Who is responsible for the effectiveness of internal controls over financial reporting quizlet?

1. Deficiency
-least severe
-no need for auditor to report these to anyone

2. Significant Deficiency:
-More severe than a deficiency, less severe than a material weakness
-Auditors must report significant deficiencies to audit committee

3. Material Weakness
-Most severe - really, really bad (so companies don't like to have these)
-Auditors must report material weaknesses to audit committee
-If one or more material weaknesses exist, the company's IC over financial reporting cannot be considered effective (That means material weaknesses show up in annual reports)

a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

Reliability of financial reporting.
Effectiveness and efficiency of operations (maintaining a good business reputation, ensuring a positive return on investment, increasing market share, promoting new product innovation, and using assets effectively and efficiently)
Compliance with applicable laws and regulations

All companies must follow the Sarbanes-Oxley Act requirements.

False

Most public companies must follow Sarbanes-Oxley requirements.

True

In a public company, management must assess and report on internal control over financial reporting.

True

In a public company, management's report on internal control must be signed by the members of the audit committee.

False

Based on PCAOB guidelines, the audit of ICFR and financial statements audit should be conducted as an "integrated audit."

True

The PCAOB makes it clear that the CEO and CFO are responsible for the internal control over financial reporting and the preparation of the statements.

True

The likelihood of an event is "more than remote" when it is "reasonably possible."

False

When auditing a public company, the auditor must form an opinion on the effectiveness of internal control over financial reporting, or issue a disclaimer in the event of a scope limitation.

True

In order for an external auditor to complete an audit of a public company, the entity's management must comply with all of the following except:

A) accept responsibility for the effectiveness of the entity's internal control over financial reporting.

B) evaluate the effectiveness of the entity's internal control over financial reporting using suitable control criteria.

C) support its evaluation with sufficient evidence, including documentation.

D) present an oral assessment of the effectiveness of the entity's internal control over financial reporting as of the end of the entity's most recent fiscal year.

D) present an oral assessment of the effectiveness of the entity's internal control over financial reporting as of the end of the entity's most recent fiscal year.

An "integrated audit" as stated in Section 404 of the Sarbanes-Oxley Act means:

A) the auditor must consider the integrated thoughts and ideas of everyone on the audit staff.

B) the auditor must conduct two audits, one on the effectiveness of internal control and one on the financial statements, in an integrated way.

C) the auditor must integrate the same objectives whether auditing internal control or auditing the financial statements.

D) two independent CPA firms must work together on the audit.

B) the auditor must conduct two audits, one on the effectiveness of internal control and one on the financial statements, in an integrated way.

The PCAOB Auditing Standards require the auditor to provide which of the following?

A) Reasonable assurance on the financial statements, absolute assurance on internal control.

B) Reasonable assurance on internal control, absolute assurance on the financial statements.

C) Absolute assurance on both the financial statements and internal control.

D) Reasonable assurance on both the financial statements and internal control.

D) Reasonable assurance on both the financial statements and internal control.

According to the PCAOB, who is responsible for the reliability of the internal controls over financial reporting process of an entity?

A) The entity's CEO and/or CFO.

B) The entity's board of directors.

C) An internal control specialist.

D) The external auditor.

A) The entity's CEO and/or CFO.

The person in charge of authorizing credit to customers does not properly understand what constitutes a credit risk. This is an example of:

A) A material weakness.

B) A design deficiency.

C) A deficiency in operation.

D) This is not an internal control deficiency.

C) A deficiency in operation.

A deficiency that implies that there is a reasonable possibility of misstatement in the financial statements that is significant but not material is:

A) a material weakness.

B) a significant deficiency.

C) an insignificant deficiency.

D) a probable deficiency.

a significant deficiency.

Which of the following is not a topic that requires special consideration by management during management's internal control assessment process and by the auditor during the audit of internal control?

A) Multiple locations and business units.

B) Service organizations.

C) The role of the auditor in internal control.

D) Safeguarding assets.

C) The role of the auditor in internal control.

Management documentation of the ICFR assessment should include all of the following except:

A) documentation regarding every control in a process.

B) documentation regarding reasonable support for the basis for management's assessment and conclusion.

C) documentation regarding the design of controls management has placed in operation.

D) documentation on the controls management concludes are adequate to address the entity's financial reporting risks.

A) documentation regarding every control in a process.

Which of the following is not a primary objective of internal control as established by COSO?

A) Efficiency and effectiveness of operations.

