The quality of an organization's internal controls affects which of

the following?
a. reliability of financial data
b. ability of management to make good decisions
c. ability of the organization to remain in business
d. approach used by the auditor in auditing the financial
statements
e. all of the above
E

Which of the following creates an opportunity for committing

fraudulent financial reporting in an organization?
a. management demands financial success
b. poor internal control
c. commitments tied to debt covenants
d. management is aggressive in its application of accounting rules
B

What are the components of internal control per COSO's updated

Internal Control-Integrated Framework?
a. organizational structure, management philosophy, planning,
risk assessment, and control activities
b. control environment, risk assessment, control activities,
information and communication, and monitoring
c. risk assessment, control structure, backup facilities,
responsibility accounting, and natural laws
d. legal environment of the firm, management philosophy,
organizational structure, control activities, and control assessment
B

Which of the following statements regarding internal control is

false?
a. internal control is a process consisting of ongoing tasks and
activities
b. internal control is primarily about policy manuals, forms, and
procedures
c. internal control is geared toward the achievement of multiple
objectives
d. a limitation of internal control is faulty human judgement
e. all of the above statements are true
B

Which of the following would not be considered a principle of an

organization's control environment?
a. independence and competence of the board
b. competence of accounting personnel
c. structures, reporting lines, and authorities and responsibilities
d. commitment to integrity and ethical values
e. they would all be considered principles of the controls
environment
E

Which of the following components of internal control over

financial reporting sets the tone for the organization?
a. control risk assessment
b. control environment
c. information and communication
d. monitoring
B

Which of the following statements is false regarding the risk

assessment component of internal control?
a. risk assessment includes assessing fraud risk
b. risk assessment includes assessing internal and external
sources of risk
c. risk assessment includes the identification and analysis of
significant changes
d. economic changes would not be considered a risk that needed
to be analyzes as part of the risk assessment process
D

Which of the following is not part of management's fraud risk

assessment process?
a. the assessment considers ways the fraud could occur
b. the assessment considers the role of the external auditor in
preventing fraud
c. fraud risk assessments serve as an important basis for
determining the control activities needed to mitigate fraud risks
d. the assessment considers pressures that might lead to fraud in
the financial statements
B

Segregation of duties is best achieved in which of the following

scenarios?
a. employees perform only one job, even though they might have
access to other records
b. the internal audit department performs an independent test of
transactions throughout the year and reports any errors to
departmental managers
c. the person responsible for reconciling the bank account is
responsible for cash disbursement but not for cash receipts
d. the payroll department cannot add employees to the payroll or
change pay rates without the explicit authorization of the
personnel department
D

Which of the following statements about application controls is

true?
a. organizations can have manual application controls or
automated application controls, but not a combination of the two
b. application controls are intended to mitigate risks associated
with data input, data processing, and data output
c. application controls are a part of the monitoring component of
internal control
d. self-checking digits are an output control
B

Which of the following would be considered an effective

implementation of the information and communication component
of COSO's updated Internal Control-Integrated Framework?
a. the organization has one-way communication with parties
external to the organization
b. the organization has a whistleblower function that allows
parties internal and external to the organization to communicate
concerns about possible inappropriate actions in the
organization's operations
c. the organization has a robust process for assessing risks
internal and external to the organization
d. the organization builds in edit checks to determine whether all
purchases are made form authorized vendors
e. all of the above
B

Which of the following is not a principle of the information and

communication component of COSO's updated Internal Control-
Integrated Framework?
a. the organization identifies, obtains, and uses relevant
information
b. the organization communicates internally
c. the organization communicates externally
d. all of the above
D
Which of the following would not be considered an effective
implementation of the monitoring component of COSO's updated
Internal Control-Integrated Framework?
a. internal audit periodically performs an evaluation of internal
controls that have been documented and tested in prior years
b. management reviews current economic performance against
expectations and investigates to determine causes of significant
deviations from the expectations
c. the company implements software that captures all instances in
which the underlying program is designed to capture processed
transactions that exceed company-authorized limits
d. the company builds in edit checks to determine whether all
purchases are made from authorized vendors
D

Which of the following is the most accurate statement related to

the monitoring component of COSO's updated Internal Control-
Integrated Framework?
a. monitoring is a process that is relevant only to the control
activities component of COSO's updated IC-IF.
b. separate evaluations are more timely than ongoing evaluations
in identifying control deficiencies
c. monitoring is a process that provides feedback on the
effectiveness of each component of internal control
d. monitoring includes automated edit checks to determine
whether all purchases are made from authorized vendors
C

Assume that an organization sells software. The sales contracts

with the customers often have nonstandard terms that impact may
the timing of revenue recognition. Thus, there is a risk that
revenue may be recorded inappropriately. To mitigate that risk,
the organization has implemented a policy that requires all
nonstandard contracts greater than $1 million to be reviewed on a
timely basis by an experienced and competent revenue
accountant for appropriate accounting; prior to the recording of
revenue. Management tested this control and found several
instances in which the control was not working. Management has
classified this deficiency as a material weakness. Which of the
following best describes the conclusion made by management?
a. there is more than a remote possibility that a material
misstatement could occur
b. the likelihood of misstatements is reasonably possible
c. there is more than a remote possibility that a misstatement
could occur
d. there is a reasonable possibility that a material misstatement
could occur
e. there is a reasonable possibility that a misstatement could
occur
D

Which one of the following represents a control deficiency?

a. a missing control that is required for achieving objectives
b. a control that operates as designed
c. a control that provides reasonable, but not absolute assurance,
about the reliability of financial reporting
d. an immaterial individual misstatement in internal control
A

