Chapter 12 - Questions
1) When the auditor attempts to understand the operation of the accounting system by tracing a
few transactions through the accounting system, the auditor is said to be
A) tracing.
B) vouching.
C) performing a walkthrough.
D) testing controls.
2) For financial statement audits, auditors need to understand controls that are relevant to the
audit in order to
A) identify and assess the risks of material misstatements.
B) perform preliminary analytical procedures.
C) detect fraud.
D) assess inherent risk.
3) Narratives, flowcharts, and internal control questionnaires are three common methods of
A) testing the internal controls.
B) documenting the auditor's understanding of internal controls.
C) designing the audit manual and procedures.
D) documenting the auditor's understanding of a client's organizational structure.
Copyright © 2020 Pearson Education, Inc.
4) When dealing with the documentation of internal control,
A) in a narrative, most questions simply require a "yes" or "no" response.
B) questionnaires offer useful checklists to remind the auditor of the many different types of
internal controls that should exist.
C) questionnaires and flowcharts should not be used together.
D) flowcharts fail to show the segregation of duties in the company.
5) Which type of evidence is not used by the auditor to obtain an understanding of the design
and implementation of internal control?
A) inquiry
B) observation
C) confirmation
D) inspection
6) Walkthroughs combine observation, inspection, and inquiry to assure that the controls
designed by management have been implemented.
7) A narrative should describe the disposition of every document and record in the system.
Terms: Flowcharts
Difficulty: Moderate
Objective: LO 12-1
AACSB: Reflective thinking
9) When documenting their understanding of a client's internal controls, auditors are required to
use narratives.
10) The level of understanding of a client's internal controls required is less than what is required
for an audit of only the financial statements.
11) For integrated audits of large, publicly traded companies, the level of understanding of
internal controls and the extent of testing of those controls need to be sufficient for the auditor to
issue an opinion on the effectiveness of internal controls over financial reporting.
12) Management's documentation is not a major source of information for auditors in gaining an
understanding of the design of internal controls.
13) Evaluating the design of a control involves considering whether the control is effective in
preventing, detecting, or correcting material misstatements in the financial statements.
14) As Section 404 of the Sarbanes-Oxley Act requires management to assess and to document
the design effectiveness of internal controls over financial reporting, management may have
already prepared narratives and flowcharts which the auditor can then use in documenting their
understanding of the design of such internal controls.
15) An adequate system flowchart should include the same characteristics required for system
narratives.
16) Flowcharts have two advantages over narratives: typically, they are easier to read and easier
to update.
17) It is typical to use both a narrative and a flowchart to describe the same system.
18) When using questionnaires, "no" responses typically indicate a potential internal control
deficiency requiring follow up by the auditor.
19) The two disadvantages of using questionnaires are their inability to provide an overview of
the system and their inapplicability for some audits, especially smaller ones.
20) Name four types of evidence which the auditor uses to obtain an understanding of the design
and implementation of controls.
Terms: Obtaining and documenting an understanding internal control
Difficulty: Easy
Objective: LO 12-1
AACSB: Reflective thinking
21) Name three types of documents which auditors commonly use to obtain and to document
their understanding in the audit working paper of the design of internal controls.
Terms: Obtaining and documenting an understanding internal control
Difficulty: Easy
Objective: LO 12-1
AACSB: Reflective thinking
22) A proper narrative of an accounting system and the related controls should include which
four characteristics?
Terms: Obtaining and documenting understanding of internal control design
Difficulty: Moderate
Objective: LO 12-1
AACSB: Reflective thinking
23) Auditors should obtain an understanding of IT general controls. Name four procedures which
the auditor should employ to document their understanding of IT general controls.
Terms: Obtaining and documenting understanding of internal control design
Difficulty: Moderate
Objective: LO 12-1
AACSB: Reflective thinking
1) When making a preliminary assessment of control risk, the starting point for most auditors is
A) IT assessment controls.
B) assessment of entity level controls.
C) transaction-related controls.
D) fraud controls.
2) You are performing the audit of internal control for Clifton Company. Which of the following
would represent a material weakness in internal control?
A) The company's audit committee has experienced an unusual turnover of members.
B) The company's CFO was indicted for embezzling from the company.
C) Bank reconciliations are done monthly.
D) The CEO retired after twenty years of service to the company.
3) The employee in charge of authorizing credit to the company's customers does not fully
understand the concept of credit risk. This lack of knowledge would
A) constitute a deficiency in operation of internal controls.
B) constitute a deficiency in design of internal controls.
C) constitute a deficiency of management.
D) not constitute a deficiency.