B) Effective purchasing systems.

C) Compliance with laws and regulations.

D) Reliable financial reporting.

B) Effective purchasing systems.

An auditor performing an audit of internal control over financial reporting would be required to:

A) rely on the work of internal auditors.

B) test all of the entity's internal controls.

C) form an opinion on the effectiveness of internal control.

D) randomly identify accounts for an audit of internal control.

C) form an opinion on the effectiveness of internal control.

In determining the extent to which the auditor may use the work of others in the audit of ICFR, the auditor should do all of the following except:

A) be ready to document the extent to which he or she relied on the work.

B) evaluate the risks associated with the controls subjected to the work of others.

C) evaluate the competence and objectivity of the individuals who performed the work.

D) All of these are required.

D) All of these are required.

Which of the following is least likely to represent a material weakness in internal control for Flynt Corporation?

A) Flynt Corporation's computer systems were not working properly for two days; consequently, employees needed to do all reconciliations manually.

B) Flynt Corporation's CFO was arrested last year for embezzling money from the entity.

C) For the current year, the auditor found a material misstatement in Flynt's sales recognition that was undetected by the internal controls.

D) Flynt's audit committee is deemed to be ineffective.

A) Flynt Corporation's computer systems were not working properly for two days; consequently, employees needed to do all reconciliations manually.

S&H Associates has just performed an audit of Bob's Bikes. S&H was unable to obtain a written representation from management about internal control. Which of the following is true?

A) S&H must still assume that management has assessed the effectiveness of internal control.

B) Depending on other factors in the audit, S&H can still issue an unqualified opinion.

C) S&H should consider this situation a limitation on the scope of the audit.

D) Management does not need to give S&H a letter if it has disclosed all known internal control deficiencies.

C) S&H should consider this situation a limitation on the scope of the audit.

Public reporting on the effectiveness of internal control over financial reporting, as required by the Sarbanes-Oxley Act, includes:

A) a statement that the public accounting firm that audited the financial statements has provided input on the design of internal controls.

B) the auditor provides an opinion on whether the entity maintained, in all material respects, effective ICFR as of the specified date, based on the control criteria.

C) an explicit statement as to whether management agrees with the public accounting firm's assessment of internal controls.

D) a detailed statement describing changes or additions to the internal control environment that occurred in the current year.

B) the auditor provides an opinion on whether the entity maintained, in all material respects, effective ICFR as of the specified date, based on the control criteria.

Which of the following concerning the auditor's report on internal control over financial reporting is correct?

A) The auditor's report contains an opinion on the effectiveness of internal control over financial reporting based on the auditor's independent work.

B) In the report on internal control over financial reporting, the auditor can issue only a qualified or an unqualified opinion.

C) The auditor needs to state management's assessment of internal control over financial reporting, but does not necessarily need to comment on whether he or she agrees.

D) An unqualified opinion is required if a material weakness is identified.

A) The auditor's report contains an opinion on the effectiveness of internal control over financial reporting based on the auditor's independent work.

Prior to issuing a report on internal controls over financial reporting, an auditor is required to:

A) perform procedures sufficient to identify all control deficiencies.

B) communicate to management, in writing, all control deficiencies previously included in written communication from the internal auditors.

C) communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

D) represent that no significant deficiencies were noted during the audit of internal control.

C) communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

Which of the following is not true?

A) The auditor should not communicate with management until the audit of internal control over financial reporting is finished.

B) Written communication between the auditor and management about internal control over financial reporting should include the definitions of control deficiencies, significant deficiencies, and material weaknesses.

C) The auditor should not include in the audit report that no significant deficiencies were noted during an audit of internal control over financial reporting.

D) If fraud is discovered, the auditor must report it to the appropriate level of management.

A) The auditor should not communicate with management until the audit of internal control over financial reporting is finished.

An "integrated audit":

A) will, in most cases, lead to a substantive audit strategy.

B) denies the auditor access to information about the entity's controls.

C) may be performed by two separate audit firms.

D) is comprised of audits of internal control over financial reporting and of financial statements.

D) is comprised of audits of internal control over financial reporting and of financial statements.

One of the advantages of generalized audit software is that:

A) it involves auditing after the entity has processed the data rather than while the data are being processed.

B) it provides a limited ability to verify programming logic because its application is usually directed to testing entity files or databases.

C) it is limited to audit procedures that can be conducted on data available in electronic form.

D) limited IT expertise or programming skills are required.

