1.

In assessing the competence and objectivity of an entity’s internal auditor, an independent auditor would least likely
consider information obtained from d. The results of analytical procedures.

2. For which of the following judgments may an independent auditor share responsibility with an entity’s internal auditor
who is assessed to be both competent and objective? Materiality of Misstatements/Evaluation of Significant Accounting
Estimates: d. No and No.

3. In assessing the competence of an internal auditor, an independent CPA most likely would obtain information about
the a. Quality of the internal auditor’s documentation.

4. In assessing the objectivity of internal auditors, an independent auditor should d. Determine the organizational level
to which the internal auditors report.

5. For which of the following judgments may an independent auditor share responsibility with an entity’s internal auditor
who is assessed to be both competent and objective? Assessment of Inherent Risk/Assessment of Control Risk: d. No and
No.

6. During an audit, an internal auditor may provide direct assistance to an independent CPA in Obtaining an
Understanding of Internal Control / Performing Test of Controls/ Performing Substantive tests: d. Yes, Yes, and Yes.

7. An internal auditor’s work would most likely affect the nature, timing, and extent of an independent auditor’s auditing
procedures when the internal auditor’s work relates to assertions about the c. Existence of fixed asset additions.

8. Which approach to planning, performing, supervising, reviewing, and documenting internal audit activities
distinguishes it from other monitoring controls that may be performed within the entity? A systematic and disciplined
approach.

9. Miller Retailing, Inc., maintains a staff of three full-time internal auditors. The independent auditor has found that they
are competent and objective. Moreover, the work of the internal auditors is relevant to the audit, and it is efficient to
consider how that work may affect the audit. The independent auditor most likely will a. Nevertheless need to make
direct tests of assertions about material financial statement amounts for which the risks of material misstatement are
high.

10. The work of internal auditors may affect the independent auditor’s I. Procedures performed in obtaining an
understanding of internal control, II. Procedures performed in assessing the risks of material misstatement, III.
Substantive procedures performed in gathering direct evidence: d. I, II and III.

11. When assessing an internal auditor’s competence, an auditor ordinarily obtains information about all of the following
except d. Access to information about related parties.

12. An auditor might consider the procedures performed by the internal auditors because b. They are employees whose
work may affect the nature, timing, and extent of audit procedures.

13. The independent auditor should understand the internal audit function as it relates to internal control because c.
The work performed by internal auditors may be a factor in determining the nature, timing, and extent of the
independent auditor’s procedures.

14. In connection with the audit of financial statements by an auditor, the client suggests that members of the internal
audit staff be used to minimize audit costs. For which of the following tasks may the auditor most appropriately request
direct assistance from the internal audit staff? b. Preparation of schedules for negative accounts receivable responses.
15. If the auditors decide that it is efficient to consider how the work performed by the internal auditors may affect the
nature, timing, and extent of audit procedures, they should assess the internal auditors’ a. Competence and objectivity.

16. Buldger Retailing, Inc., has an internal auditing staff of four full-time auditors. The auditor has determined that the
internal auditors are competent and objective. The auditor may share which of the following responsibilities with
Buldger’s internal auditors? b. Performing substantive procedures.

17. An internal auditor would least likely provide direct assistance to the auditor in d. Evaluating accounting estimates.

18. When assessing the internal auditors’ competence, the auditor should obtain information about the b. Educational
background and professional certification of the internal auditors.

19. When assessing an internal auditor’s objectivity, an auditor should c. Consider the organizational level to which the
internal auditor reports.

20. In assessing the competence of a client’s internal auditor, an auditor most likely would consider the a. Internal
auditor’s compliance with professional internal auditing standards.

21. In assessing the competence of internal auditors, an independent CPA most likely would obtain information about
the c. Quality of the internal auditors’ working paper documentation.

22. Which of the following factors most likely would assist an auditor in assessing the objectivity of the internal auditor?
a. The organizational status of the director of internal audit.

23. When assessing the competence of the internal auditors, an auditor should obtain information about the b. Quality
of the internal auditors’ working paper documentation.

24. When assessing internal auditors’ objectivity, an auditor should a. Consider the policies that prohibit the internal
auditors from auditing areas where they were recently assigned.

25. The company being audited has an internal auditor that is both competent and objective. The auditor wants to assign
tasks for the internal auditor to perform. Under these circumstances, the auditor may a. Allow the internal auditor to
perform tests of internal controls.

26. Which of the following factors should an external auditor obtain updated information about when assessing an
internal auditor’s competence? b. The educational level and professional experiences of the internal auditor.

27. Which of the following statements is correct regarding an independent auditor’s reliance on a client’s internal audit
staff? b. An independent auditor should assess the organizational status of the director of internal audit.

28. In which of the following circumstances is an auditor most likely to rely on work done by internal auditors? For
financial statement amounts judged by the auditor to require little or no subjectively evaluated audit evidence.

29. The primary objective of procedures performed to obtain an understanding of internal control is to provide an
auditor with a. Knowledge necessary for audit planning.

