Internal auditing

1. Which of the following would be least likely to be regarded as a test of control?
   1. Tests of the additions to property by physical inspection
   2. Tests of the signatures on cancelled checks to the authorized check signer list
   3. Test of signatures on purchase orders
   4. Recalculation of payroll deductions
2. Which of the following is least likely to be evidence of operating effectiveness?
   1. Cancelled supporting documents
   2. Confirmations of accounts payable
   3. Records of documenting usage of computer programs
   4. Signatures on authorized forms
3. Which is the most likely change, among the following, in audit procedures when the assessed level of control risk increases?
   1. Change from performing substantive tests at year-end to an interim date.
   2. Perform substantive tests directed inside the entity rather than tests directed toward parties outside the entity.
   3. Use the maximum number of dual purpose tests.
   4. Use a larger sample size for substantive tests.
4. The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) includes the reliability of financial reporting, the effectiveness and efficiency of operations, and
   1. compliance with applicable laws and regulations.
   2. effectiveness of prevention of fraudulent occurrences.
   3. safeguarding of entity assets.
   4. incorporation of ethical business practice standards.

5.     After considering the client’s internal control, the auditors have concluded that it is well designed and is functioning as anticipated.  Under the circumstances, the auditors would most likely

1. 1. cease to perform further substantive tests.
   2. reduce substantive tests in areas where the internal control was found to be effective.
   3. increase the extent of anticipated analytical procedures.
   4. perform all tests of controls to the extent outlined in the preplanned audit program.
2. Which of the following is least likely to be considered an appropriate response relating to risks the auditors identify at the financial statement level?

1. 1. Assign more experienced staff.

1. 1. Incorporate additional elements of unpredictability in the selection of audit procedures.

1. 1. Increase the scope of auditor procedures.

1. 1. Emphasize the need to remain neutral, rather than to exercise professional skepticism.
2. A client’s internal control appears strong, but the CPA has chosen not to test it.  The planned assessed level of control risk is at what level?
   1. Zero
   2. Low

c.     Moderate

1. 1. Maximum
2. Which of the following matters would an auditor most likely consider to be a significant deficiency to be communicated to the audit committee?
   1. Management’s failure to renegotiate unfavorable long-term purchase commitments.
   2. Recurring operating losses that may indicate going concern problems.
   3. Evidence of a lack of objectivity by those responsible for accounting decisions.
   4. Management’s current plans to reduce its ownership equity in the entity.
3. The internal control provisions of the Sarbanes-Oxley Act of 2002 apply to which companies in the United States?

1. 1. All companies

1. 1. SEC registrants

1. 1. Only those companies included in the Fortune 500

1. 1. All nonpublic companies
2. In assessing the objectivity of a client’s internal auditors, the CPA would be most likely to consider the internal auditors’
   1. education levels.
   2. experience.

c.     organizational status within the company.

1. 1. training and supervisory skills.
2. he Sarbanes-Oxley Act of 2002 requires that the audit committee
   1. annually reassess control risk using information from the CPA firm.
   2. be directly responsible for the appointment, compensation and oversight of the work of the CPA firm.
   3. require that the company’s CPA firm rotate the partner in charge of the audit.
   4. review the level of management compensation.
3. When performing an audit of internal controls under PCAOB requirements, auditors evaluate the controls of
   1. both design effectiveness and operating effectiveness.
   2. design effectiveness but not operating effectiveness.
   3. operating effectiveness but not design effectiveness.
   4. neither design effectiveness nor operating effectiveness.
4. For effective internal control, which of the following functions should not be assigned to the company’s accounting department?
   1. Reconciling accounting records with existing assets
   2. Recording financial transactions
   3. Signing payroll checks
   4. Preparing financial reports
5. Which of the following is an advantage of describing internal control through the use of a standardized questionnaire?
   1. Questionnaires highlight weaknesses in the system.
   2. Questionnaires are more flexible than other methods of describing internal control.
   3. Questionnaires usually identify situations in which internal control weaknesses are compensated for by other strengths in the system.
   4. Questionnaires provide a clearer and more specific portrayal of a client’s system than other methods of describing internal control.

1. (CPA, adapted)  The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with
   1. knowledge necessary for audit planning.
   2. evidential matter to use in assessing inherent risk.
   3. a basis for modifying tests of controls.
   4. an evaluation of the consistency of application of management’s policies.
2. (CPA, adapted)  An advantage of using systems flowcharts to document information about internal control instead of using internal control questionnaires is that systems flowcharts
   1. identify internal control weaknesses more prominently.
   2. provide a visual depiction of clients’ activities.
   3. indicate whether controls are operating effectively.
   4. reduce the need to observe clients’ employees performing routine tasks.
3. (CPA, adapted)  Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity’s internal control?
   1. Incompatible duties
   2. Management override
   3. Faulty judgment
   4. Collusion among employees
4. An auditor may decide not to perform tests of controls related to the control activities within the computer portion of the client’s internal control.  Which of the following would not be a valid reason for choosing to omit such tests?
   1. The controls duplicate operative controls existing elsewhere.
   2. There appear to be major weaknesses that would preclude reliance on the stated procedure.
   3. The time and dollar costs of testing exceed the time and dollar savings in substantive testing if the tests show the controls to be operative.
   4. The controls appear adequate.
5. Which of the following would the auditors consider to be a weakness in an IT system?
   1. Operators have access to terminals.
   2. Programmers are allowed access to the file library.
   3. A data control group handles reprocessing of exceptions detected by the computer.
   4. More than one employee is present when the computer facility is in use.
6. A problem for a CPA associated with advanced IT systems is that
   1. the audit trail normally does not exist.
   2. the audit trail is sometimes generated only in machine readable form.

c.     the client’s internal auditors may have been involved at the design stage.

22. 1. tests of controls are not possible.
23. When erroneous data are detected by computer program controls, such data may be excluded from processing and printed on an exception report.  The exception report should most probably be reviewed and followed up on by the
    1. supervisor of computer operations.
    2. systems analyst.
    3. data control group.
    4. computer programmer.
24. The report of a service auditor may provide assurance on whether

1. (CPA, adapted)  For control purposes, which of the following should be organizationally segregated from the computer operations function?
   1. Data conversion
   2. Surveillance of CRT messages

c.     Systems development

1. 1. Minor maintenance according to a schedule
2. (CPA, adapted)  Which of the following passwords would be most difficult to crack?
   1. O?Ca!FiSi
   2. language
   3. 12 HOUSE 24
   4. pass56word
3. (CPA, adapted)  When online, real-time processing is used, the grandfather-father-son updating backup concept is relatively difficult to implement because
   1. locating information points on files is an extremely time-consuming task.
   2. magnetic fields and other environmental factors cause off-site storage to be impracticable.
   3. information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
   4. the process of updating old records is destructive.
4. (CPA, adapted)  Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?
   1. Hoax virus
   2. Web crawler
   3. Trojan horse
   4. Killer application