The quality of an organization's internal controls affect which of

the following?
a. The reliability of financial data.
b. The ability of management to make good decisions.
c. The ability to remain in business
d. All of the above.
D
With whom does the tone of internal control typically originate?
a. Auditors.
b. Employees.
c. Management.
d. Stockholders.
C

Which one of the following COSO components of internal controls

influences the tone for the organization?
a. Control risk assessment.
b. Control environment.
c. Information and communication.
d. Monitoring.
B

Which of the following services does the PCAOB require auditors

of public companies to perform?
a. A financial statement audit and an attest audit.
b. A financial statement audit and an assurance audit.
c. A financial statement audit and agreed upon procedures.
d. A financial statement audit and an examination of the
effectiveness of internal controls.
D

Which one of the following represents a control deficiency?

a. A missing control that is required for achievement objectives.
b. A control that operates as designed.
c. A control that ensures the reliability of financial reporting.
d. A control that does not prevent immaterial errors.
A
The COSO principle that an organization should identify and
assess changes that significantly impact the system of internal
control is related to which COSO component?
a. Control Environment
b. Risk Assessment
c. Control Activities
d. Monitoring
B

Requiring the mail clerk to prepare a listing of all checks received,

with copies of the list going to the cashier and to accounting, is an
example of which type of control?
a. Preventive.
b. Corrective.
c. Detective.
d. Directive.
A

Which of the following is another name for transaction controls?

a. Entity-wide controls.
b. Application controls.
c. Supporting controls.
d. Detail controls.
B

Internal control is a process affected by the organization's board

of directors, management, and other personnel to provide
reasonable assurance of achieving certain objectives. Which of
the following does not fit into one of these categories of
objectives?
a. Reliability of financial reporting.
b. Compliance with laws and regulations.
c. Continuing existence.
d. Effectiveness and efficiency of operations.
C

In a large company, who usually monitors the internal control?

a. External auditors.
b. PCAOB.
c. CFO.
d. Internal auditors. D
D

Internal control is primarily established within a company to do

which of the following?

A) Prevent fraud.
B) Provide reasonable assurance that the company's objectives
will be achieved.
C) Catch all errors that may occur in the company.
D) Aid in the effective auditing of the company.
B) Provide reasonable assurance that the company's objectives
will be achieved

Providing reasonable assurance with respect to which of the

following is not required under the internal control provisions of
the Foreign Corrupt Practices Act?

a. Management is responsibility for knowledge and authorization

of transactions.
b. Transactions are recorded to maintain accountability for assets.
c. Access to assets is limited to members of management.
d. Transactions are recorded to permit the preparation of reliable
financial statements.
c. Access to assets is limited to members of management.

Which of the following is considered a control environment factor

by the COSO definition of internal control?
A) Control objectives
B) Integrity and ethical values
C) Reasonable assurance
D) Risk assessment
B) Integrity and ethical values

Billy Jo is responsible for custody of the finished goods in the

warehouse. If his company wishes to maintain strong internal
control, which of the following responsibilities are incompatible
with his primary job?
A) He is also responsible for the company's fixed asset control
ledger.
B) He is responsible for receiving of goods into the warehouse.
C) He is responsible for the accounting records for all receipts
and shipments of goods from the warehouse.
D) He is responsible for issuing goods for shipment.
B) He is responsible for receiving of goods into the warehouse.

Which of the following is least likely when an auditor performs an

integrated audit of a public company's financial statements?
A) Issuing an audit report on internal control over financial
reporting.
B) Issuing an audit report on the financial statements.
C) Omitting tests of controls for several major accounts.
D) Performing tests of internal control design effectiveness.
C) Omitting tests of controls for several major accounts.

Which of the following describes the function of a fidelity bond?

A) An insurance policy that covers theft by a bonded employee.
B) A short term investment that is secured by a bank.
C) It is a procedure to separate the duties of employees.
D) A contract between parents and their children to remain
celibate.
A) An insurance policy that covers theft by a bonded employee.

Tests of controls are used to test whether controls are:

A) Operating effectively.
B) Implemented (placed in operation).
C) Properly accumulated into balance sheet totals.
D) Properly documented by the client.
A) Operating effectively.

Tests of controls are least likely to include:

A) Inquiries of appropriate client vendors.
B) Reperformance of a control.
C) Observation of the application of an accounting procedure.
D) Inspection of documents.
A) Inquiries of appropriate client vendors.

Which of the following is most likely to be considered an inherent

limitation of a client's internal control?
A) Complexity of the information system.
B) Human errors.
C) Management's interest in a profitable enterprise.
D) An ineffective audit committee.
B) Human errors.

Which of the following is one of the most fundamental and

effective controls?
A) Increased use of computers for recording accounting
transactions.
B) Increased reliance on internal auditors to monitor accounting
systems.
C) Segregation of incompatible duties across several people.
D) Having internal auditors report only to the Board of Directors.
D) Having internal auditors report only to the Board of Directors.

Control risk is most likely to be assessed at a level below the

maximum when?
A) No tests of controls have been performed.
B) Tests of controls have been performed.
C) Externally generated evidence supports management's
contentions relating to internal control.
D) The results of the consideration of internal control suggest that
controls are not operating effectively.
B) Tests of controls have been performed.

The results of the consideration of internal control are least likely

to affect the auditors' decisions pertaining to:
A) The use of analytical procedures.
B) The assessment of control risk.
C) The assessment of inherent risk.
D) Detailed tests of ending balance.
C) The assessment of inherent risk.