30. An auditor uses the knowledge provided by the understanding of internal control and the assessed risks of material
misstatement primarily to d. Determine the nature, timing, and extent of substantive procedures for financial
statement assertions.
31. In an audit of financial statements, an auditor’s primary consideration regarding an internal control is whether the
control b. Affects management’s financial statement assertions.

32. Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an
entity’s internal control? a. Incompatible duties.

33. Internal control can provide only reasonable assurance of achieving an entity’s control objectives. The likelihood of
achieving those objectives is affected by which limitation inherent to internal control? c. The cost of internal control
should not exceed its benefits.

34. Internal control cannot be designed to provide reasonable assurance that b. Fraud will be eliminated.

35. Although substantive tests may support the accuracy of underlying information used in monitoring, these tests may
provide no affirmative evidence of the effectiveness of monitoring controls because b. The information used in
monitoring may be accurate even though it is subject to ineffective control.

36. Which of the following factors would most likely be considered an inherent limitation to an entity’s internal control?
b. Human judgment in the decision making process.

37. Which of the following is an inherent limitation in internal control? c. Faulty human judgment.

38. Which of the following is an inherent limitation of internal control? b. Collusion.

39. Which of the following represents an example of an inherent limitation of internal controls? b. The CEO can override
a control and request a check with no purchase order.

40. An auditor is concerned about management override as a limitation of internal control. Which of the following tests
would best assess the validity of the auditor’s concern? b. Verifying that approved spending limits are not exceeded.

41. Which of the following statements is correct regarding internal control? b. An inherent limitation of internal control
is that controls can be circumvented by management override.

42. Internal controls are designed to provide reasonable assurance that a. Material errors or fraud will be prevented, or
detected and corrected, within a timely period by employees in the course of performing their assigned duties.

43. The design or operation of a control may not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. According to AU-C 265, this
circumstance is a c. Control deficiency.

44. An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects
this philosophy for a large dollar investment in heavy machine tools? c. Imprinting a controlled identification number
on each tool.

45. An auditor is evaluating a client’s internal controls. Which of the following situations would be the most difficult
internal control issue for an auditor to detect? c. Two employees, who work in different departments, are
circumventing an internal control.

46. Which of the following items is an example of an inherent limitation in an internal control system? b. Human error in
decision making.
47. Which of the following situations represents a limitation, rather than a failure, of internal control? A purchasing
employee and an outside vendor participate in a kickback scheme.

48. An auditor would most likely be concerned with controls that provide reasonable assurance about the d. Entity’s
ability to initiate, authorize, record, process, and report financial data.

49. Which of the following is a management control method that most likely could improve management’s ability to
supervise company activities effectively? c. Establishing budgets and forecasts to identify variances from expectations.

50. Which of the following are considered control environment elements? Detection Risk/ Commitment to Competence:
c. No and Yes.

51. Which of the following is not a component of internal control? a. Control risk.

52. Which of the following factors are included in an entity’s control environment? Audit Committee Participation/
Integrity and Ethical Values/ Organizational Structure: d. Yes, Yes, and Yes.

53. Which of the following components of internal control includes development and use of training policies that
communicate prospective roles and responsibilities to employees? b. Control environment.

54. Proper segregation of duties reduces the opportunities to allow persons to be in positions both to d. Perpetrate and
conceal fraud and error.

55. Proper segregation of functional responsibilities to achieve effective internal control calls for separation of the
functions of b. Authorization, recording, and custody.

56. An auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial
reporting. Adequate safeguards over access to and use of assets means protection from d. Losses arising from access by
unauthorized persons.

57. Internal control is a function of management, and effective control is based upon the concept of charge and
discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control? b.
Responsibility for the performance of each duty must be fixed.

58. Which of the following statements about internal control is correct? d. The cost-benefit relationship is a primary
criterion that should be considered in designing internal control.

59. Which of the following best describes an inherent limitation that should be recognized by an auditor when
considering the potential effectiveness of internal control? a. Controls, whether manual or automated, whose
effectiveness depends on segregation of duties can be circumvented by collusion.

60. Which of the following is not a valid concept of internal control? a. When one person is responsible for all phases of
a transaction, there should be a clear designation of that person’s responsibility.

61. Transaction authorization within an organization may be either specific or general. An example of specific transaction
authorization is the b. Approval of a detailed construction budget for a warehouse.

62. It is important for the auditor to consider the competence of the audit client’s employees, because their competence
bears directly and importantly upon the b. Achievement of the objectives of internal control.
63. Effective internal control in a small company that has an insufficient number of employees to permit proper division
of responsibilities can best be enhanced by b. Direct participation by the owner of the business in the recordkeeping
activities of the business.

64. The control environment may decrease the effectiveness of control activities when b. Management has substantial
incentives for meeting earnings projections.

65. Internal control has five components: the control environment, risk assessment, information and communication,
monitoring, and control activities. Control activities relevant to an audit may be categorized as policies and procedures
that pertain to a. Reviewing actual performance.

66. Which of the following factors is most relevant when an auditor considers the client’s organizational structure in the
context of the risks of material misstatement? d. The suitability of the client’s lines of reporting.

67. Which of the following procedures is an auditor most likely to include in the planning phase of a financial statement
audit? a. Obtain an understanding of the entity’s risk assessment process.

