Consideration of Entity’s Internal Control

Philippine School of Business Administration

Manila
/

Integrated Review - Auditing BLD

2nd Semester 2020-2021

ENTITY’S INTERNAL CONTROL

The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the
audit and develop an effective audit approach.

Accounting system means the series of tasks and records of an entity by which transactions are processed as a
means of maintaining financial records. Such systems identify, assemble, analyze, calculate, classify, record,
summarize and report transactions and other events.

Internal Control System means all the policies and procedures (internal controls) adopted by the management of an
entity to assist in achieving management’s objective of ensuring, as far as practicable,:
• orderly and efficient conduct of its business, including adherence to management policies;
• safeguarding of assets;
• prevention and detection of fraud and error;
• accuracy and completeness of the accounting records; and
• timely preparation of reliable financial information.

The internal control system extends beyond those matters which relate directly to the functions of the accounting
system.

Other Essential Concepts of Internal Control: Internal control is (a):

1. Process – a means of achieving the entity's objectives

2. Effected by:
a. Those charged with governance: ensure the integrity of accounting and financial
reporting systems through oversight of management
b. Management: design, implement and maintain internal control
c. Staff personnel: perform their respective functions

3. Provides reasonable assurance about the achievement of a n entity’s objectives – internal control
is be designed to prevent, or detect and correct problems to help in achieving entity’s objectives

• Inherent limitations of internal control system: Even a well designed and effective internal
control system cannot eliminate material misstatements, whether due to fraud or error.
Examples of inherent limitations of internal control:
1. Management overriding the internal control.
2. Circumvention of internal controls through the collusion among employees.
3. Cost-benefit considerations (concept of reasonable assurance) – the costs of a control to be
established should not exceed its expected benefits
4. Most controls tend to be directed at routine transactions rather than non-routine
transactions.
5. Human error (such as due to careless ness, distraction, mistakes of judgment, the
misunderstanding of instructions, errors in the design or use of automated controls
6. The possibility that procedures may become inadequate due to changes in conditions, and
compliance with procedures ma y deteriorate.
7. Segregation of duties may be difficult to achieve in a smaller entity.

4. Helps to achieve the entity's objectives

• Objectives represent what an entity strives to achieve.

Auditing Theory by: Bee Jay L. De Leon, CPA 1

Consideration of Entity’s Internal Control

• Categories of entity's objectives:

1. Financial reporting objective – this objective relates to reliability of financial reporting
2. Operational objective – this objective is intended to enhance effectiveness and efficiency of
operations
3. Compliance objective – this objective relates to entity’s compliance with applicable laws
and regulations.

Benefits of Strong Internal Control:

• Reliability of financial information for decision-making purposes

• Enhances the effectiveness and efficiency of operations
• Assurance of compliance with applicable laws and regulations
• Protection of assets and important documents and records
• Reduced cos t of a n external audit – because the auditor may rely on the effectiveness of internal
control

Classification of Internal Control:

1. According to objectives:
a. Financial reporting controls – controls to achieve reliability of financial reporting objective
b. Operational effectiveness controls – controls to achieve operational effectiveness objective
c. Compliance controls – controls to achieve compliance objective

Relationship between the entity’s objectives and internal control:

There is a direct relationship between the entity’s objectives and the internal control it
implements to provide reasonable assurance about their achievement.

2. According to functions:
a. Preventive controls – controls that deter problems before they arise (for example, segregation of
incompatible employee functions/duties and control physical access to assets, facilities and
information)

b. Detective controls – controls that discover or detect problems as they arise (for example,
preparing bank reconciliation and preparing monthly trial balance)

c. Corrective controls – controls that remedy problems discovered with detective controls (for
example, maintaining backup copies of transactions and master

Components of Internal Control:

Obtaining understanding of internal control means obtaining understanding of the five interrelated
and essential components or aspects of internal control as follows:

1. Control environment – it includes the governance and management functions and the attitudes,
awareness, and actions of those charged with governance and management concerning the
entity’s internal control and its importance in the entity
• It sets the tone of a n organization, influencing the control consciousness of its people.
• It is a set of characteristics that defined good control working relationships in a n entity.

Auditing Theory by: Bee Jay L. De Leon, CPA 2

Consideration of Entity’s Internal Control

• It is the foundation for effective internal control for it provides an appropriate foundation for
other components of internal control.

Elements of control environment:

1. Communication and enforcement of integrity and ethical values – These

influence the effectiveness of the design, administration and monitoring of controls.
2. Commitment to competence – Management’s consideration of the competence levels
for particular jobs and how those levels translate into requisite skills and knowledge.
3. Participation by those charged with governance (BOD and audit committee)
4. Management’s philosophy and operating style – Management’s approach to ta
king and managing business risks, attitudes and actions toward financial reporting, and
attitudes toward information processing and accounting functions and personnel.
5. Organizational structure – The framework within which an entity’s activities for
achieving its objectives are planned, executed, controlled and reviewed.
6. Assignment of authority and responsibility – How authority and responsibility for
operating activities are assigned and how reporting relations hips and authorization
hierarchies are established. Appropriate methods of assigning responsibility must be
implemented to avoid incompatible functions and to minimize the possibility of errors
because of too much work load assigned to an employee.
7. Personnel or Human resource policies and procedures – Policies and practices
that relate to recruitment/hiring, orientation, training, evaluation, counseling,
promotion, compensation, and remedial actions.