11. Which of the following matters would an auditor most likely

consider to be a significant deficiency to be communicated to the
audit committee?
A. Management's failure to renegotiate unfavorable long-term
purchase commitments.
B. Recurring operating losses that may indicate going concern
problems.
C. Evidence of a lack of objectivity by those responsible for
accounting decisions.
D. Management's current plans to reduce its ownership equity in
the entity.
C. Evidence of a lack of objectivity by those responsible for
accounting decisions.

12. In assessing the objectivity of a client's internal auditors, the

CPA would be most likely to consider internal auditor:
A. Education levels.
B. Experience.
C. Organizational status within the company.
D. Training and supervisory skills.
C. Organizational status within the company.
13. In a financial statement audit performed following AICPA
Professional Standards, how frequently must an auditor test
operating effectiveness of controls that appear to function as they
have in past years and on which the auditor wishes to rely upon in
the current year?
A. Monthly.
B. Each audit.
C. At least every second audit.
D. At least every third audit.
D. At least every third audit.

14. After obtaining an understanding of internal control and

arriving at a preliminary assessed level of control risk, an auditor
decided to perform tests of controls. The auditor most likely
decided that:
A. Additional evidence to support a reduction in the assessed
level of control risk is not available.
B. An increase in the assessed level of control risk is justified for
certain financial statement assertions.
C. It would be efficient to perform tests of controls that would
result in a reduction in planned substantive procedures.
D. There were many internal control deficiencies that would allow
misstatements to enter the accounting system.
C. It would be efficient to perform tests of controls that would
result in a reduction in planned substantive procedures.

15. Which of the following is least likely to be evidence of

operating effectiveness of controls?
A. Cancelled supporting documents.
B. Confirmations of accounts receivable.
C. Records documenting usage of computer programs.
D. Signatures on authorization forms.
B. Confirmations of accounts receivable.
16. Which of the following is not ordinarily a procedure for
documenting an auditor's understanding of internal control for
planning purposes?
A. Checklist.
B. Flowchart.
C. Questionnaire.
D. Confirmation.
D. Confirmation.

17. Tests of controls do not ordinarily address:

A. By whom a control was applied.
B. How a control was applied.
C. The consistency with which a control was applied.
D. The cost effectiveness of the way a control was applied.
D. The cost effectiveness of the way a control was applied.

18. Which is most likely when the assessed level of control risk
increases?
A. Change from performing substantive procedures at year-end to
an interim date.
B. Perform substantive procedures directed inside the entity
rather than tests directed toward parties outside the entity.
C. Use the maximum number of dual purpose tests.
D. Use larger sample sizes for substantive procedures.
D. Use larger sample sizes for substantive procedures.

19. Which of the following must the auditor communicate to the

audit committee?
A. Significant deficiencies and material weaknesses.
B. Only significant deficiencies.
C. Only material weaknesses.
D. Neither significant deficiencies nor material weaknesses.
A. Significant deficiencies and material weaknesses.

20. A client's internal control appears strong, but the CPA has
elected not to perform any tests of controls. The planned
assessed level of control risk is at what level?
A. Zero.
B. Low.
C. Moderate.
D. Maximum.
D. Maximum.

21. Which of the following would be least likely to be regarded as

a test of a control?
A. Tests of the additions to property by physical inspection.
B. Comparisons of the signatures on cancelled checks to the
authorized check signer list.
C. Tests of signatures on purchase orders.
D. Recalculation of payroll deductions.
A. Tests of the additions to property by physical inspection.

22. Which of the following is not considered one of the five major
components of internal control?
A. Risk assessment.
B. Segregation of duties.
C. Control activities.
D. Monitoring.
B. Segregation of duties.

23. Which of the following statements is correct concerning the

understanding of internal control needed by auditors?
A. The auditors must understand the information system, not the
accounting system.
B. The auditors must understand monitoring and all preliminary
accounting controls.
C. The auditors must have a sufficient understanding to assess
the risks of material misstatement.
D. The auditors must understand the control environment, risk
assessment, and all control activities.
C. The auditors must have a sufficient understanding to assess
the risks of material misstatement.

24. The effectiveness of controls is not generally tested by:

A. Inspection of documents and reports.
B. Performance of analytical procedures.
C. Observation of the application of accounting policies and
procedures.
D. Inquiries of appropriate client personnel.
B. Performance of analytical procedures.

25. On financial statement audits, it is required that the auditors

obtain an understanding of internal control, including:
A. Its operating effectiveness.
B. Whether it has been implemented (placed in operation).
C. Performing tests of controls for all material controls.
D. Its ability to provide reasonable assurance.
B. Whether it has been implemented (placed in operation).

26. A significant deficiency:

A. Differs from a material weakness in that it involves internal
control over operations rather than internal control over financial
reporting.
B. Involves an amount of discovered misstatements greater than
the amount used as the planning measure of materiality.
C. Is identical to a material weakness except that it need not be
communicated to those responsible for oversight of the
company's financial reporting.
D. Is less severe than a material weakness.
D. Is less severe than a material weakness.

27. This organization developed a set of criteria that provide

management with a basis to evaluate controls not only over
financial reporting, but also over the effectiveness and efficiency
of operations and compliance with laws and regulations:
A. Foreign Corrupt Practices Corporation.
B. Committee of Sponsoring Organizations.
C. Cohen Commission.
D. Financial Accounting Standards Board.
B. Committee of Sponsoring Organizations.