68. Proper segregation of duties reduces the opportunities to allow any employee to be in a position to both d. Record
and conceal fraudulent transactions in the normal course of assigned tasks

69. Each of the following types of controls is considered to be an entity-level control, except those c. Regarding the
company’s annual stockholder meeting.

70. Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small
organization? d. Allowing for greater management oversight of incompatible activities.

71. Which of the following best describe the interrelated components of internal control? b. Control environment; risk
assessment process; control activities; the information system, including related business processes; and monitoring
of controls.

72. Which of the following are considered control environment factors? Detection Risk/ Human Resources Policies and
Practices: c. No and Yes.

73. Control activities constitute one of the five components of internal control described in the COSO model. Control
activities do not encompass d. An internal auditing function.

74. Basic to a proper control environment are the quality and integrity of personnel who must perform the prescribed
procedures. Which is not a factor in providing for competent personnel? a. Segregation of duties.

75. A proper segregation of duties requires that an individual d. Recording a transaction not compare the accounting
record of the asset with the asset itself.

76. A small private entity may use less formal means to ensure that internal control objectives are achieved. For example,
extensive accounting procedures, sophisticated accounting records, or formal controls are least likely to be needed if a.
Management is closely involved in operations.

77. Although substantive procedures may support the accuracy of underlying records, these tests frequently provide no
affirmative evidence of segregation of duties because b. The records may be accurate even though they are maintained
by a person who performs incompatible functions.

78. Which of the following is a factor in the control environment? d. Management’s philosophy and operating style.
79. Which of the following is a component of internal control? c. Risk assessment.

80. Which of the following would an auditor most likely consider in evaluating the control environment of an audit
client? d. Management’s operating style.

81. Which of the following components of internal control would be considered the foundation for the other
components? Control environment

82. Which of the following activities by small business clients best demonstrates management integrity in the absence of
a written code of conduct? Emphasizing ethical behavior through oral communication and management example.

83. In obtaining an understanding of internal control in a financial statement audit, an auditor is not obligated to d.
Search for significant deficiencies in the operation of internal control.

84. As part of understanding internal control relevant to the audit of a non issuer, an auditor does not need to d. Obtain
knowledge about the operating effectiveness of internal control.

85. An auditor should obtain an understanding of an entity’s information system, including b. Process used to prepare
significant accounting estimates.

86. In obtaining an understanding of controls that are relevant to audit planning, an auditor is required to obtain
knowledge about the a. Design of the controls included in the internal control components.

87. When obtaining an understanding of an entity’s internal control, an auditor should concentrate on their substance
rather than their form because b. Management may establish appropriate controls but not enforce compliance with
them.

88. In obtaining an understanding of a manufacturing entity’s internal control concerning inventory balances, an auditor
most likely would a. Review the entity’s descriptions of inventory policies and procedures.

89. In an audit of financial statements in accordance with generally accepted auditing standards, an auditor should d.
Document the auditor’s understanding of the entity’s internal control.

90. The auditor should document the understanding of internal control. For example, a narrative memorandum may be
used to b. Provide a written description of the process and flow of documents and of the control points.

91. The auditor observes client employees while obtaining an understanding of internal control to c. Obtain knowledge
of the design and implementation of relevant controls.

92. A conceptually logical approach to the auditor’s consideration of relevant controls consists of the following four
steps: I. Determine whether the relevant controls are capable of preventing, or detecting and correcting, material
misstatements and have been implemented. II. Evaluate the operating effectiveness of relevant controls. III. Assess the
risks of material misstatement. IV. Design further audit procedures. What is the most logical order in which these four
steps are performed? c. I, III, IV, II.

93. The auditor’s understanding of internal control is documented to substantiate b. Compliance with generally
accepted auditing standards.

94. Which of the following statements regarding auditor documentation of the understanding of the client’s internal
control components obtained to plan the audit is correct? d. No one particular form of documentation is necessary, and
the extent of documentation may vary.
95. Which of the following audit techniques ordinarily would provide an auditor with the least assurance about the
operating effectiveness of an internal control activity? d. Preparation of system flowcharts.

96. Which of the following factors is least likely to affect the extent of the auditor’s understanding of the entity’s internal
controls? a. The amount of time budgeted to complete the engagement.

97. Which of the following procedures most likely will provide an auditor with sufficient evidence about whether an
entity’s controls are suitably designed and have been implemented to prevent, or detect and correct, material
misstatements? d. Observing the entity’s personnel applying the controls.

98. An auditor uses the audit evidence provided by the understanding of internal control and the assessment of the risks
of material misstatement to determine the nature, timing, and extent of d. Further audit procedures.

99. Which of the following is not a medium that can normally be used by an auditor to record information concerning
internal control? b. Procedures manual.

100. Which of the following is the most logical order of performing steps I through III below? I. Tests of controls, II.
Understanding of internal control, III. Substantive procedures: c. II, I, III.

101. In planning an audit, the auditor’s knowledge about the design of relevant controls should be used to a. Identify the
types of potential misstatements that could occur.

102. For the audit of a nonissuer, the primary objective of procedures performed to obtain an understanding of internal
control is to provide an auditor with b. Knowledge necessary to plan the audit.