D) limited IT expertise or programming skills are required.

Which of the following audit procedures would an auditor be least likely to perform using a generalized audit software?

A) Searching records of accounts receivable balances for credit balances.

B) Investigating inventory for possible damaged goods.

C) Selecting accounts receivable for positive and negative confirmations.

D) Listing of unusually large inventory balances.

B) Investigating inventory for possible damaged goods.

The auditor is least likely to use generalized audit software to:

A) perform analytical procedures on the entity's data.

B) access information stored on the entity's IT files.

C) identify material weaknesses in the entity's IT controls.

D) test the accuracy of the entity's computations.

C) identify material weaknesses in the entity's IT controls.

The five step process in the audit of ICFR includes:

A) form an opinion on the safeguarding of the entity's assets.

B) identify controls to test using a top-down, risk-based approach.

C) form an opinion on the fairness of the presentation of the financial statements.

D) plan the audit of the financial statements.

B) identify controls to test using a top-down, risk-based approach.

Which of the following is an advantage of generalized audit software?

A) They are all written in one identical computer language.

B) They can be used for audits of entities that use differing IT equipment and file formats.

C) They have reduced the need for the auditor to study input controls for IT-related procedures.

D) Their use can be substituted for a relatively large part of the required compliance testing.

B) They can be used for audits of entities that use differing IT equipment and file formats.

IDEA is an example of:

A) an EDI software package.

B) custom Audit Software.

C) a GAS program that is widely used in practice.

D) a type of networking.

C) a GAS program that is widely used in practice.

Which of the following is not an element of management's assessment process for the effectiveness of internal control?

A) Identifying financial reporting risks and related controls.

B) Determining the locations and business units to include in the evaluation.

C) Evaluating evidence about the operating effectiveness of ICFR.

D) Obtaining the auditor's assessment of the internal control effectiveness.

D) Obtaining the auditor's assessment of the internal control effectiveness.

Which of the following is true regarding management's documentation of internal controls?

A) Some documentation should focus on controls management has placed in operation to adequately address identified financial reporting risks.

B) Documentation should focus on controls over the interim financial reporting process.

C) Documentation must be done on paper.

D) Inadequate documentation is usually considered an insignificant deficiency in internal control.

A) Some documentation should focus on controls management has placed in operation to adequately address identified financial reporting risks.

Which of the following statements is false?

A) Management identifies controls that are in place to address the financial reporting risks.

B) Management is required to base internal controls on a recognized control framework.

C) Nearly all reporting companies use the internal control framework developed by COSO.

D) All controls relevant to financial reporting are accounting controls.

D) All controls relevant to financial reporting are accounting controls.

Management's written representations concerning internal control are:

A) addressed to the users of the financial statements.

B) normally drafted by management.

C) included in the auditor's final report.

D) signed by the CEO and CFO.

D) signed by the CEO and CFO.

In the context of an audit of internal controls, the auditor must document all of the following except:

A) the extent to which he or she relied upon work performed by others.

B) the auditor's understanding and evaluation of the design of each of the components of the entity's internal control over financial reporting.

C) transcripts of the auditor's discussion with management concerning the points at which misstatements could occur.

D) the evaluation of any deficiencies discovered that could result in a modification of the auditor's report.

C) transcripts of the auditor's discussion with management concerning the points at which misstatements could occur.

Examples of entity-level controls include:

A) management's risk assessment process.

B) controls to monitor results of operations.

C) the period-end financial reporting process.

D) All of these are examples of entity-level controls.

D) All of these are examples of entity-level controls.

Which of the following statements included in management's assessment of the effectiveness of internal control over financial reporting would not cause the auditor to disclaim an opinion?

A) Management includes disclosures about corrective actions taken by the entity after the date of management's assessment.

B) The entity plans to implement new controls.

C) Management believes the cost of correcting a material weakness would exceed the benefits derived from implementing the new controls.

D) Disclosure of material weaknesses corrected during the period.

D) Disclosure of material weaknesses corrected during the period.

A modification of the standard report is required for all of the following conditions except:

A) there is a restriction on the scope of the engagement.

B) the presence of a material weakness at the end of the period.

C) management has concluded that internal controls are effective.

D) the auditor was not able to apply all the procedures necessary.

C) management has concluded that internal controls are effective.

AAA & Associates recently finished auditing LinktheEarth Corporation's internal control over financial reporting. AAA found a number of material weaknesses in the entity's internal control. LinktheEarth's management remediated all of the weaknesses that AAA found. However, the auditors did not have sufficient time to retest the controls. What report should AAA issue with regards to internal control over financial reporting at year-end?