28. Which of the following is most likely to be considered a risk

assessment procedure relating to internal control?
A. Confirm accounts receivable.
B. Perform a test of a control relating to payroll.
C. Take test counts of the year-end inventory.
D. Trace a transaction through the information system relevant to
financial reporting.
D. Trace a transaction through the information system relevant to
financial reporting.

29. Which statement is correct concerning the definition of internal

control developed by the Committee of Sponsoring Organizations
(COSO)?
A. Its applicability is largely limited to internal auditing
applications.
B. It is recognized in the Statements on Auditing Standards.
C. It emphasizes the effectiveness and efficiency of operations
over the reliability of financial reporting.
D. It suggests that it is important to view internal control as an end
product as contrasted to a process or means to obtain an end.
B. It is recognized in the Statements on Auditing Standards.

30. The definition of internal control developed by the Committee

of Sponsoring Organizations (COSO) includes controls related to
the reliability of financial reporting, the effectiveness and
efficiency of operations, and:
A. Compliance with applicable laws and regulations.
B. Effectiveness of prevention of fraudulent occurrences.
C. Safeguarding of entity equity.
D. Incorporation of ethical business practice standards.
A. Compliance with applicable laws and regulations.

31. Which statement is correct concerning the relevance of

various types of controls to a financial statement audit?
A. An auditor may ordinarily ignore the consideration of controls
when a substantive audit approach is used.
B. Controls over the reliability of financial reporting are ordinarily
most directly relevant to an audit, but other controls may also be
relevant.
C. Controls over safeguarding assets and liabilities are of primary
importance, while controls over the reliability of financial reporting
may also be relevant.
D. All controls are ordinarily relevant to an audit.
B. Controls over the reliability of financial reporting are ordinarily
most directly relevant to an audit, but other controls may also be
relevant.

32. Which of the following is not a component of the control

environment?
A. Integrity and ethical values.
B. Risk assessment.
C. Commitment to competence.
D. Organizational structure.
B. Risk assessment.

33. Which of the following is not ordinarily considered a factor

indicative of increased financial reporting risk when an auditor is
considering a client's risk assessment policies?
A. Salaried sales personnel.
B. Implementation of a new information system.
C. Rapid growth of the organization.
D. Corporate restructuring.
A. Salaried sales personnel.

34. The Sarbanes-Oxley Act of 2002 requires that the audit

committee:
A. Annually reassess control risk using information from the CPA
firm.
B. Be directly responsible for the appointment, compensation and
oversight of the work of the CPA firm.
C. Require that the company's CPA firm rotate the partner in
charge of the audit.
D. Review the level of management compensation.
B. Be directly responsible for the appointment, compensation and
oversight of the work of the CPA firm.

35. When tests of controls reveal that controls are operating as

anticipated, it is most likely that the assessed level of control risk
will:
A. Be less than the preliminary assessed level of control risk.
B. Equal the preliminary assessed level of control risk.
C. Equal the actual control risk.
D. Be less than the actual control risk.
B. Equal the preliminary assessed level of control risk.

36. Under which circumstance is it likely that the extent of

substantive procedures will be expanded beyond that anticipated
in the audit plan?
A. The auditors have determined that controls have been
implemented (placed in operation) but, in accordance with the
audit plan, have performed no tests of controls.
B. Certain controls do not leave a trail of documentary evidence.
C. Deviation rates were greater than zero and approached
anticipated levels.
D. The operating effectiveness of certain controls was found to be
less than expected, although no material misstatements were
identified.
D. The operating effectiveness of certain controls was found to be
less than expected, although no material misstatements were
identified.

37. The provisions of the Foreign Corrupt Practices Act apply to:
A. All U.S. corporations.
B. All U.S. corporations that engage in foreign operations.
C. All corporations that must file under the Securities Exchange
Act of 1934.
D. All U.S. partnerships and corporations.
C. All corporations that must file under the Securities Exchange
Act of 1934.

38. If the auditors do notperform tests of controls for certain

assertions:
A. They have performed a substandard audit.
B. They are not required to communicate significant deficiencies
relating to those accounts to management and the board of
directors.
C. They must issue a qualified opinion.
D. They must assess control risk at the maximum level for those
assertions.
D. They must assess control risk at the maximum level for those
assertions.

39. During financial statement audits, the auditors' consideration

of their clients' internal control is integral to both assess the risk of
material misstatement and to:
A. Assess inherent risk.
B. Design further audit procedures.
C. Assess compliance with the Foreign Corrupt Practices Act.
D. Provide a reasonable basis for an opinion on compliance with
applicable laws.
B. Design further audit procedures.

40. Which of the following comes closest to outlining the auditors'

responsibility for considering internal control in all financial
statement audits?
A. An understanding of the control environment, information and
communication, risk assessment and monitoring is necessary; an
understanding of control activities is only necessary for areas in
which the auditor is performing tests of controls.
B. The auditor must obtain an understanding of each of the five
internal control components sufficient to assess the risks of
material misstatement for the audit.
C. When tests of controls have been performed, control risk must
be assessed at a level less than the maximum.
D. An understanding of the control environment is necessary, but
no understanding of the other components is necessary unless
control risk is to be assessed at a level less than the maximum.
B. The auditor must obtain an understanding of each of the five
internal control components sufficient to assess the risks of
material misstatement for the audit.
C. When tests of controls

41. Which of the following is not a primary procedure auditors use

to obtain sufficient knowledge about the design of the relevant
controls and to determine whether they have been implemented
(placed in operation)?
A. Previous experience with the entity.
B. Inquiries of appropriate management personnel.
C. Performance of substantive procedures.
D. Inspection of document and records.
C. Performance of substantive procedures.