103. Which of the following factors is most likely to affect the extent of the documentation of the auditor’s
understanding of a client’s system of internal controls? b. The degree to which information technology is used in the
accounting function.

104. Obtaining an understanding of an internal control involves evaluating the design of the control and determining
whether the control has been b. Implemented.

105. When obtaining an understanding of an entity’s control environment, an auditor should concentrate on the
substance of controls rather than their form because c. Management may establish appropriate controls but not act on
them.

106. After obtaining an understanding of the entity and its environment, including its internal control, the auditor
assesses d. Control risk and inherent risk to determine the acceptable level of detection risk.

107. The primary purpose of obtaining an understanding of the entity and its environment, including its internal control,
is to provide an auditor with b. A frame of reference within which to plan the audit.

108. The ultimate purpose of understanding internal control is to contribute to the auditor’s evaluation of the risk that b.
Material misstatements may exist in the financial statements.

109. The following are steps in the financial statement audit process: I. Prepare flowchart, II. Gather exhibits of all
documents, III. Interview personnel. The most logical sequence of steps is c. III, II, I.

110. In obtaining an understanding of internal control, the auditor may trace several transactions through the control
process, including how the transactions interface with any service organizations whose services are part of the
information system. The primary purpose of this task is to b. Determine whether the controls have been implemented.
111. According to AU-C 315, Understanding the Entity and its Environment and Assessing the Risks of Material
Misstatement, not all controls are relevant to a financial statement audit. Which one of the following would most likely
be considered in an audit? b. Maintenance of control over unused checks.

112. In order to obtain an initial understanding of internal control sufficient to assess the risk of material misstatement of
the financial statements, an auditor would most likely perform which of the following procedures? Risk-assessment
procedures to evaluate the design of relevant controls.

113. An auditor’s flowchart of a client’s accounting system is a diagrammatic representation that depicts the auditor’s
Understanding of the system.

114. The following is a section of a system flowchart for a payroll application: Symbol X could represent b. An error
report.

115. An advantage of using systems flowcharts to document information about internal control instead of using internal
control questionnaires is that systems flowcharts b. Provide a visual depiction of clients’ activities.

116. When documenting internal control, the independent auditor sometimes uses a systems flowchart, which can best
be described as a d. Symbolic representation of a system or series of sequential processes.

117. The normal sequence of documents and operations on a well-prepared systems flowchart is a. Top to bottom and
left to right.

118. Decision tables differ from program flowcharts in that decision tables emphasize b. Logical relationships among
conditions and actions.

119. In an audit of financial statements of a nonissuer in accordance with GAAS, an auditor is required to a. Document
the auditor’s understanding of the entity’s internal control components.

UNIT 9.1 TO 9.4

2. Which of the following matters would an auditor most likely consider to be a significant deficiency or material
weakness to be communicated to those charged with governance? c. Evidence of a lack of objectivity by those
responsible for accounting decisions.

3. During consideration of internal control in a financial statement audit, an auditor is not obligated to a. Search for
significant deficiencies in the operation of internal control.

4. Management may already know of the existence of significant deficiencies or material weaknesses in internal control.
Which of the following is a true statement about the auditor’s communication in this situation? d. The auditor should
communicate these control conditions in writing regardless of a decision by management and those charged with
governance not to remedy them.

5. Which of the following issues related to internal control over financial reporting are required to be communicated in
writing to management and those charged with governance? I. Deficiencies in internal control, II. Significant
deficiencies, III. Material weaknesses: b. II and III only.
6. Which of the following statements is true about the auditor’s communication of a material weakness in internal
control? c. Suggested corrective action for management’s consideration concerning a material weakness need not be
communicated to the client.

7. The development of constructive suggestions to a client for improvements in its internal control is a d. Desirable by-
product of an audit engagement.

8. Under the AICPA’s auditing standards, which of the following statements about an auditor’s communication of
significant control deficiencies is true? c. An auditor’s report on significant control deficiencies should include a
restriction on the use of the report.

9. When communicating significant deficiencies in internal control noted in a financial statement audit of a nonissuer, the
communication should indicate that d. The purpose of the audit was to report on the financial statements, not to
provide assurance on internal control.

10. Which of the following statements is true about significant deficiencies identified in an audit? d. The auditor should
identify those significant deficiencies considered to be material weaknesses.

11. Which of the following statements about an auditor’s communication of internal control related matters identified in
an audit of a nonissuer is true? d. The auditor should communicate significant internal control related matters no later
than 60 days after the report release date.

12. When reporting to the audit committee on conditions relating to an entity’s internal control observed during an audit
of a nonissuer’s financial statements, the auditor should include a d. Restriction on the use of the report.

13. Which of the following statements about significant deficiencies and material weaknesses in internal control is true
for an audit of a nonissuer? c. An auditor may communicate significant deficiencies and material weaknesses during
an audit or after the audit’s completion.

14. A secondary result of the auditor’s understanding of internal control for a nonissuer is that the understanding may c.
Bring to the auditor’s attention possible control conditions required to be communicated to the client.

