9) When a client uses a service center for processing transactions,
A) the auditor can assume that the controls are adequate because it is an independent enterprise.
B) auditing standards require the auditor to test the service center’s controls if the service center
application involves processing significant financial data.
C) and the user auditor decides to rely on the service auditor’s report, the user audit must make
reference to the report of the service auditor in the opinion on the user organization’s financial
statements.
D) none of the above
10) In evaluating the operational effectiveness of internal controls, the auditor is likely to use
four types of audit procedures. List the procedures below.
11) The procedures to obtain an understanding of internal control are only applied when the
assessed control risk is high.
12) Controls that are applied throughout the accounting period must be tested both at an interim
date and then again on the balance sheet date.
13) When there are a number of controls tested in prior audits that have not been changed,
auditing standard require auditors to test some of those controls each year to ensure there is a
rotation of controls testing throughout the three-year period.
12.4 Learning Objective 12-4
1) Which of the following is a correct statement?
A) The auditor uses the control risk assessment and results of tests of controls to determine
planned detection risk.
B) The auditor links the inherent risk assessments to the balance-related audit objectives.
C) The audit risk model is used determine the level of audit risk.
D) All of the above are correct statements.
2) The auditor assesses control risk for each related audit objective and supports control risk
assessments with tests of controls.
12.5 Learning Objective 12-5
1) How must significant deficiencies and material weaknesses be communicated to those charged
with governance?
A) Either oral or written communication is acceptable.
B) Oral communication is required.
C) Written communication is required.
D) Written communication is required for material weaknesses, but oral communication is
allowed for significant deficiencies.
2) Auditors often identify less significant internal control-related issues, as well as opportunities
for the client to make operational improvements in the
A) adverse opinion.
B) Section 404 report.
C) management letter.
D) Type 1 report.
3) The auditor will issue an unqualified opinion on internal control over financial reporting when
A) there are no identified material weaknesses as of the end of the fiscal year.
B) there have been no restrictions on the scope of the auditor’s work.
C) both a and b
D) either a or b
4) What type of report is issued when one or more material internal control weaknesses exist?
A) unqualified opinion
B) disclaimer of opinion
C) adverse opinion
D) qualified opinion
5) Which of the following is true regarding the auditor’s opinion on the effectiveness of internal
control?
A) The auditor is attesting to the effectiveness of internal controls as of the end of the fiscal year.
B) If the client remedies a material weakness before the end of the fiscal year, the auditor must
still issue a qualified opinion or a disclaimer of opinion.
C) A scope limitation requires the auditor to issues an adverse opinion.
D) Section 404 requires that the auditor design the audit to detect all deficiencies in internal
control.
6) When determining what type of report to issue on internal control under Section 404,
A) an adverse opinion on internal control must be given if any weaknesses in a key internal
control is discovered.
B) a scope limitation requires the auditor to disclaim an opinion on internal controls.
C) if the auditor gives a qualified opinion on the financial statements, they must give a qualified
opinion on internal controls.
D) a scope limitation requires the auditor to express a qualified opinion or a disclaimer of
opinion on internal controls.
7) The scope of the auditor’s report on internal control is limited to obtaining reasonable
assurance that significant weaknesses in internal control are identified.
8) To issue an unqualified opinion on internal control over financial reporting, there must be no
identified material weaknesses and no restrictions on the scope of the audit.
12.6 Learning Objective 12-6
1) It is generally possible for small companies to have all of the following except for
A) adequate documents and records.
B) physical controls over assets.
C) competent, trustworthy personnel.
D) internal auditors.
2) The auditor designs and performs a combination of tests of controls and substantive
procedures to obtain reasonable assurance that the financial statements are fairly stated when
control risk
A) is assessed above the maximum.
B) is assessed below the maximum.
C) cannot be assessed.