42. A control deficiency that is less severe than a material

weakness, but important enough to merit attention by those
responsible for oversight of the company's financial reporting is
referred to as a(n):
A. Control deficiency.
B. Inherent limitation.
C. Reportable deficiency.
D. Significant deficiency.
D. Significant deficiency.

43. For effective internal control, which of the following functions

should not be assigned to the company's accounting department?
A. Reconciling accounting records with existing assets.
B. Recording financial transactions.
C. Signing payroll checks.
D. Preparing financial reports.
C. Signing payroll checks.
44. Which of the following is not a responsibility that should be
assigned to a company's internal audit department?
A. Evaluating internal control.
B. Approving disbursements.
C. Reporting on the effectiveness of operating segments.
D. Investigating potential merger candidates.
B. Approving disbursements.

45. Which of the following is true about the auditors' consideration

of internal control in a financial statement audit?
A. The auditors must assess control risk at a level lower than the
maximum.
B. The auditors must prepare a flowchart description of internal
control for their working papers.
C. The auditors must obtain an understanding of the steps in
processing major types of transactions.
D. The auditors must perform tests of controls.
C. The auditors must obtain an understanding of the steps in
processing major types of transactions.

46. Which of the following is an advantage of describing internal

control through the use of a standardized questionnaire?
A. Questionnaires highlight weaknesses in the system.
B. Questionnaires are more flexible than other methods of
describing internal control.
C. Questionnaires usually identify situations in which internal
control weaknesses are compensated for by other strengths in the
system.
D. Questionnaires provide a clearer and more specific portrayal of
a client's system than other methods of describing internal
control.
A. Questionnaires highlight weaknesses in the system.
47. Which of the following is least likely to be considered a risk
assessment procedure relating to internal control?
A. Counting marketable securities at year-end.
B. Inquiries of client personnel.
C. Inspecting documents and reports.
D. Observing the application of specific controls.
A. Counting marketable securities at year-end.

48. Which of the following is least likely to be considered a risk

assessment procedure?
A. Analytical procedures.
B. Inspection of documents.
C. Observation of the counting of inventory.
D. Observation of the performance of certain accounting
procedures.
C. Observation of the counting of inventory.

49. Which of the following is not a factor that is considered a part

of the client's overall control environment?
A. The organizational structure.
B. The information system.
C. Management philosophy and operating style.
D. Board of directors.
B. The information system.

50. Which of the following would be least likely to be considered a

benefit of effective internal control?
A. Eliminating all employee fraud.
B. Restricting access to assets.
C. Detecting ineffectiveness.
D. Ensuring authorization of transactions.
A. Eliminating all employee fraud.
51. After documenting the client's prescribed internal control, the
auditors will often perform a walk-through of each transaction
cycle. An objective of a walk-through is to:
A. Verify that the controls have been implemented (placed in
operation).
B. Replace tests of controls.
C. Evaluate the major strengths and weaknesses in the client's
internal control.
D. Identify weaknesses to be communicated to management in
the management letter.
A. Verify that the controls have been implemented (placed in
operation).

52. The major components of internal control include all of the

following, except:
A. Risk assessment.
B. The control environment.
C. Internal auditing.
D. Control activities.
C. Internal auditing.

53. Which of the following is correct with respect to control

deficiencies discovered during an audit?
A. Auditors must communicate and recommend corrections
relating to all material weaknesses in internal control to
management.
B. All material weaknesses in internal control should be reported
to the audit committee.
C. All such matters must be communicated to the audit committee
and regulatory agencies.
D. All control deficiencies are also significant deficiencies.
B. All material weaknesses in internal control should be reported
to the audit committee.
54. After considering the client's internal control the auditors have
concluded that it is well designed and is functioning as
anticipated. Under these circumstances the auditors would most
likely:
A. Cease to perform further substantive procedures.
B. Reduce substantive procedures in areas where the internal
control was found to be effective.
C. Increase the extent of anticipated analytical procedures.
D. Perform all tests of controls to the extent outlined in the
preplanned audit program.
B. Reduce substantive procedures in areas where the internal
control was found to be effective

55. The use of fidelity bonds protects a company from

embezzlement loses and also:
A. Minimizes the possibility of employing persons with dubious
records in positions of trust.
B. Reduces the company's need to obtain expensive business
interruption insurance.
C. Allows the company to substitute the fidelity bonds for various
parts of internal control.
D. Protects employees who made unintentional errors from
possible monetary damages resulting from such errors.
A. Minimizes the possibility of employing persons with dubious
records in positions of trust.

56. The independent auditors might consider the procedures

performed by the internal auditors because:
A. They are employees whose work must be reviewed during
substantive testing.
B. They are employees whose work might affect the independent
auditors' work.
C. Their work impacts upon the cost/benefit tradeoff in evaluating
inherent limitations.
D. Their degree of independence may be inferred by the nature of
their work.
B. They are employees whose work might affect the independent
auditors' work.

57. In the consideration of internal control, the operating

effectiveness of controls is tested by:
A. Flowcharts verification.
B. Tests of controls.
C. Substantive procedures.
D. Decision tables.
B. Tests of controls.

58. The auditors who become aware of an internal control

significant deficiency are required to communicate this to the:
A. Client's legal counsel.
B. Compensation committee.
C. Audit committee.
D. Internal auditors.
C. Audit committee.