15. Which of the following is least likely indicative of a significant deficiency or material weakness in internal control? b.
A potential future internal control problem having no effect on the current period.

16. An auditor is required to establish an understanding with a client regarding the services to be performed for each
engagement. For an auditor of a nonissuer, this understanding generally includes c. The auditor’s responsibility for
ensuring that management and those charged with governance are aware of any significant deficiencies or material
weaknesses in control that come to the auditor’s attention.

17. Which of the following is true regarding significant deficiencies and material weaknesses in control for a nonissuer?
b. Auditors should communicate them to management and those charged with governance.

18. Which of the following best describes the responsibility of an auditor of a private entity with respect to significant
deficiencies and material weaknesses under AU-C 265, Communication of Internal Control Related Matters Identified in
an Audit? c. The communication by the auditor must be in writing.

19. Which of the following representations should not be included in a written report on internal control related matters
identified in an audit under the AICPA’s auditing standards? b. There are no significant deficiencies or material
weaknesses in the design or operation of internal control.
20. A CPA had previously communicated a significant control deficiency in connection with an audit of prior financial
statements of a nonissuer. As of the current audit date, the deficiency has not been corrected. What communication
should be made by the CPA? d. The condition should be reported.

21. Which of the following circumstances would be inappropriate for the auditor to communicate to those charged with
governance? b. No significant deficiencies in internal control exist that would affect the financial statements.

22. An auditor would least likely initiate a discussion with a client’s audit committee concerning b. The maximum dollar
amount of misstatements that could exist without causing the financial statements to be materially misstated.

23. Which of the following is true about the auditor’s communication with those charged with governance? b. The
communication should be a two-way discourse between the auditor and those charged with governance.

24. Which of the following matters should an auditor communicate to those charged with governance? b. The process
used by management in formulating sensitive accounting estimates.

25. In an audit engagement, should an auditor communicate the following matters to those charged with governance?
Auditors’ Judgments About the Quality of the Client’s Accounting Principles, Issues Discussed with Management Prior to
the Auditors Retention: a. Yes and Yes.

26. During the planning phase of an audit, an auditor is identifying matters for communication to those charged with
governance. The auditor most likely would ask management whether c. There were changes in the application of
significant accounting policies.

27. Which of the following statements is true about an auditor’s communication to those charged with governance? b.
The auditor is required to inform those charged with governance about misstatements discovered by the auditor and
not subsequently corrected by management.

28. Which of the following statements is true about an auditor’s communication with those charged with governance? b.
This communication should include management changes in the application of significant accounting policies.

29. Which of the following statements is true about an auditor’s communication with those charged with governance? a.
This communication should include disagreements with management about audit adjustments, whether or not
satisfactorily resolved.

30. It would not be appropriate for the auditor to initiate discussion with the audit committee concerning b. Details of
the procedures that the auditor intends to apply.

31. An auditor has withdrawn from an audit engagement of an issuer after finding fraud that may materially affect the
financial statements. The auditor should set forth the reasons and findings in communication to the d. Board of
directors.

32. In identifying matters for communication with an entity’s audit committee, an auditor most likely would ask
management whether b. It consulted with another CPA firm about accounting matters.

33. Which of the following matters is an auditor not required to communicate to an entity’s audit committee? d. The
degree of reliance the auditor placed on the management representation letter.

34. Which of the following matters is an auditor required to communicate to those in the entity charged with
governance? I. Disagreements with management about matters significant to the entity’s financial statements that have
been satisfactorily resolved, II. Initial selection of significant accounting policies in emerging areas that lack authoritative
guidance: c. Both I and II.

35. An auditor’s communication with those charged with governance is required to include the c. Discussion of
disagreements with management about matters that significantly affect the entity’s financial statements.

36. Which of the following matters is an auditor required to communicate to those charged with governance? a.
Adjustments that were suggested by the auditor and recorded by management that have a significant effect on the
entity’s financial reporting process.

37. Which of the following disagreements between the auditor and management do not have to be communicated by
the auditor to those charged with governance? d. Disagreements of the amount of the LIFO inventory layer based on
preliminary information.

38. In communicating with those charged with governance, the auditor must decide whether to communicate with the
audit committee or the client’s entire board of directors. Which of the following considerations will be least relevant to
this decision? Management’s preference.

39. Firms subject to the reporting requirements of the Securities Exchange Act of 1934 are required by the Foreign
Corrupt Practices Act of 1977 to maintain satisfactory internal control. Moreover, the Sarbanes-Oxley Act of 2002
requires that annual reports include (1) a statement of management’s responsibility for establishing and maintaining
adequate internal control and procedures for financial reporting, and (2) management’s assessment of their
effectiveness. The role of the registered auditor relative to the assessment made by management is to d. Determine
whether management’s report is complete and properly presented.

40. Which of the following best describes a CPA’s responsibility to report on an issuer’s (public company’s) internal
control over financial reporting? a. To examine the effectiveness of its internal control.

41. The auditor of an issuer must express an opinion on the effectiveness of internal control. The opinion should be
expressed As of a Specified Date, For a Specified Period of Time: b. Yes and No.

42. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued a document in 1992 that has
been embraced by numerous organizations, including the AICPA and the GAO. That document is titled b. Internal
Control--Integrated Framework.

43. An auditor is auditing internal control in conjunction with the audit of financial statements for an issuer. The auditor
is considering the appropriate materiality level for planning the audit of internal control. Relative to the materiality level
for the audit of the financial statements, materiality levels for the audit of internal control are c. The same.

44. In obtaining an understanding of an issuer’s internal control, an auditor does all the following except d. Send
confirmations to customers.

45. The audit of internal control over financial reporting should test Design Effectiveness, Operating Effectiveness: a. Yes
and Yes.

46. In an examination of internal control over financial reporting, which deficiencies in control should be communicated
in writing to those charged with governance? d. Both material weaknesses and significant deficiencies.
47. An auditor is conducting an integrated examination of internal control with the audit of a nonissuer’s financial
statements. In applying the top-down approach, the auditor first a. Focuses on entity-level controls and then significant
accounts.

48. Management of an issuer subject to SEC requirements requests the auditor to report on whether a previously
reported material weakness in internal control continues to exist. The request comes 3 months after the annual audited
financial statements and report on internal control were released. c. The auditor may accept the engagement if
management provides a statement that the identified material weakness no longer exists.

49. Brown, CPA, has accepted an engagement to examine the effectiveness of the internal control over financial
reporting of Crow Company (a nonissuer) and to issue a report on such examination. In what form does Crow present its
written assertion about effectiveness? I. In a separate report that accompanies Brown’s report, II. In a representation
letter to Brown: a. I and II.

50. Snow, CPA, was engaged by Master Co., a nonissuer, to examine the effectiveness of Master’s internal control over
financial reporting as part of an integrated audit. Snow’s report should state that a. Because of inherent limitations,
internal control may not prevent, or detect and correct, misstatements.

51. An auditor expresses an unmodified opinion directly on internal control over financial reporting after an examination
integrated with a financial statement audit. As a result, the d. Auditor believes that controls are effective.

52. Cain Company’s management engaged Bell, CPA, to examine the effectiveness of Cain’s internal control over financial
reporting. Bell’s report, which was accompanied by management’s separate report presenting its written assertion about
the effectiveness of internal control, described several material weaknesses and potential errors and fraudulent activities
that could occur. Subsequently, management included Bell’s report in its annual report to the board of directors with a
statement that the cost of correcting the weaknesses would exceed the benefits. Bell should a. Disclaim an opinion as to
management’s cost-benefit statement.

53. In the audit of a nonissuer, the auditor reports on the effectiveness of an entity’s internal control over financial
reporting. Which of the following is not a condition of that engagement? c. Management provides assurance that
limitations inherent to internal control have been eliminated.

54. The auditor’s report expressing an opinion directly on the effectiveness of an entity’s internal control over financial
reporting should include all the following except d. A statement that the entity’s internal control is consistent with that
of the prior year after giving effect to subsequent changes.

55. In reporting on an examination of an issuer’s internal control over financial reporting, an auditor should include a
paragraph that describes the d. Limitations inherent to all internal control.

56. An auditor’s report on an examination of internal control over financial reporting is least likely to be issued as a result
of b. A review of the annual financial statements of a large corporation.

57. When engaged to express an opinion about the effectiveness of a nonissuer’s internal control over financial
reporting, the auditor should a. Obtain management’s written representation acknowledging responsibility for
establishing and maintaining internal control.

58. An auditor reports on an examination of the effectiveness of an entity’s internal control over financial reporting. If
the control criteria used are established by a regulatory agency, the report should c. Contain a statement of restriction
on use if the criteria have not been subjected to due process procedures and are appropriate only for a limited
number of users.
59. An issuer who is an accelerated filer subject to the Securities Exchange Act of 1934 is required to include in its annual
report an auditor’s opinion on whether internal control over financial reporting was b. Properly designed and operated
effectively.

60. The Sarbanes-Oxley Act of 2002 (SOX) requires management of issuers to do all of the following except d. Provide a
statement that the board approves changes in internal control procedures.

61. A CPA’s understanding of internal control in a financial statement audit of a nonissuer a. Is usually more limited than
that made in an examination of internal control integrated with an audit of financial statements.

62. Which of the following best describes a CPA’s engagement to report on an entity’s internal control over financial
reporting? a. An attest engagement that results in issuance of an examination report relating to the effectiveness of
internal control.

63. Which of the following is a true statement concerning an attest engagement to examine an entity’s internal control
over financial reporting? b. The responsible party evaluates the effectiveness of internal control.

64. Section 404 of the Sarbanes-Oxley Act of 2002 requires each annual report of an issuer to include which of the
following? d. Management’s assessment of the effectiveness of internal control over financial reporting.

65. To ensure that the audit report for an issuer is prepared in accordance with Section 404 of the Sarbanes-Oxley Act of
2002, the report must b. Attest to and report on the internal control assessment made by the management of the
issuer.

66. In an integrated audit of a nonissuer, an auditor should issue an adverse opinion on the effectiveness of an entity’s
internal control in which of the following situations? b. A material weakness exists.