D) none of the above
3) In the audit of a private company, the auditor will test internal controls when control risk is
initially assessed at
A)
Low
Moderate
High
Yes
No
Yes
B)
Low
Moderate
High
No
No
Yes
C)
Low
Moderate
High
Yes
Yes
No
D)
Low
Moderate
High
No
Yes
No
4) Which of the following may represent the biggest challenge smaller public companies and
nonpublic companies face in implementing effective internal control?
A) a lack of competent, trustworthy personnel
B) no clear lines of authority
C) no adequate separation of duties
D) a lack of adequate documents and records
5) Which of the following is most correct for audits of non-public companies?
A) An audit of internal control is required.
B) An audit of internal control is not required.
C) An audit of the design of internal controls is required.
D) An audit of the operational effectiveness of internal controls is required.
6) If, when obtaining an understanding of control activities of a relatively small client, the
auditor identified no control activities, the auditor would probably set a high assessment of
control risk.
7) The auditor obtains a sufficient understanding of internal control to assess the risk of material
misstatement at the overall financial statement level and at the relevant assertion level.
8) The procedures used to gain an understanding of internal control do not vary from client to
client.
9) In an audit of a nonpublic company, the less control risk there is, the smaller the amount of
planned substantive evidence that is required.
10) The assessment of control risk does not impact the testing of controls.
11) A company’s size should have no impact on the nature of internal control and the controls
that are implemented.
12) Control risk is generally set at minimum for most private companies.
12.7 Learning Objective 12- 7
1) The auditor’s objective in determining whether the client’s computer program correctly
processes valid and invalid transactions is accomplished through the
A) test data approach.
B) generalized audit software approach.
C) microcomputer-aided auditing approach.
D) generally accepted auditing standards.
2) When using the test data approach,
A) auditors process test data supplied by the client.
B) auditors often obtain assistance from a computer audit specialist.
C) the tests must be performed at the end of the year.
D) the test data must remain in the client’s records.
3) Which of the following is not seen as an advantage to using generalized audit software
(GAS)?
A) Auditors can learn the software in a short period of time.
B) It can be applied to a variety of clients after detailed customization.
C) It can be applied to a variety of clients with minimal adjustments to the software.
D) It greatly accelerates audit testing over manual procedures.
4) When using the test data approach,
A) test data should include data that the client’s system should accept or reject.
B) application programs tested by the auditor’s test data must be different from those used by the
client throughout the year.
C) select data may remain in the client system after testing.
D) None of the above statements is correct.
5) Auditing by testing automated internal controls and account balances electronically, generally
because effective general controls exist, is known as
A) auditing through the computer.
B) auditing around the computer.
C) embedded audit module approach.
D) parallel simulation testing.
6) Which of the following computer-assisted auditing techniques inserts an audit module in the
client’s application system to identify specific types of transactions?
A) parallel simulation testing
B) test data approach
C) embedded audit module
D) generalized audit software testing
7) Which of the following best describes the test data approach?
A) Auditors process their own test data using the client’s computer system and application
program.
B) Auditors process their own test data using their own computers that simulate the client’s
computer system.
C) Auditors use auditor-controlled software to do the same operations that the client’s software
does, using the same data files.
D) Auditors use client-controlled software to do the same operations that the client’s software
does, using auditor created data files.
8) Describe three computer auditing techniques available to the auditor.
9) Discuss the advantages and benefits of using generalized audit software.
10) Auditors often use Generalized Audit Software during their testing of a client’s internal
controls. For the following uses of the software provide a description and an example.
Verify extensions and footings
Print confirmation requests
Compare data on separate files
11) The embedded audit module approach requires the auditor to insert an audit module in the
client’s application system to to identify specific types of transactions.
12) The objective of the test data approach is to determine whether the client’s computer
programs can correctly process valid and invalid transactions.
13) Parallel simulation is used primarily to test internal controls over the client’s IT systems,
whereas the test data approach is used primarily for substantive testing.
14) Generalized audit software is used to test automated controls.