59. A material weakness involves an amount that could result in a

misstatement that is
A. Smaller than inconsequential.
B. Larger than inconsequential.
C. Tolerable.
D. Material.
D. Material.
60. At least what level of probability of a material misstatement is
required for a control deficiency to be considered a material
weakness?
A. More than remote.
B. Probable.
C. Reasonable possibility.
D. Sufficient.
C. Reasonable possibility.

61. A situation in which the design or operation of a control does

not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect material
misstatements on a timely basis is referred to as a:
A. Control deficiency.
B. Material weakness.
C. Reportable condition.
D. Significant deficiency.
A. Control deficiency.

62. To provide for the greatest degree of independence in

performing internal auditing functions, an internal auditor most
likely should report to the:
A. Financial vice-president.
B. Corporate controller.
C. Audit committee.
D. Corporate stockholders.
C. Audit committee.

63. Well-designed internal control that is functioning effectively is

most likely to detect an fraud arising from:
A. The fraudulent action of several employees.
B. The fraudulent action of an individual employee.
C. Informal deviations from the official organization chart.
D. Management fraud.
B. The fraudulent action of an individual employee.

64. The program flowcharting symbol representing a decision is a:

A. Triangle.
B. Circle.
C. Rectangle.
D. Diamond.
D. Diamond.

65. Controls are not designed to provide assurance that:

A. Transactions are executed in accordance with management's
authorization.
B. Fraud will be eliminated.
C. Access to assets is permitted only in accordance with
management's authorization.
D. The recorded accountability for assets is compared with the
existing assets at reasonable intervals.
B. Fraud will be eliminated.

66. The scope of substantive procedures as compared to the

scope of tests of controls generally vary:
A. In a parallel manner.
B. Inversely.
C. Directly.
D. Equally.
B. Inversely.

67. Which of the following is least likely to be a factor that might

indicate to an auditor that an identified risk of misstatement
requires special audit consideration?
A. Complex calculations are involved.
B. The rate of technological change is moderate in the industry.
C. The potential for fraud seems high.
D. Various subjective methods of application of a key accounting
policy exist.
B. The rate of technological change is moderate in the industry.

68. Which of the following audit tests would be regarded as a test

of a control?
A. Tests of the specific items making up the balance in a given
general ledger account.
B. Tests confirming receivables.
C. Tests of the signatures on canceled checks to board of
director's authorizations.
D. Tests of the additions to property, plant, and equipment by
physical inspection.
C. Tests of the signatures on canceled checks to board of
director's authorizations.

69. If the independent auditors decide that the work performed by

the internal auditors may have a bearing on their own procedures,
they should consider the internal auditors':
A. Competence and objectivity.
B. Efficiency and experience.
C. Independence and review skills.
D. Training and supervisory skills.
A. Competence and objectivity.

70. In the consideration of internal control, the auditor is basically

concerned that it provides reasonable assurance that:
A. Management can not override the system.
B. Operational efficiency has been achieved in accordance with
management plans.
C. Misstatements have been prevented or detected.
D. Controls have not been circumvented by collusion.
C. Misstatements have been prevented or detected.

71. Which of the following is least likely to be considered an

appropriate response relating to risks the auditors identify at the
financial statement level?
A. Assign more experienced staff.
B. Incorporate additional elements of unpredictability in the
selection of audit procedures.
C. Increase the scope of auditor procedures.
D. Emphasize the need to remain neutral, rather than to exercise
professional skepticism.
D. Emphasize the need to remain neutral, rather than to exercise
professional skepticism.

72. In assessing the competence of a client's internal auditor, an

independent auditor most likely would consider the
A. Internal auditor's compliance with professional internal auditing
standards.
B. Client's policies that limit the internal auditor's access to
management salary data.
C. Evidence supporting a further reduction in the assessed level
of control risk.
D. Results of ratio analysis that may identify unusual transactions
and events.
A. Internal auditor's compliance with professional internal auditing
standards.

73. Which of the following factors would most likely be considered

an inherent limitation to an entity's internal control?
A. The complexity of the information processing system.
B. Human judgment in the decision making process.
C. The ineffectiveness of the board of directors.
D. The lack of management incentives to improve the control
environment.
B. Human judgment in the decision making process.

74. Proper segregation of duties reduces the opportunities to

allow any employee to be in a position to both
A. Journalize cash receipts and disbursements and prepare the
financial statements.
B. Monitor internal controls and evaluate whether the controls are
operating as intended.
C. Adopt new accounting pronouncements and authorize the
recording of transactions.
D. Record and conceal fraudulent transactions in the normal
course of assigned tasks.
D. Record and conceal fraudulent transactions in the normal
course of assigned tasks.

75. Which of the following is intended to detect deviations from

prescribed controls?
A. Substantive procedures specified by a standardized audit
program.
B. Tests of controls designed specifically for the client.
C. Analytical procedures as set forth in an industry audit guide.
D. Computerized analytical procedures tailored for the
configuration of the computer equipment in use.
B. Tests of controls designed specifically for the client.

76. An auditor's purpose for performing tests of controls is to

provide reasonable assurance that:
A. Controls are operating effectively.
B. The risk that the auditor may unknowingly fail to modify the
opinion on the financial statements is minimized.
C. Transactions are executed in accordance with management's
authorization and access to assets is limited by a segregation of
functions.
D. Transactions are recorded as necessary to permit the
preparation of the financial statements in conformity with
generally accepted accounting principles.
A. Controls are operating effectively.

77. Of the following statements about internal control, which one

is not valid?
A. No one person should be responsible for the custodial
responsibility and the recording responsibility for an asset.
B. Transactions must be properly authorized before such
transactions are processed.
C. Because of the cost/benefit relationship, a client may apply
control procedures on a test basis.
D. Control activities reasonably insure that collusion among
employees can not occur.
D. Control activities reasonably insure that collusion among
employees can not occur.