A) Unqualified report.

B) Adverse report.

C) Qualified report.

D) Disclaimer on opinion.

B) Adverse report.

According to the COSO definition of safeguarding of assets:

A) controls over financial reporting are effective if they provide reasonable assurance that asset losses will not occur.

B) controls over financial reporting are effective if they provide reasonable assurance that losses are properly reflected in the financial statements.

C) controls over financial reporting are effective if they provide reasonable assurance that asset losses will not occur and that losses are properly reflected in the financial statements.

D) there is no way to create controls that will provide reasonable assurance that asset losses will not occur.

B) controls over financial reporting are effective if they provide reasonable assurance that losses are properly reflected in the financial statements.

An auditor will use the IT test data method in order to gain certain assurances with respect to the

A) Input data.

B) Machine capacity.

C) Application controls contained within the program.

D) Degree of keypunching accuracy.

C) Application controls contained within the program.

Which of the following is true of generalized audit software packages?

A) They can be used only in auditing online computer systems.

B) It involves auditing while data is being processed.

C) They can be used to examine an entire population and eliminate the need for sampling.

D) They enable the auditor to perform all manual test procedures less expensively.

C) They can be used to examine an entire population and eliminate the need for sampling.

The advantages of generalized audit software include all of the following except:

A) it involves auditing while the data are being processed (real-time).

B) it is easy to use.

C) the time to develop the application is usually short.

D) an entire population can be examined in some instances.

A) it involves auditing while the data are being processed (real-time).

Section 404 of the Sarbanes-Oxley Act includes which of the following?

A) A requirement that management of a publicly traded company issues an assessment of internal control that covers the entire year.

B) Specific guidance on what constitutes adequate internal control.

C) A requirement that management of a publicly traded company accepts responsibility for establishing and maintaining adequate internal controls.

D) A requirement that management of a publicly traded company issues an assessment regarding the efficiency of internal control for the year.

C) A requirement that management of a publicly traded company accepts responsibility for establishing and maintaining adequate internal controls.

For which of the following internal controls would an auditor be least likely to perform tests of internal controls closer to the "as of" date?

A) Withdrawals from Federal Bank of more than $5 million must include a manager's signature.

B) At the end of each day at Federal Bank, the total cash in the vault is reconciled with daily registers of deposits and withdrawals.

C) Federal Bank has just started establishing trusts for its customers and it has only set up ten such trusts. Before making an investment for a trust, bank employees must verify that the investment is in accordance with stated investment policies.

D) On an annual basis, Federal Bank management performs credit checks on its loan customers before determining the value of loans it will not be able to collect on.

B) At the end of each day at Federal Bank, the total cash in the vault is reconciled with daily registers of deposits and withdrawals.

Which of the following is false?

A) Regardless of the achieved level of control risk in connection with the audit of the financial statements, auditing standards require the auditor to perform some substantive procedures for all significant accounts and disclosures.

B) The absence of misstatements in financial statements is considered convincing evidence that existing controls are effective.

C) The audit of internal control is intended to draw conclusions about the effectiveness of internal control over financial reporting as of a specific date.

D) The auditor is required by AS5 to evaluate the implications of the financial statement audit for the effectiveness of internal control over financial reporting.

B) The absence of misstatements in financial statements is considered convincing evidence that existing controls are effective.

When testing a computerized accounting system, which of the following is false regarding the test data approach?

A) The test data need to consist of only those valid and invalid conditions in which the auditor is interested.

B) Only one transaction of each type needs be tested.

C) Test data are processed by the entity's computer programs under the auditor's control.

D) The test data must consist of all possible valid and invalid conditions.

D) The test data must consist of all possible valid and invalid conditions.

When an auditor tests a computerized accounting system, which of the following is true of the test data approach?

A) Test data are processed by the entity's computer programs under the auditor's control.

B) Test data must consist of all possible valid and invalid conditions.

C) Testing a program at year end provides assurance that the entity's processing was accurate for the entire year.

D) Several transactions of each type must be tested.

A) Test data are processed by the entity's computer programs under the auditor's control.

Who is responsible for the effectiveness of internal controls over financial reporting?

Who is responsible for an effective system of internal control?

Who is responsible for a company's internal control system quizlet?

Who is responsible for establishing and maintaining the internal controls to achieve the objectives of effective and efficient operations?