67. Each of the following statements is correct regarding the likely sources of potential misstatements in an integrated
audit of a nonissuer except a. An evaluation of the entity’s information technology risk and controls should be
performed separately from the top-down approach.

68. In the integrated audit of an issuer, which of the following would not be considered an entity-level control? d. The
outside auditor’s assessment process of internal auditor competence and objectivity.

69. During the audit of internal controls integrated with the audit of the financial statements, the auditor discovered a
material weakness in internal control. The auditor most likely will express a(n) a. Adverse opinion on internal control.

70. Which of the following is not a role of the risk assessment in an integrated audit of a nonissuer? a. Concluding on
the effectiveness of a given control.

71. In an integrated audit of a nonissuer, if an auditor concludes that a material weakness exists as of the date specified
in management’s assertion, the auditor should take which of the following actions? c. Issue an adverse opinion.

72. When planning an engagement to examine the effectiveness of the entity’s internal control in an integrated audit of a
nonissuer, a practitioner would least likely consider which of the following factors? The evaluation of the operating
effectiveness of the controls.

73. AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, applies to a financial statement
audit of an entity that uses services of another organization as part of its information system. For this purpose, the user
auditor may need to obtain a service auditor’s report. Which of the following is a true statement about a service
auditor’s report? b. It should include an opinion.

74. Computer Services Company (CSC) processes payroll transactions for schools. Drake, CPA, is engaged to report on
CSC’s controls implemented as of a specific date. These controls are relevant to the schools’ internal control, so Drake’s
report will be useful in providing the schools’ independent auditors with information necessary to plan their audits.
Drake’s report expressing an opinion on CSC’s controls implemented as of a specific date should contain a(n) a.
Description of the scope and nature of Drake’s procedures.

75. Lake, CPA, is auditing the financial statements of Gill Co. Gill uses the EDP Service Center, Inc., to process its payroll
transactions. EDP’s financial statements are audited by Cope, CPA, who recently issued a report on EDP’s internal control.
Lake is considering Cope’s report on EDP’s internal control in assessing control risk on the Gill engagement. What is Lake’s
responsibility concerning making reference to Cope as a basis, in part, for Lake’s own unmodified opinion? d. Lake may
not refer to Cope under the circumstances above.

76. The activities of the user entity and the service organization have a high degree of interaction. The user auditor d.
Need not test the service organization’s internal control if the user entity has effective controls related to service
organization processing.

77. Payroll Data Co. (PDC) processes payroll transactions for a retailer. Cook, CPA, is engaged to issue a report on PDC’s
internal controls implemented as of a specific date. These controls are relevant to the retailer’s internal control, so
Cook’s report may be useful in providing the retailer’s independent auditor with information necessary to plan a financial
statement audit. Cook’s report should a. Contain a disclaimer of opinion on the operating effectiveness of PDC’s
controls.

78. A service auditor’s report on internal control may be issued on management’s description of a service organization
system and the suitability of the design of controls or management’s description of a service organization system and the
suitability and operating effectiveness of controls. Which of the following is true about a type 1 report? a. It should state
that the auditor did not test the effectiveness of the controls.

79. Dunn, CPA, is auditing the financial statements of Taft Co. Taft uses Quick Service Center (QSC) to process its payroll.
Price, CPA, is expressing an opinion on management’s description of the controls implemented and their suitability of
design at QSC regarding the processing of its customers’ payroll transactions. Dunn expects to consider the effects of
Price’s report on the Taft engagement. Price’s report should contain a(n) a. Description of the scope and nature of
Price’s procedures.

80. An auditor (the user auditor) may decide to make use of another auditor’s (the service auditor’s) report on internal
control at a service organization that provides certain services to the user auditor’s client. When the client’s transactions
flow through the service organization’s accounting system, consideration of internal control may be necessary. The most
efficient approach is often to obtain a service auditor’s report. Which of the following is a true statement about the
relationship of the user and service auditors? c. When reporting on an audit of financial statements, the user auditor
should not refer to the service auditor’s report if the opinion is unmodified.

81. When an auditor is to conduct an audit of a service organization, what considerations should the auditor make in the
planning stages regarding internal controls of the organization? c. The auditor should determine whether management
has adequately described complementary user controls.

82. An auditor is auditing a mutual fund company that uses a transfer agent to handle accounting for shareholders.
Which of the following actions by the auditor would be most efficient for obtaining information about the transfer
agent’s internal controls? a. Review reports on the suitability of design and operating effectiveness of controls
produced by the agent’s own auditor.

83. Green, CPA, is auditing the financial statements of Ajax Co. Ajax uses the DP Service Center to process its payroll. DP’s
financial statements are audited by Blue, CPA, who recently issued a report on DP’s policies and procedures regarding the
processing of other entities’ transactions. In considering whether Blue’s report is satisfactory for Green’s purposes, Green
should a. Make inquiries about Blue’s professional reputation.

84. Which of the following procedures should a user auditor include in the audit plan to create the most efficient audit
when an audit client uses a service organization for several processes? a. Review the service auditor’s type 1 report.