4) When assessing whether the financial statements are auditable, the auditor must consider
A) that the integrity of management and the adequacy of accounting records are the two primary
factors determining auditability.
B) that the integrity of management and the adequacy of risk management are the two primary
factors determining auditability.
C) that if all of the transaction information is available only in electronic form without a visible
audit trail, the company cannot be audited.
D) the control risk before determining if the entity is auditable.
5) Once auditors determine that entity level controls are designed and placed in operation,
they
A) make a preliminary assessment for each transaction-related audit objective for each major
type of transaction.
B) make a preliminary assessment of control risk.
C) obtain an understanding of the design and implementation of internal control.
D) prepare audit documentation in order to express their opinion on the company's internal
control system.
7) Which deficiency exists if a necessary control is missing or not properly implemented?
A) control
B) significant
C) design
D) operating
8) To determine if significant internal control deficiencies are material weaknesses, they must be
evaluated on their
A) Likelihood: Yes; Significance: Yes
B) Likelihood: No; Significance: No
C) Likelihood: Yes; Significance: No
D) Likelihood: No; Significance: Yes
9) The auditor should identify and include only ________ controls since they will be sufficient to
achieve the transaction-related audit objectives and will also provide audit efficiency.
A) key
B) significant
C) material
D) compensating
10) Before making the final assessment of internal control at the end of an audit, the auditor must
A) Test controls: Yes; Perform substantive tests: Yes
B) Test controls: No; Perform substantive tests: No
C) Test controls: Yes; Perform substantive tests: No
D) Test controls: No; Perform substantive tests: Yes
12) A(n) ________ control is a control elsewhere in the system that offsets the absence of a key
control.
A) significant
B) alternate
C) design
D) compensating
13) A ________ exists if one or more control deficiencies exist that are less severe than a
material weakness, but are important enough to merit attention by those responsible for oversight
of the company's financial reporting.
A) potential misstatement
B) significant weakness
C) significant deficiency
D) fraud symptom
14) A five-step approach can be used to identify deficiencies, significant deficiencies, and
material weaknesses. The first step in this approach is
A) identify the absence of key controls.
B) consider the possibility of compensating controls.
C) determine potential misstatements that could result.
D) identify existing controls.
17) The assessment of control risk is the measure of the auditor's expectation that internal
controls will prevent material misstatements from occurring or detect and correct them if they
have occurred.
18) Key controls are not sufficient to achieve the transaction-related audit objectives.
19) A design deficiency exists if the person performing the control is not qualified.
21) In some cases, management can correct deficiencies and material weaknesses before the
auditor does significant testing, which may permit a reduction in control risk.
22) In a small business, the daily involvement of the owner in the business is not sufficient to
overcome significant deficiencies or material weaknesses in internal controls.
23) If the likelihood that a material misstatement would be prevented, detected, or corrected by
the controls in place, then the control risk is low in the revenue transaction cycle.
Terms: Control risk assessment
Difficulty: Moderate
Objective: LO 12-2
AACSB: Reflective thinking
24) In order for the auditor to determine whether a significant internal control deficiency is a
material weakness, the deficiency should be evaluated along one of the following two
dimensions: likelihood or significance.
25) If there is more than a reasonable possibility that a material misstatement could result from a
significant deficiency found during the audit, then that deficiency is considered a material
weakness in internal control.
26) You are the audit manager for a new audit client. Your staff auditors are unsure of what
constitutes a control deficiency. Discuss the terms control deficiency, design deficiency, and
operating deficiency.
A control deficiency exists if the design and implementation or operation of controls does not
permit company personnel to prevent or detect misstatements on a timely basis in the normal
course of performing assigned functions.
A design deficiency exists if a necessary control is missing, is not properly designed, or is not
properly implemented.
An operating deficiency exists if a well-designed control does not operate as designed or if the
person performing the control is insufficiently qualified or authorized.
Terms: Control deficiency; Design deficiency; Operating deficiency
Difficulty: Moderate
Objective: LO 12-2
AACSB: Reflective thinking
27) The text suggested a five-step approach to identify deficiencies, significant deficiencies, and
material weaknesses. Describe this approach.
Terms: Five-step approach to identify deficiencies
Difficulty: Challenging
Objective: LO 12-2
AACSB: Reflective thinking; Analytic thinking
1) If the results of tests of controls support the design and operations of controls as expected, the
auditor uses ________ control risk as the preliminary assessment.
A) a lower
B) the same
C) a higher
D) either a lower or higher
2) An auditor is likely to use four types of procedures to support the operating effectiveness of
internal controls. Which of the following would generally not be used?
A) make inquiries of appropriate client personnel
B) examine documents, records, and reports
C) reperform client procedures
D) inspect design documents
3) Which of the following represents a correct statement regarding internal control testing?