78. Tests of controls are most likely to be performed when:

A. Controls seem weak and must be properly documented.
B. Inadequate substantive procedures exist to restrict audit risk to
an acceptable level.
C. The auditor wishes to assess control risk at the maximum.
D. The client's control environment appears weak.
B. Inadequate substantive procedures exist to restrict audit risk to
an acceptable level.

79. Which of the following would be least likely to be included in

an auditor's tests of controls?
A. Inspection.
B. Observation.
C. Inquiry.
D. Analytical procedures.
D. Analytical procedures.

80. The internal control provisions of the Sarbanes-Oxley Act of

2002 apply to which companies in the United States:
A. All companies.
B. SEC registrants.
C. Only those companies included in the Fortune 500.
D. All nonpublic companies.
B. SEC registrants.

81. An integrated audit performed under Section 404b of the

Sarbanes-Oxley Act addresses financial statements and:
A. Compliance with laws.
B. Internal control over asset safeguarding.
C. Internal control over financial reporting.
D. Suitable criteria.
C. Internal control over financial reporting.

82. A report on internal control performed in accordance with

PCAOB Standard No. 2 includes an opinion on internal control
for:
A. The entire year.
B. The prior quarter.
C. The "as of date."
D. The end of each quarter.
C. The "as of date."
A primary purpose of internal controls is to
A. Form a basis for evaluating employees.
B. Monitor production quality.
C. Avoid clerical errors.
D. Meet objectives of maintaining reliable documents and records
and accurate financial reporting.
D

Internal controls are not designed to provide reasonable

assurance that
A. Transactions are executed in accordance with management's
authorization.
B. Embezzlement will be eliminated.
C. Access to assets is permitted only in accordance with
management's authorization.
D. Amounts recorded for assets is compared with the actual
existing assets at reasonable intervals.
B

The basic concept of internal control that recognizes the cost of

internal control should not exceed the benefits expected to be
derived is known as
A. Reasonable assurance.
B. Management responsibility.
C. Limited liability.
D. Management by exception.
A
An auditor would most likely be concerned with internal control
policies and procedures that provide reasonable assurance about
the
A. Efficiency of management's decision-making process.
B. Appropriate prices that the entity should charge for its
products.
C. Methods of assigning production tasks to employees.
D. Entity's ability to accurately process and summarize financial
data.
D

Management's attitude toward aggressive financial reporting and

its emphasis on meeting projected profit goals most likely would
significantly influence an entity's control environment when
A. External policies established by parties outside the entity affect
its accounting practices.
B. Management is dominated by one individual.
C. Internal auditors have direct access to the board of directors
and the entity's management.
D. The audit committee is active in overseeing the entity's
financial reporting policies.
B

Management philosophy and operating style most likely would

have a significant influence on an entity's control environment
when
A. The internal auditor reports directly to management.
B. Management is dominated by one individual.
C. Accurate management job descriptions delineate specific
duties.
D. The audit committee actively oversees the financial reporting
process.
B
Proper monitoring within an internal control framework includes all
of the following except:
A. An external auditor.
B. An effective audit committee.
C. An internal audit department.
D. The internal revenue service.
D

An entity's control activities include all of the following except:

A. Performance reviews.
B. Information processing.
C. External auditor's tests of controls.
D. Segregation of duties.
C

Potential benefits of an entity's controls in an IT environment

include all of the following except:
A. Reduction in the risk that controls will be circumvented.
B. More accurate accounting estimates.
C. Consistent application of predefined business rules.
D. More timely information.
B

An entity's IT infrastructure refers to

A. Hardware components.
B. Programmers.
C. Software.
D. Data provided by the system.
A

Auditors are most likely to gather audit evidence solely using

substantive procedures
A. If transactions are recurring.
B. For non-recurring, unusual transactions.
C. If control risk is very low.
D. If the entity has a well-designed automated system.
B

Proper segregation of functional responsibilities in an effective

system of internal control calls for separation of the functions of
A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.
B

Factors that the auditor should consider as increasing the

effectiveness of the audit committee include all of the following
except whether:
A. It is independent of management
B. It is comprised almost exclusively of members of management,
ensuring detailed knowledge of the company's operations.
C. It asks management difficult questions.
D. It interacts regularly with internal auditors.
B

The documentation of an auditor's understanding of internal

controls
A. Is optional.
B. Must be exclusively in either narrative, questionnaire, or
flowchart form.
C. Must include flowcharts.
D. Can include any combination of narratives, questionnaire, or
flowcharts.
D
A well-prepared flowchart should make it easier for the auditor to
A. Prepare audit procedure manuals.
B. Prepare detailed job descriptions.
C. Perform walkthroughs.
D. Assess the degree of accuracy of financial data.
C

A flowchart is most frequently used by an auditor in connection

with the
A. Preparation of generalized computer audit programs.
B. Review of the client's internal controls.
C. Use of statistical sampling in performing an audit.
D. Performance of analytical procedures of account balances.
B

An advantage of using systems flowcharts to document

information about internal control instead of using internal control
questionnaires is that systems flowcharts
A. Identify whether segregation of duties prevent collusion.
B. Provide a visual depiction of clients' activities.
C. Indicate whether controls are operating effectively.
D. Reduce the need to observe clients' employees performing
routine tasks.
B