85. An audit client has substantial assets held in a trust that is managed by the trust department of a bank. Which of the
following actions by the auditor is the most efficient way to obtain information about the trust department’s internal
controls? c. Rely on the trust department’s audit report on internal controls placed in operation and their operating
effectiveness.

UNIT 5.5 ,8.3, 10.4

2. Which of the following statements most likely represents a disadvantage for an entity that keeps digital computer files
rather than manually prepared files? b. It is usually easier for unauthorized persons to access and alter the files.

3. The client’s computer exception reporting system helps an auditor to conduct a more efficient audit because it b.
Highlights abnormal conditions.

4. A small client recently put its cash disbursements system on a server. About which of the following internal control
features would an auditor most likely be concerned? b. The server is operated by employees who have cash custody
responsibilities.

5. Misstatements in a batch computer system caused by incorrect programs or data may not be detected immediately
because c. There are time delays in processing transactions in a batch system.

6. An auditor anticipates relying on the operating effectiveness of controls in a computerized environment. Under these
circumstances, on which of the following activities would the auditor initially focus? d. General controls.

7. In which of the following circumstances would an auditor expect to find that an entity implemented automated
controls to reduce risks of misstatement? d. When transactions are high-volume and recurring.

8. Some data processing controls relate to all computer processing activities (general controls) and some relate to
specific tasks (application controls). General controls include c. Controls for documenting and approving programs and
changes to programs.

9. Which of the following controls most likely could prevent computer personnel from modifying programs to bypass
programmed controls? b. Separation of duties for computer programming and computer operations.

10. For control purposes, which of the following should be organizationally separated from the computer
operations function? c. Systems development.
11. A client is concerned that a power outage or disaster could impair the computer hardware’s ability to
function as designed. The client desires off-site backup hardware facilities that are fully configured and ready
to operate within several hours. The client most likely should consider a d. Hot site.

12. Which of the following procedures would an entity most likely include in its computer disaster recovery
plan? b. Store duplicate copies of critical files in a location away from the computer center.

13. Which of the following procedures would an entity most likely include in its disaster recovery plan? d.
Store duplicate copies of files in a location away from the computer center.

14. If High Tech Corporation’s disaster recovery plan requires fast recovery with little or no downtime, which
of the following backup sites should it choose? a. Hot site.

15. Which of the following is a computer program that appears to be legitimate but performs some illicit
activity when it is run? c. Trojan horse.

16. An Internet firewall is designed to provide adequate protection against which of the following? b.
Unauthenticated logins from outside users.

17. A client communicates sensitive data across the Internet. Which of the following controls would be most
effective to prevent the use of the information if it were intercepted by an unauthorized party? d.
Encryption.

18. A client who recently installed a new accounts payable system assigned employees a user identification
code (UIC) and a separate password. Each UIC is a person’s name, and the individual’s password is the same
as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire.
Which of the following statements does not reflect a limitation of the client’s computer-access control? d.
Employees are not required to take regular vacations.

19. An auditor is obtaining an understanding of a client’s Internet controls. Which of the following is most
likely the least effective control? b. The client requires users to share potentially useful downloaded
programs from public electronic sources with only authorized employees.

20. The firewall system that limits access to a computer by routing users to replicated Web pages is c. A proxy
server.

21. The use of message encryption software c. Increases system processing costs.

22. Kelly Corporation needs an internal communication network that provides high speed communication
among nodes. Which of the following is appropriate for Kelly? b. Local area network (LAN).

23. Which of the following is a network security system that is used to control network traffic and to set up a
boundary that prevents traffic from one segment from crossing over to another? c. Firewall.

24. Which of the following is an encryption feature that can be used to authenticate the originator of a
document and ensure that the message is intact and has not been tampered with? d. Digital signatures.
25. Which of the following is an example of how specific internal controls in a database environment may
differ from controls in a nondatabase environment? a. Controls should exist to ensure that users have access
to and can update only the data elements that they have been authorized to access.

26. Which of the following is the most serious password security problem? a. Users are assigned passwords
when accounts are created, but they do not change them.

27. A client installed sophisticated controls using the biometric attributes of employees to authenticate user
access to the computer system. This technology most likely replaced which of the following controls? c.
Passwords.

28. Which of the following passwords would be most difficult to crack? a. O?Ca!FlSi.

29. An entity has many employees who access a database with numerous access points. The database
contains sensitive information about the customers of the entity. Access controls prevent employees from
entry to those areas of the database for which they have no authorization. All salespersons have certain
access permission to customer information. Which of the following is a true statement about the nature of
the controls and risks? d. A salesperson’s access to customer information should extend only to what is
necessary to perform his or her duties.

30. An entity has the following invoices in a batch: Invoice Number: 201, 202,203,204, Product: F10, G15,
H20,K35. Quantity: 150,200,250,300. Unit Price: $5.00, 10.00, 25.00, 30.00. Which of the following numbers
represents the record count? b. 4.

31. An entity has the following invoices in a batch: Invoice Number: 201, 202,203,204, Product: F10, G15,
H20,K35. Quantity: 150,200,250,300. Unit Price: $5.00, 10.00, 25.00, 30.00. Which of the following numbers
represents the record count? d. 810.

32.