A) When auditors plan to use evidence about the operating effectiveness of internal control
contained in prior audits, auditing standards require tests of the controls' effectiveness at least
every other year.
B) The greater the risk, the less audit evidence the auditor should obtain that controls are
operating effectively.
C) The auditor uses control risk assessment and results of tests of controls to determine planned
detection risk and the related substantive tests for the financial statement audit.
D) Testing of internal controls can only be performed by the auditor at the end of the fiscal year.
4) An auditor traces the sales prices to the authorized price list in effect at the date of the
transaction. Which of the following procedures has the auditor performed?
A) inquiry
B) observation
C) reperformance
D) examination
5) Tests of controls
A) are the procedures used to test the effectiveness of controls in support of a reduced assessed
control risk.
B) are used to support the ending balances in the balance sheet and income statement accounts.
C) are performed at the end of the audit.
D) are designed to detect fraud.
8) Which of the following is true regarding the relationship between tests of controls and
procedures to obtain an understanding?
A) In obtaining an understanding of internal control, the procedures to obtain an understanding
are applied to all controls identified during that phase.
B) Tests of controls are applied only when the assessed control risk has not been satisfied by the
procedures to obtain an understanding.
C) Procedures to obtain an understanding are performed only on one or a few transactions.
D) All of the above are correct.
10) An auditor traces the cost of sales entry for a sample of product sales to the inventory unit
costs in effect at the date of each transaction. Which of the following procedures has the auditor
performed?
A) inquiry
B) observation
C) reperformance
D) examination
11) The procedures to obtain an understanding of internal control are only applied when the
assessed control risk is high.
12) Controls that are applied throughout the accounting period must be tested both at an interim
date and then again on the balance sheet date.
13) When there are a number of controls tested in prior audits that have not been changed,
auditing standards require auditors to test some of those controls each year to ensure there is a
rotation of controls testing throughout the three-year period.
14) The AICPA guide to data analytics indicates audit data analysis can be used throughout the
audit process, but not including tests of controls.
Terms: Using audit software and data analytics to perform test of controls
Difficulty: Moderate
Objective: LO 12-3
AACSB: Reflective thinking
15) A company requires the controller's e-approval for all fixed asset purchases in excess of
$50,000. Audit software can be used to identify if there are any instances where a fixed asset
purchase in excess of $50,000 lacked the controller's e-approval, instead of manual checking.
Terms: Using audit software and data analytics to perform test of controls
Difficulty: Moderate
Objective: LO 12-3
AACSB: Reflective thinking
16) An example of substantive testing and also a test of controls is using audit software to
identify purchases where the vendor's invoice, the receiving report, and the purchase order did
not match prior to payment of the vendor's invoice.
Terms: Using audit software and data analytics to perform test of controls
Difficulty: Moderate
Objective: LO 12-3
AACSB: Reflective thinking
17) In evaluating the operational effectiveness of internal controls, the auditor is likely to use
four types of audit procedures. List the procedures below.
Terms: Operational effectiveness; internal controls; audit procedures
Difficulty: Moderate
Objective: LO 12-3
AACSB: Reflective thinking
2) The auditor assesses control risk for each related audit objective and supports control risk
assessments with tests of controls.
3) In October 2013, the PCAOB issued Staff Audit Practice Alert No. 11, titled "Considerations for
Audits of Internal Control over Financial Reporting". In this Staff Audit Practice Alert, the
PCAOB highlighted three common deficiencies related to audits of internal control. Name these
three common deficiencies.
Terms: Planned detection risk and design substantive tests
Difficulty: Moderate
Objective: LO 12-4
AACSB: Reflective thinking
1) How must significant deficiencies and material weaknesses be communicated to those charged
with governance?
A) Either oral or written communication is acceptable.
B) Oral communication is required.
C) Written communication is required.
D) Written communication is required for material weaknesses, but oral communication is
allowed for significant deficiencies.
2) Auditors often identify less significant internal control-related issues, as well as opportunities
for the client to make operational improvements in the
A) adverse opinion.
B) Section 404 report.
C) management letter.
D) Type 1 report.
3) The auditor will issue an unqualified opinion on internal control over financial reporting when
A) there are no identified material weaknesses as of the end of the fiscal year.
B) there have been no restrictions on the scope of the auditor's work.
C) both a and b
D) either a or b
4) What type of report is issued when one or more material internal control weaknesses exist?
A) unqualified opinion
B) disclaimer of opinion
C) adverse opinion
D) qualified opinion
5) Which of the following is true regarding the auditor's opinion on the effectiveness of internal
control?
