that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Material Weakness is a deficiency in IC, such that there is a reasonable possibility that a material misstatement of the entity's F/S will not be prevented or detected and corrected on a timely basis.