Considering the control environment:

The auditor shall obtain understanding of control environment and evaluate:

a. Whether the management, with the oversight of those charged with governance, has created
and maintained a culture of honesty and ethical behavior
b. Whether the strengths in the control environment provide foundation for the other components
of internal control
c. Whether other components of internal control are not undermined by control environment
weaknesses

2. Entity’s risk assessment process – entity’s own process of identification, analysis, and management
of risks relevant to the preparation and fair presentation of financial statements

Considering the entity’s risk assessment process:

The auditor shall obtain understanding of whether the entity has a process for:
a. Identifying business risks relevant to financial reporting objectives
b. Estimating the significance of the risks
c. Assessing the likelihood of their occurrence
d. Deciding about actions to address those risks

3. Information system ( including the related business processes, relevant financial reporting and
communication) – information and communication systems support the identification, capture,
and exchange of information in a timely and useful manner
• The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the methods and records established to record, process,
summarize, and report entity transactions (as well as events and conditions) and to maintain
accountability for the related assets, liabilities, and equity.
• Communication involves providing a n understanding of individual roles and responsibilities
pertaining to internal control over financial reporting. Communication may take such forms as
policy manuals and financial reporting manuals. Open communication channels help ensure
that exceptions are reported and acted on.

Auditing Theory by: Bee Jay L. De Leon, CPA 3

Consideration of Entity’s Internal Control

Considering the information system:

The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:

a. The classes of transactions in the entity’s operations that are significant to the financial statements;
b. The procedures, within both information techno logy (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements;
c. The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the
correction of incorrect information and how information is transferred to the general ledger.
d. The records may be in either manual or electronic form;
e. How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
f. The financial reporting process used to prepare the entity’s financial statements, including
significant accounting estimates and disclosures; and
g. Controls surrounding journal entries, including non-standard journal entries used to record non-
recurring, unusual transactions or adjustments.

4. Control activities – the policies and procedures that help ensure management’s directives are
carried out and that necessary steps to address risks are ta ken. Control activities address risks that
if not mitigated would threaten the achievement of the entity’s objectives.

Examples of specific control activities include those relating to:

• Authorization
• Performance reviews
• Information processing
• Physical controls
• Segregation activities

Considering the control activities:

The auditor shall obtain understanding of control activities relevant to the audit. Control activities
relevant to the audit are those that the auditor judges it necessary to understand in order to:

a. Assess the risks of material misstatement at the assertion level and

b. Design further audit procedures responsive to the assessed risks.

An audit does not require an understanding of all the control activities. In understanding the entity’s
control activities, the auditor shall obtain understanding of how the entity has responded to risks arising
from IT.

5. Monitoring – the process to assess the effectiveness (or quality) of internal control performance
over time
Management’s monitoring of controls includes:
• Assessing the effectiveness of controls on a timely basis and ta king necessary corrective actions
• Monitoring of controls through ongoing activities
• Using information from communications from external parties such as customer complaints
and regulator comments that ma y indicate problems, highlight areas in need of improvement

Considering the monitoring of controls:

The auditor shall obtain understanding of:

a. The major activities that the entity uses to monitor control over financial reporting, including
those related to those activities relevant to the audit
b. How the entity initiates corrective actions to its controls
c. Sources of the information used in the entity’s monitoring activities

Auditing Theory by: Bee Jay L. De Leon, CPA 4

Consideration of Entity’s Internal Control

d. The basis upon which management considers the information to be sufficiently reliable for the
purpose

CONSIDERING INTERNAL CONTROL

Internal control is relevant to the entire entity and each of the five components of internal control ma
y affect any of the three entity objectives, but not all of a n entity's objectives and related controls are
relevant to the audit.

The auditor shall obtain a n understanding of internal control relevant to the audit. Generally, those
controls that pertain to financial reporting objective are most relevant to the audit. Thus, the auditor s
hall consider and understand financial reporting controls. The auditor need not assess all controls related
to financial reporting, but rather applies professional judgment in determining which controls to assess.

Purpose of Understanding of Internal Control:

• Primary purpose: To provide a basis for planning the audit to determine the nature, timing, and
extent of further audit procedures
Specifically, such understanding is used by the auditor in:
1. Identifying types of potential misstatements
2. Identifying factors that affect the risks of material misstatements, and
3. Designing the nature, timing, and extent of further audit procedures
• Secondary purpose: To provide a basis for constructive suggestions to management about
improvements in internal control

Steps in Accounting and Internal Control Assessment

1st Understanding of accounting and internal control system
2nd Plan the assessed level of control risk
3rd Performance of tests of controls (if appropriate)
4th Reassessment of control risk
5th Final assessment of control risk

1. The auditor shall obtain a n understanding of internal control relevant to the audit – involves
performing procedures to evaluate the design of relevant controls and determine whether they
have been implemented (placed in operation)
• This procedure includes understanding of the five interrelated components of internal control
to evaluate the design and determine if the control has been implemented.
a. Evaluate the design of re levant controls – involves determining whether those controls,
individually or in combination with other controls, is capable of effectively preventing or
detecting and correcting material misstatements
• The design refers to capability of a control to prevent or detect and correct material
misstatements
Major emphasis in the design of effective control:

a. Assets are properly protected

b. Incompatible duties are segregated
c. Transactions are authorized
An improperly designed control ma y represent a material weakness in the entity’s internal
control.
b. Determine whether the controls have been implemented – involves determining whether the
control is placed in operation; implementation of a control means that the control exists and is
being used by the entity