A) The auditor is attesting to the effectiveness of internal controls as of the end of the fiscal year.
B) If the client remedies a material weakness before the end of the fiscal year, the auditor must
still issue a qualified opinion or a disclaimer of opinion.
C) A scope limitation requires the auditor to issue an adverse opinion.
D) Section 404 requires that the auditor design the audit to detect all deficiencies in internal
control.
6) When determining what type of report to issue on internal control under Section 404,
A) an adverse opinion on internal control must be given if any weakness in a key internal
control is discovered.
B) a scope limitation requires the auditor to disclaim an opinion on internal controls.
C) if the auditor gives a qualified opinion on the financial statements, they must give a qualified
opinion on internal controls.
D) a scope limitation requires the auditor to express a qualified opinion or a disclaimer of
opinion on internal controls.
7) The scope of the auditor's report on internal control is limited to obtaining reasonable
assurance that significant weaknesses in internal control are identified.
8) To issue an unqualified opinion on internal control over financial reporting, there must be no
identified material weaknesses and no restrictions on the scope of the audit.
1) It is generally possible for small companies to have all of the following except for
A) adequate documents and records.
B) physical controls over assets.
C) competent, trustworthy personnel.
D) internal auditors.
2) The auditor designs and performs a combination of tests of controls and substantive
procedures to obtain reasonable assurance that the financial statements are fairly stated when
control risk
A) is assessed above the maximum.
B) is assessed below the maximum.
C) cannot be assessed.
D) none of the above
3) In the audit of a private company, the auditor will test internal controls when control risk is
initially assessed at
A) Low: Yes; Moderate: No; High: Yes
B) Low: No; Moderate: No; High: Yes
C) Low: Yes; Moderate: Yes; High: No
D) Low: No; Moderate: Yes; High: No
4) Which of the following may represent the biggest challenge smaller public companies and
nonpublic companies face in implementing effective internal control?
A) a lack of competent, trustworthy personnel
B) no clear lines of authority
C) no adequate separation of duties
D) a lack of adequate documents and records
6) If, when obtaining an understanding of control activities of a relatively small client, the
auditor identified no control activities, the auditor would probably set a high assessment of
control risk.
7) The auditor obtains a sufficient understanding of internal control to assess the risk of material
misstatement at the overall financial statement level and at the relevant assertion level.
8) The procedures used to gain an understanding of internal control do not vary from client to
client.
10) The assessment of control risk does not impact the testing of controls.
11) A company's size should have no impact on the nature of internal control and the controls
that are implemented.
12) Control risk is generally set at minimum for most private companies.
1) The auditor's objective in determining whether the client's computer program correctly
processes valid and invalid transactions is accomplished through the
A) test data approach.
B) generalized audit software approach.
C) microcomputer-aided auditing approach.
D) generally accepted auditing standards.
2) When using the test data approach,
A) auditors process test data supplied by the client.
B) auditors often obtain assistance from a computer audit specialist.
C) the tests must be performed at the end of the year.
D) the test data must remain in the client's records.
3) Which of the following is not seen as an advantage to using generalized audit software
(GAS)?
A) Auditors can learn the software in a short period of time.
B) It can be applied to a variety of clients after detailed customization.
C) It can be applied to a variety of clients with minimal adjustments to the software.
D) It greatly accelerates audit testing over manual procedures.
5) Auditing by testing automated internal controls and account balances electronically, generally
because effective general controls exist, is known as
A) auditing through the computer.
B) auditing around the computer.
C) embedded audit module approach.
D) parallel simulation testing.
6) Which of the following computer-assisted auditing techniques inserts an audit module in the
client's application system to identify specific types of transactions?
A) parallel simulation testing
B) test data approach
C) embedded audit module
D) generalized audit software testing
8) The embedded audit module approach requires the auditor to insert an audit module in the
client's application system to identify specific types of transactions.
9) The objective of the test data approach is to determine whether the client's computer programs
can correctly process valid and invalid transactions.
10) Parallel simulation is used primarily to test internal controls over the client's IT systems,
whereas the test data approach is used primarily for substantive testing.
13) Discuss the advantages and benefits of using generalized audit software.
Advantages and benefits of using generalized audit software include:
• It is relatively easy to train the audit staff in its use, even if they have little formal IT training.
• The software can be applied to a wide variety of clients with minimal customization.
• It has the ability to do audit tests much faster, and in more detail, than using traditional
manual procedures.
Terms: Advantages of using generalized audit software
Difficulty: Moderate
Objective: LO 12-7
AACSB: Reflective thinking
14) Auditors often use Generalized Audit Software during their testing of a client's internal
controls. For the following uses of the software provide a description and an example.