Auditing Theory by: Bee Jay L. De Leon, CPA 5

Consideration of Entity’s Internal Control

Risk assessment procedures to obtain audit evidence about the design and implementation
of relevant controls:
• Inquiry of entity personnel (inquiry alone is not sufficient obtain audit evidence
about the design and implementation of relevant controls)
• Observing the application of specific controls
• Inspecting documents and records
• Performing a “walk-through” test – tracing a transaction through the information
system relevant to financial reporting, from initial recording to presentation in the
financial statements

2. Perform preliminary assessment of control r is k – assessing the level of control risk (such as high,
medium or low) based on understanding of internal control (the design of controls and whether
they have been implemented)
• The ultimate purpose of assessing control risk at the assertion level for each material
account balance or class of transactions is to contribute to the auditor's evaluation of the
risk that material misstatements exist in the financial statements.
• The assessment of control risk is the process of evaluating the effectiveness of an entity’s
internal control in preventing or detecting and correcting material misstatements.
• Control risk is assess in terms of financial statement assertions.

a. Maximum level: Control risk is assessed a t high/maximum level if:

• Controls are poorly designed, or
• Properly designed controls have not been implemented, or
• It is inefficient to rely on internal control (inefficient to perform tests of controls) – for
example, it is inefficient to obtain evidence to justify the assessment of control risk at less
than high level
Auditor’s response if control r is k is assessed at a high/ maximum level:

• Auditor will not perform tests of controls

• Auditor will primarily rely on substantive tests
b. Less than high/ maximum level: Control risk is assessed at less than high/maximum level if
controls are properly designed and have been implemented; the auditor should perform tests
of operating effectiveness of relevant controls.
The PSA requires the auditor to document the basis or the evidence to justify the assessment
of control risk a t less than high/maximum level.

3. Perform tests of controls if preliminary assessment of control r isk is below high/ maximum level
(performed when the auditor intends to rely on the internal control)
• Tests of controls are audit procedures designed to evaluate the opera ting effectiveness of internal
controls that are likely to detect or prevent material misstatements in support of a reduced assessed
level of control risk. In other words, tests of controls are performed to confirm that the controls
tested are working effectively in order to substantiate the reduced assessed level of control risk.

Auditing Theory by: Bee Jay L. De Leon, CPA 6

Consideration of Entity’s Internal Control

• When to perform tests of controls:

a. When the auditor intends to rely on the operating effectiveness of relevant controls
in determining the nature, timing and extent of substantive procedures; or
Ø Tests of controls are performed only on those controls that the auditor has
determined are suitably designed to prevent, or detect and correct, a material
misstatement in an assertion.
b. When substantive procedures alone cannot provide sufficient appropriate evidence
at the assertion level
• Unlike substantive tests of details, tests of controls are not required audit procedure.
• The greater the reliance the auditor plans to place on internal control, the more
extensive the tests of those controls that need to be performed.
• Tests of controls generally consist of one (or combination of the following evidence
gathering
techniques:
a. Inquiry
b. Observation
c. Inspection
d. Reperformance of a control by the auditor

4. Reassessment of control risk

Based on the results of the tests of control, the auditor should evaluate whether the internal controls are
designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of
deviations may result in the auditor concluding that the assessed level of control risk needs to be revised.
In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures.

5. Final Assessment of Control Risk

Before the conclusion of the audit, based on the results of the substantive procedures and other audit
evidence obtained by the auditor, the auditor should consider whether the assessment of control risk is
confirmed.

Results of tests of controls:

a. Results do not confirm effectiveness of controls – the auditor should revise the preliminary risk
assessment of control risk from less than high to high level
In addition, the auditor shall also make the necessary revision on the overall audit strategy,
audit plan and preliminary audit program.
In this case, the auditor’s general approach to audit would be to use the substantive approach (an
approach w hose emphasis is on substantive procedures).

b. Results confirm effectiveness of controls – the auditor relies on the entity’s internal control and
decrease substantive testing
In this case, the auditor’s general approach to audit would be the reliance or combined
approach (an approach that uses both tests of controls and substantive procedures).

Require d Documentation:

1. Document the understanding of accounting and internal control systems

• Form of documentation ma y vary
• One form or a combination of forms of documentation may be used a t the same time
• Forms of documentation:
1. Internal control questionnaire – consists of a list of questions on internal control be answered by
"Yes" or "No" response. A negative response is designed to draw attention to a possible weakness
in internal control. Written explanations are required for "No" answers.
2. Flowcharts – pictorial/symbolic diagram depicting the operation of a program/system or the
sequential flow of authority, processes, transactions and documents. T he use of standard
symbols makes flowcharts easy to understand.

Auditing Theory by: Bee Jay L. De Leon, CPA 7

Consideration of Entity’s Internal Control

a. Systems flowcharts – used to evaluate internal control because it shows the origin of each
document in the system, its subsequent processing, and its final disposition
b. IT flowcharts – used in evaluating the internal control in a n automated/computerized accounting
environment. The auditor ca n use these flowcharts to evaluate both the flow of the program
and the internal controls related to the IT function in general.
3. Internal control checklists – a detailed listing of ideal control measures (the auditor tickmarks the
controls adopted by the client)
4. Narrative memoranda – a written version of a flowchart. It is a description of the auditor's
understanding of the system of internal control. Note that flow charts are more appropriate for
documenting complex control structures, w hile written narratives are more appropriate for less
complex structures.
5. Decision trees or tables –
a. Decision trees – are graphic illustrations that depict the logic of a n operation or process. They
generally employ questions with "Yes " or "No" answers, which direct the user to the next
relevant questions.
b. Decision tables – are graphic illustrations that depict the logical relationships of a system in table
form. Both approaches document the auditor's understanding of a process.

2. Document the assessed level of control r isk

• If the control risk is assessed at a high level, the auditor should document his conclusion that
control risk is at a high level.
• If the control risk is assessed a t less than high level, the auditor should document:
a. His conclusion that control risk is a t less than high level, and
b. The basis for that assessment – results of tests of controls confirming the assessment of
control risk at below high/maximum level

Communication of Weaknesses

As a result of obtaining an understanding of the accounting and internal control systems and tests of control,
the auditor may become aware of weaknesses in the systems. The auditor should make management aware,
as soon as practical and at an appropriate level of responsibility, of material weaknesses in the design or
operation of the accounting and internal control systems, which have come to the auditor’s attention. The
communication to management of material weaknesses would ordinarily be in writing. However, if the
auditor judges that oral communication is appropriate, such communication would be documented in the
audit working papers. It is important to indicate in the communication that only weaknesses which have come
to the auditor’s attention as a result of the audit have been reported and that the examination has not been
designed to determine the adequacy of internal control for management purposes.

MULTIPLE CHOICE QUESTIONS

1. According to PSA, which of the following is correct regarding internal control system?
a. Internal control system refers to all the policies and procedures adopted by the auditor to assist in
achieving management’s objective.
b. A strong environment, by itself, ensure the effectiveness of the internal control system.
c. In the audit of financial statements, the auditor is only concerned with those policies and procedures
within the accounting and internal control systems that are relevant to the financial statements.
d. The internal control system is confined to those matters which relate directly to the functions of the
accounting system.

2. Which of the following is correct about internal control?

a. Accounting and internal control systems provide management with conclusive evidence that objectives
are reached.
b. One of the inherent limitations of accounting and internal control systems is the possibility that the
procedures may become inadequate due to changes in conditions, and compliance with procedures may
deteriorate.

Auditing Theory by: Bee Jay L. De Leon, CPA 8

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
c. Most internal controls tend to be directed at non-routine transactions.
d. Management does not consider costs of the accounting and internal control systems.

3. Corporate directors, management, external auditors, and internal auditors all play important roles in
creating a proper control environment. Top management is primarily responsible for
a. Establishing a proper environment and specifying overall internal control.
b. Reviewing the reliability and integrity of financial information and the means used to collect and report
such information.
c. Ensuring that external and internal auditors adequately monitor the control environment.
d. Implementing and monitoring controls designed by the board of directors.

4. Which of the following best describe the interrelated components of internal control?
a. Organizational structure, management philosophy, and planning.
b. Control environment, risk assessment, control activities, information and communication systems, and
monitoring.
c. Risk assessment, backup facilities, responsibility accounting and natural laws.
d. Legal environment of the firm, management philosophy, and organizational structure.

5. In an audit of financial statements, an auditor’s primary consideration regarding a control is whether it

a. Reflects management’s philosophy and operating style.
b. Affects management’s financial statement assertions.
c. Provides adequate safeguards over access to assets.
d. Enhances management’s decision-making processes.

6. Effective internal control

a. Eliminates risk and potential loss to the organization.
b. Cannot be circumvented by management.
c. Is unaffected by changing circumstances and conditions encountered by the organization.
d. Reduces the need for management to review exception reports on a day-to-day basis.

7. Which of the following statements about internal control is correct?

a. Properly maintained internal controls reasonably assure that collusion among employees cannot occur.
b. Establishing and maintaining internal control is the internal auditor’s responsibility.
c. Exceptionally strong control allows the auditor to eliminate substantive tests.
d. The cost-benefit relationship should be considered in designing internal control.

8. The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the risk that
a. Tests of controls may fail to identify controls relevant to assertions.
b. Material misstatements may exist in the financial statements.
c. Specified controls requiring segregation of duties may be circumvented by collusion.
d. Entity policies may be overridden by senior management.

9. A proper understanding of the client’s internal control is an integral part of the audit planning process. The
results of the understanding
a. Must be reported to the shareholders and the SEC.
b. Bear no relationship to the extent of substantive testing to be performed.
c. Are not reported to client management.
d. May be used as the basis for withdrawing from an audit engagement.

10. An entity should consider the cost of a control in relationship to the risk. Which of the following controls
best reflects this philosophy for a large peso investment in heavy machine tools?
a. Conducting a weekly physical inventory.
b. Placing security guards at every entrance 24 hours a day.
c. Imprinting a controlled identification number on each tool.
d. Having all dispositions approved by the vice president of sales.

11. Audit evidence concerning segregation of duties ordinarily is best obtained by

a. Performing tests of transactions that corroborate management’s financial statement assertions
b. Observing the employees as they apply specific controls.
c. Obtaining a flowchart of activities performed by available personnel.
d. Developing audit objectives that reduce control risk.

12. Which of the following statements about preliminary assessment of control risks is correct?

Auditing Theory by: Bee Jay L. De Leon, CPA 9

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
a. After obtaining an understanding of the accounting and internal control systems, the auditor should
make a preliminary assessment of control risks, at the assertion level, for all accounts or transaction
classes.
b. The preliminary assessment of control risk can be done only after completing tests of controls.
c. The preliminary assessment of control risk for a financial assertion is normally low, unless the auditor is
able to identify weaknesses that may indicate ineffectiveness of accounting and internal control system.
d. The auditor ordinarily assesses control risk at high level for some or all assertions when it is not cost
efficient to do tests of controls.

13. Which of the following statements concerning control risk is correct?

a. When control risk is at the maximum level, an auditor is required to document the basis for that
assessment.
b. Control risk may be assessed sufficiently low to eliminate substantive testing for significant transaction
classes.
c. When assessing control risk, an auditor should not consider evidence obtained in prior audits about the
operation of controls.
d. Assessing control risk and obtaining an understanding of an entity’s internal control may be performed
concurrently.

14. Based on a consideration of internal control completed at an interim date, the auditor assessed control risk
at a low level and performed interim substantive tests. The records and procedures would most likely be
tested again at year-end if
a. Tests of controls were not performed by the internal auditor during the remaining period.
b. Internal control provides a basis for limiting the extent of substantive testing.
c. The auditor used nonstatistical sampling during the interim period testing of controls.
d. Inquiries and observations lead the auditor to believe that conditions have changed.

15. Although substantive tests may support the accuracy of underlying records, these tests frequently provide
no affirmative evidence of segregation of duties because
a. Substantive tests rarely guarantee the accuracy of the records if only a person who performs
incompatible functions.
b. The records may be accurate even though they are maintained by a person who performs incompatible
functions.
c. Substantive tests relate to the entire period under audit, but tests of controls ordinarily are confined to
the period during which the auditor is on the client’s premises.
d. Many computerized procedures leave no audit trail of who performed them, so substantive tests may
necessarily be limited to inquiries and observation of office personnel.

16. After obtaining an understanding of internal control and assessing control risk, an auditor decided not to
perform additional tests of controls. The auditor most likely concluded that the
a. Additional evidence to support a further reduction in control risk was not cost-beneficial to obtain.
b. Assessed level of inherent risk exceeded the assessed level of control risk.
c. Internal control was properly designed and justifiably may be relied on.
d. Evidence obtainable through tests of controls would not support an increased assessment of control
risk.

17. The objective of tests of details of transactions performed as tests of controls is to

a. Monitor the design and use of entity documents such as prenumbered shipping form
b. Determine whether controls have been placed in operation.
c. Detect material misstatements in the account balances of the financial statements.
d. Evaluate whether controls operated effectively.

18. An auditor wishes to perform tests of controls on a client’s cash disbursements procedures. If the controls
leave no audit trail of documentary evidence, the auditor most likely will test the procedures by
a. Confirmation and observation. c. Analytical procedures and confirmation.
b. Observation and inquiry. d. Inquiry and analytical procedures

19. Which of the following would not be a method used to conduct tests of controls?
a. Inquiry b. Walkthrough c. Confirmation d. Observation

20. The auditor is examining copies of sales invoices only for the initials of the person responsible for checking
the extensions. This is an example of a

Auditing Theory by: Bee Jay L. De Leon, CPA 10

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
a. Test of controls c. Dual purpose test
b. Substantive test d. Test of balances

21. Which of the following types of evidence would an auditor most likely examine to determine whether
controls are operating as designed?
a. Confirmations of receivables verifying account balances.
b. Letters of representations corroborating inventory pricing.
c. Attorneys’ responses to the auditor’s inquiries.
d. Client records documenting the use of computer programs.

22. Which of the following procedures concerning accounts receivable is an auditor most likely to perform to
obtain evidential matter in support of an assessed level of control risk below the maximum level?
a. Sending confirmation requests to an entity’s principal customers to verify the existence of accounts
receivable.
b. Inspecting an entity’s analysis of accounts receivable for unusual balances.
c. Comparing an entity’s uncollectible accounts expense to actual uncollectible accounts receivable.
d. Observing an entity’s employee prepare the schedule of past due accounts receivable.

23. An auditor is least likely to test controls that provide for

a. Classification of revenue and expense transactions by product line
b. Approval of the purchase and sale of trading securities
c. Segregation of the functions of recording disbursements and reconciling the bank account
d. Comparison of receiving reports and vendors’ invoices with purchase orders

24. In a small company that doesn't employ an adequate number of employees to permit proper division of
responsibilities, effective internal control can be strengthened by
a. Direct participation by the owner of the business in the record keeping activities of the business.
b. Employment of temporary personnel to aid in the separation of duties.
c. Delegation of full, clear-cut responsibility to each employee for the functions assigned to each.
d. Engaging a CPA to perform monthly "write up" work.

25. Which of the following is true of the communication to management of material weaknesses in accounting
and internal control?
a. Communication must be in writing.
b. Oral communication of material weaknesses, when appropriate, would be documented in the audit
working papers.
c. The communication should indicate that the auditor had extensively examined the accounting and
internal control system of the client.
d. The auditors should indicate in the communication that the examination is primarily designed to
determine whether the accounting and internal control is adequate.

26. The fundamental purpose of an internal control structure is to

a. safeguard the resources of the organization

b. encourage compliance with organization objectives
c. ensure the accuracy, reliability, and timeliness of information
d. provide reasonable assurance that the objectives of the organization are achieved

27. Which of the following is not one of the three primary objectives of effective internal control?
a. Reliability of financial reporting
b. Compliance with laws and regulations
c. Efficiency and effectiveness of operations
d. Each of the above is a primary objective of effective internal control

28. Which of the following would be least likely to be considered an objective of the internal control structure?
a. Safeguarding assets.
b. Detecting management fraud.
c. Encouraging adherence to managerial policies.
d. Checking the accuracy and reliability of accounting data.

Auditing Theory by: Bee Jay L. De Leon, CPA 11

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
29. Which of the following parties is responsible for establishing an entity’s internal controls?
a. Auditors
b. Management
c. Management and auditors
d. Committee of Sponsoring Organizations

30. The primary responsibility for establishing and maintain an internal control structure rests with
a. the internal auditors
b. the external auditors
c. the controller or the treasurer
d. management and those charged with governance

31. In order to ensure unbiased information, record-keeping is typically included in a separate department
under the:
a. Controller c. Treasurer
b. Internal auditor d. VP-operations

32. Effective internal control requires organizational independence of departments. Organizational

independence would be impaired in which of the following situations?
a. The cashier reports to the treasurer
b. The controller reports to the vice president for production.
c. The payroll accounting department reports to the chief accountant.
d. The internal auditors report to the audit committee of the board of directors.

33. Which of the following best describes the inherent limitations that should be recognized by an auditor when
considering the potential effectiveness of internal control?
a. The benefits expected to be derived from effective internal accounting control usually do not exceed the
cost of such control
b. The competence and integrity of client personnel provides an environment conclusive to accounting
control and provides assurance that effective control will be achieved.
c. Procedures designed to assure the execution and recording of transactions in accordance with proper
authorizations are effective against irregularities perpetrated by management.
d. None of the above

34. When considering the effectiveness of a system of internal accounting control, the auditor should recognize
that inherent limitations do exist. Which of the following is an example of an inherent limitation in a system of
internal accounting control?
a. The effectiveness of procedures depends on the segregation of employee duties.
b. In the performance of most control procedures, there are possibilities of errors arising from mistakes in
judgment.
c. Procedures for handling large numbers of transactions are processed by electronic data processing
equipment.
d. Procedures are designed to assure the execution and recording of transactions in accordance with
management’s authorization.

35. Inherent limitations in an internal control structure must be considered in evaluating its effectiveness in
preventing and detecting errors and irregularities. Inherent limitations do not include
a. collusions among employees
b. incompatible functions performed by the same person
c. management override of certain policies of procedures
d. misunderstanding of instructions, mistakes of judgment, personal carelessness, distraction, or fatigue

36. Internal controls are not designed to provide reasonable assurance that
a. All frauds will be eliminated
b. Transactions are executed in accordance with management’s authorization
c. Access to assets is permitted only in accordance with management’s authorization
d. The recorded accountability for assets is compared with the existing assets at reasonable intervals

37. Which of the following internal control objectives would be most relevant to the audit?
a. Administrative control objective
b. Compliance objective
c. Financial reporting objective
d. Operational objective

Auditing Theory by: Bee Jay L. De Leon, CPA 12

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL

38. The use of pre-numbered invoices, then accounting for their numeric sequence, meets primarily the:
a. Completeness assertion.
b. Existence or occurrence assertion.
c. Rights and obligations assertion.
d. Valuation or allocation assertion.

39. Internal controls can never be regarded as completely effective. Even if company personnel could design an
ideal system, its effectiveness depends on the
a. Adequacy of the computer system
b. Proper implementation by management
c. Ability of the internal audit staff to maintain it
d. Competency and dependability of the people using it

40. It is important for the CPA to consider the competence of the audit client’s employees because their
competence bears directly and importantly upon the
a. Timing of the tests to be performed
b. Achievement of the objectives of internal control
c. Comparison of recorded accountability with assets
d. Cost/ benefit relationship of the system of internal control

41. Competence of the personnel is necessary to proper recording of transactions and supports financial
statements that are fairly presented. In reviewing the organization for necessary competence, which of the
following job types would be of least interest to the auditor?
a. Chief accountant.
b. Corporate controller.
c. Vice-president for marketing.
d. Manager of electronic data processing.

42. Authorizations can be either general or specific. Which of the following is not an example of a general
authorization?
a. A sales price list for merchandize
b. Credit limits for various classes of customers
c. A sales manager’s authorization for a sales return
d. Automatic reorder points for raw materials inventory

43. Internal control is a function of management, and effective control is based upon the concept of change and
discharge of responsibility or duty. Which of the following is one of the overriding principles of internal control?
a. Responsibility for the performance of each duty must be fixed.
b. Responsibility for accounting and financial duties should be assigned to one responsible officer.
c. Responsibility for accounting duties must be borne by the audit committee of the company.
d. Responsibility for accounting activities and duties must be assigned only to employees who are bonded.

44. Proper segregation of functional responsibilities calls for separation of the functions of
a. Custody, execution, and reporting
b. Authorization, recording, and custody
c. Authorization, payment, and recording
d. Authorization, execution, and payment

45. Proper segregation of functional responsibilities in an effective structure of internal control calls for
separation of the functions of
a. Authorization, execution, and payment
b. Authorization, payment and recording
c. Authorization, recording, and custody
d. Custody, execution, and reporting

46. Which of the following activities would be an example of Physical Control?

a. Blank stock of all purchase orders and sales invoices are pre- numbered
b. Access to computer facilities and records is limited to authorized personnel.
c. Control and subsidiary accounts are reconciled on a regularly scheduled basis
d. Training programs are conducted to develop competence of newly hired personnel

47. The use of fidelity bonds protects a company from embezzlement losses and also:

Auditing Theory by: Bee Jay L. De Leon, CPA 13

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
a. Reduces the company’s need to obtain expensive business interruption insurance.
b. Allows the company to substitute the fidelity bonds for various parts of internal control.
c. Minimizes the possibility of employing persons with dubious records in position of trust.
d. Protects employees who made unintentional errors from possible monetary damages resulting from
such errors.

48. The use of pre-numbered documents is meant to prevent:

a. The failure to bill or record sales.
b. Duplicate billings and recording of sales.
c. All of the answers.
d. None of the answers.

49. The frequency of the comparison of recorded accountability with assets (for the purpose of safeguarding
assets) should be determined by:
a. The auditor in consultation with client management.
b. The amount of assets without reference to the cost of comparison.
c. The nature and amount of the asset and cost of making the comparison.
d. The cost of the comparison and whether the susceptibility to loss results from unintentional errors or
intentional irregularities and/or defalcations.

50. Effective internal control in a small company that has an insufficient number of employees to permit proper
division of responsibilities can best be enhanced by
a. Engaging a CPA to perform monthly “write- up” work
b. Employment of temporary personnel to aid in the separation of duties
c. Delegation of full, clear- cut responsibility to each employee for the functions assigned to each
d. Direct participation by the owner of the business in the record- keeping activities of the business

QUIZZERS
1. Transaction authorization within an organization may be either specific or general. An example of specific
transaction authorization is the
a. Approval of a construction budget for a new warehouse
b. Setting of automatic reorder points
c. Establishment of a customer’s credit limits
d. Establishment of sales prices

2. Internal control should provide reasonable (but not necessarily absolute) assurance which means that:
a. The cost of control activities should not exceed the benefits.
b. Internal control is management’s, not auditor’s, responsibility.
c. An attestation engagement about management’s internal control assertions may not necessarily detect
all reportable conditions.
d. There is always a risk that reportable conditions may result in material misstatements.

3. Which of the following statements is an example of an inherent limitation of internal control.

a. Errors may arise from mistakes in judgments.
b. The effectiveness of control procedures depends on segregation of duties.
c. Procedures are designed to assure that transactions are executed as management authorities.
d. Computers process large numbers of transactions.

4. Proper segregation of functional responsibilities calls for separation of the functions of

a. Authorization, execution, and recording. c. Custody, execution, and reporting.
b. Authorization, execution, and payment. d. Authorization, payment, and recording.

5. Which of the following is a responsibility that should not be assigned to only one employee?
a. Access to securities in the company’s safe deposit box.
b. Custodianship of the cash working fund.
c. Reconciliation of bank statement.
d. Custodianship of tools and small equipment.

6. Which of the following activities would be least likely to strengthen a company’s internal control?
a. Maintaining insurance for fire and theft.
b. Separating accounting from other financial operations.

Auditing Theory by: Bee Jay L. De Leon, CPA 14

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
c. Fixing responsibility for the performance of employee duties.
d. Carefully selecting and training employees.

7. As generally conceived, the “audit committee” of a publicly held company should be made up of
a. Members of the board of directors who are not officers or employees.
b. Representatives of the major equity interests (bonds, preferred stock, common stock).
c. The audit partner, the chief financial officer, the legal counsel, and at least one outsider.
d. Representatives from the client’s management, investors, suppliers, and customers.

8. When considering internal control, the auditor’s primary concern is to determine

a. The reliability of the accounting information system.
b. The possibility of fraud occurring.
c. Compliance with policies, plans, and procedures.
d. The type of an opinion he will issue.

9. Of the following, the best statement of the CPA’s primary objective in considering internal control is that the
review is intended to provide
a. A basis for reliance on the system and determining the scope of other auditing procedures.
b. Reasonable protection against client fraud and defalcations by client employees.
c. A basis for constructive suggestions to the client for improving his internal control system.
d. A method for ensuring that there is reasonable assurance that the financial statements are reliable.

10. When an auditor assesses control risk below the maximum level, the auditor is required to document the
auditor’s
Basis for concluding that control Understanding of the entity’s internal
risk is below the maximum level control structure elements
a. Yes Yes
b. No No
c. Yes No
d. No Yes

11. The sequence of steps in gathering evidence as the basis of the auditor’s opinion is
a. Substantive tests, documentation of control structure, and tests of controls
b. Documentation of control structure, tests of controls, and substantive tests
c. Documentation of control structure, substantive tests, and tests of controls
d. Tests of controls, documentation of control structure, and substantive tests

12. In obtaining an understanding of an entity’s internal control structure, an auditor is required to obtain
knowledge about the
Operating effectiveness of Design of policies
Policies and procedures and procedures
a. Yes Yes
b. No Yes
c. Yes No
d. No No

13. Which of the following audit techniques most likely would provide an auditor with the most assurance about
the effectiveness of the operation on an internal control procedure?
a. Confirmation with outside parties c. Recomputation of account balance
b. Observation of client personnel d. Inquiry of client personnel

14. Which of the following is the correct order for performing the auditing procedures A through C below
A = Tests of Controls
B = Preparation of a flowchart depicting the client’s internal control structure
C = Substantive tests
a. ABC b. BAC c. ACB d. BCA

15. After considering a client’s internal control, an auditor has concluded that the system is well designed and is
functioning as anticipated. Under these circumstances, the auditor would most likely
a. Cease to perform further substantive tests
b. Not increase the extent of planned substantive tests

Auditing Theory by: Bee Jay L. De Leon, CPA 15

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
c. Increase the extent of anticipated analytical procedures
d. Perform all tests of controls to the extent outlined in the preplanned audit program

16. After considering internal control, an auditor might decide to

a. Increase the extent of tests of controls and substantive tests in areas where internal control is strong
b. Increase the extent of substantive tests in areas where internal control is weak
c. Reduce the extent of tests of controls in areas where internal control is strong
d. Reduce the extent of both substantive tests and tests of controls in areas where internal control is
strong

17. To obtain an understanding of the relevant policies and procedures of internal control, the auditor performs
all of the following except:
a. Make inquiries c. Make observations
b. Design substantive tests d. Inspect documents and records

18. In an auditor’s consideration of internal control, the completion of a questionnaire is most closely associated
with which of the following?
a. Separation of duties c. Flowchart accuracy
b. Understanding the system d. Tests of controls

19. Before relying on the system of internal control, the auditor obtains a reasonable degree of assurance that
the internal control procedures are in use and operating as planned. The auditor obtains this assurance by
performing planned
a. Substantive tests c. Transaction tests
b. Tests of controls d. Tests of trends and ratios

20. After obtaining an understanding of a client’s controls, an auditor may decide to omit tests of the controls.
Which of the following in not appropriate reason to omit tests of controls?
a. The controls duplicate other controls.
b. The controls appear adequate.
c. Reportable conditions preclude assessing control risk below the maximum.
d. The effort to test controls exceeds the effort saved by not performing substantive tests.

21. In general, a material weakness in internal control may be defined as a condition in which material errors or
irregularities may occur and not be detected within a timely period by
a. An independent auditor during tests of controls.
b. Management when reviewing interim financial statements and reconciling account balances.
c. Employees in the normal course of performing their assigned functions.
d. Outside consultants who issue a special-purpose report on internal control structure.

22. Internal control procedures are not designed to provide reasonable assurance that
a. Transactions are executed in accordance with management's authorization.
b. Access to assets is permitted only in accordance with management's authorization.
c. Irregularities will be eliminated.
d. The recorded accountability for assets is compared with the existing assets at reasonable intervals.

23. A secondary purpose of the auditor's consideration of internal control is to provide

a. A basis for assessing control risk.
b. An assurance that the records and documents have been maintained in accordance with existing
company policies and procedures.
c. A basis for constructive suggestions about improvements in internal control structure.
d. A basis for the determination of the resultant extent of the tests to which auditing procedures are to be
restricted.

24. The auditor's review of the client's internal control is documented in order to substantiate
a. Conformity of the accounting records with GAAP.
b. Adherence to requirements of management.
c. Compliance with generally accepted auditing standards.
d. The fairness of the financial statement presentation.

Auditing Theory by: Bee Jay L. De Leon, CPA 16

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
25. A consideration of internal control made during an audit is usually not sufficient to express an opinion on an
entity's controls because
a. Weaknesses in the system may go unnoticed during the audit engagement.
b. A consideration of internal control is not necessarily made during an audit engagement.
c. Only those controls on which an auditor intends to rely are reviewed, tested, and evaluated.
d. Controls can change each year.

26. The accountant's report expressing an opinion on an entity's internal controls should state that the
a. Objectives of the client's internal controls are being met.
b. Consideration of the internal controls was conducted in accordance with generally accepted auditing
standards.
c. Establishment and maintenance of internal control is the responsibility of management.
d. Inherent limitations of the client's internal controls were examined.

27. The primary objective of procedures performed to obtain an understanding of internal control is to provide
an auditor with
a. Evidential matter to use in reducing detection risk.
b. A basis from which to modify tests of controls.
c. Knowledge necessary to plan the audit.
d. Information necessary to prepare flowcharts.

28. Which of the following is not part of the control environment?

a. Management philosophy and operating style.
b. Organizational structure and methods of assigning authority and responsibility.
c. Information and communication systems.
d. The function of the board of directors and its committees.

29. When obtaining an understanding of the accounting and internal control system the auditor may trace a few
transactions through the accounting system. This technique is:
a. Reperformance test c. Walk-through test
b. Test of transactions d. Validity test

30. Which of the following least likely affects the nature, timing, and extent of the procedures performed by the
auditor to obtain an understanding of the accounting and internal control systems of an audit client?
a. Materiality considerations
b. The auditor’s assessment of inherent risk
c. The level of acceptable detection risk
d. The size and complexity of the entity and of its computer system

31. The evaluation of deviations that were observed upon completing tests of controls
a. May require the need for doing more extensive understanding of control.
b. May require more extensive tests of controls.
c. Always requires documentation of the basis of assessment of control risk.
d. May require modification of the nature, timing, and extent of planned substantive procedures.

32. The following statements are true about observation when used as tests of control procedures, except.
a. The auditor may supplement his observations with other tests of control capable of providing audit
evidence.
b. Audit evidence obtained by doing observation pertains only to the point in time at which the procedure
was applied.
c. Observation of who applies a control procedure is useful as a test of control procedures when evaluating
control effectiveness of both computerized and manual system
d. Ordinarily, making inquiries provides more reliable audit evidence than doing observation when testing
segregation of functional responsibilities.

33. Tests of controls may include the following, except:

a. Reperformance of internal control procedures
b. Inquiries about, and observation of, internal controls which leave no audit trail.
c. Inspection of documentary support for transactions evidencing authorization
d. Analytical procedures involving comparison of operating expenses with budgeted amount.

Auditing Theory by: Bee Jay L. De Leon, CPA 17

CONSIDERATIONS OF ENTITY’S INTERNAL CONTROL
34. Tests of controls are performed to obtain audit evidence about the effectiveness of the
a. Operation of the internal controls at the time the tests are being applied.
b. Operations of the internal controls in eliminating fraud and errors.
c. Design of the internal controls in eliminating fraud and errors.
d. Design of the accounting and internal controls systems.

35. The auditor should consider whether the assessment of control risk is confirmed
a. Upon completion of understanding of internal control.
b. Upon completion of tests of controls
c. Before the final audit program is completed.
d. Upon the conclusion of the audit, based on the results of substantive procedures and other audit
evidence obtained.

Auditing Theory by: Bee Jay L. De Leon, CPA 18