Which of the following audit tests would be regarded as a test of

controls?
A. Tests of the specific items making up the balance in a given
general ledger account.
B. Tests comparing inventory pricing to vendors' invoices.
C. Tests of the signatures on canceled checks to the board of
directors' authorizations.
D. Tests of the additions to property, plant, and equipment by
physical inspections.
C

The independent auditor selects several transactions in each

functional area and traces them through the entire system, paying
special attention to evidence about whether or not the control
activities are in operation. This is an example of a(n)
A. Analytical procedure.
B. Test of controls.
C. Substantive procedure.
D. Functional test.
B

To obtain evidential matter about control risk, an auditor selects

tests from a variety of techniques including
A. Inquiry.
B. Analytical procedures.
C. Calculation.
D. Confirmation.
A

Which of the following procedures most likely would provide an

auditor with evidence about whether an entity's internal control is
suitably designed to prevent or detect material misstatements?
A. Scanning the journals produced by the internal control system.
B. Performing analytical procedures using data aggregated at a
high level.
C. Vouching a sample of transactions directly related to the
controls.
D. Observing the entity's personnel applying the controls.
D
Reports on service organizations typically
A. Provide reasonable assurance that their financial statements
are free of material misstatements.
B. Ensure that the client will not have any misstatements in areas
related to the service organization's activities.
C. Ensure that the client is billed correctly.
D. Assess whether the service organization's controls are suitably
designed to achieve internal control objectives.
D

Where computer processing is used in significant accounting

applications, internal control activities may be defined by
classifying control activities into two types: general and
A. Administrative.
B. Specific.
C. Application.
D. Authorization.
C

Which of the following input controls is a numeric value computed

to provide assurance that the original value has not been altered
in construction or transmission?
A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.
D

General controls include all of the following except:

A. Organizational controls.
B. Data validation controls.
C. Access security controls.
D. Application system acquisition controls.
B

A limit test is a
A. Test to ensure that a numerical value does not exceed some
predetermined value.
B. Check to ensure that the value in a field falls within an
allowable range of values.
C. Check to ensure that the data in a field have the proper
arithmetic sign.
D. Check on a field to ensure that it contains either all numeric or
alphabetic characters.
A

A field test is a
A. Test to ensure that a numerical value in a field does not
exceed some predetermined value.
B. Check to ensure that the value in a field falls within an
allowable range of values.
C. Check to ensure that the data in a field have the proper
arithmetic sign.
D. Check on a field to ensure that it contains either all numeric or
alphabetic characters.
D

An auditor's primary consideration regarding an entity's internal

controls is whether the policies and procedures
A. Affect the financial statement assertions.
B. Prevent management override.
C. Relate to the control environment.
D. Reflect management's philosophy and operating style.
A
In evaluating internal control, the auditor is basically concerned
that the system provides reasonable assurance that
A. Operational efficiency has been achieved in accordance with
management plans.
B. Errors and fraud have been prevented or detected.
C. Controls have not been circumvented by collusion.
D. Management can not override the system.
B

Of the following statements about an internal control system,

which one is correct?
A. The maintenance of the system of internal control is an
important responsibility of the internal auditor.
B. Administrative controls relate directly to the safeguarding of
assets.
C. Because of the cost/benefit relationship, tests of controls may
be applied on a test basis in some circumstances.
D. Well designed internal control activities always prevent
collusion among employees.
C

The concept of reasonable assurance in the context of an entity's

internal controls recognizes that
A. Auditors may fail to detect material misstatements.
B. Proper internal controls guarantee that material misstatements
will not occur.
C. Proper internal controls preclude fraud.
D. The costs of some controls may be too high to implement in
relation to potential benefits.
D

An effective control environment

A. Allows management to identify all relevant risks.
B. Creates a commitment to competence.
C. Guarantees that all controls are followed as prescribed.
D. Requires an internal audit department.
B

The control environment component of internal controls includes

all of the following except:
A. Management's operating style.
B. Access to computer programs.
C. Organizational structure.
D. Human resource policies and practices.
B

Information and communication includes all of the following

except:
A. Identifying and recording all valid transactions.
B. Determining the time period in which transactions occurred.
C. Communicating price changes to customers.
D. Properly presenting transactions and related disclosures in the
financial statements.
C

An organizational structure is important for all of the following

reasons except:
A. Ensuring proper monitoring.
B. Defining areas of authority.
C. Creating clear lines of reporting.
D. Ensuring a proper commitment to controls.
D

The risk assessment component of internal controls refers to

A. The auditor's assessment of control risk.
B. The auditor's assessment of client risk.
C. The entity's identification and analysis of risks relevant to
achievement of its objectives.
D. The entity's monitoring of the potential for material
misstatements.
C

As opposed to a manual control, an automated control

A. Can never be circumvented.
B. Should function consistently in the absence of program
changes.
C. Need not be tested by the auditor.
D. Must be tested using the same techniques as a manual
control.
B

An IT specialist is least likely to be necessary when

A. Data are shared extensively among systems.
B. The entity participates heavily in electronic commerce.
C. The system has not changed from the prior year.
D. Significant audit evidence is in electronic form.
C

In planning an audit of a new client, an auditor most likely would

consider the methods used to process accounting information
because such methods
A. Influence the design of internal controls.
B. Affect the auditor's planning materiality levels.
C. Assist in evaluating the planned audit assertions.
D. Determine the auditor's acceptable level of audit risk.
A

A substantive strategy differs from a reliance strategy in that a

substantive strategy includes
A. Increased implementation of detailed tests of transactions and
balances.
B. Extra tests of controls.
C. Increased emphasis on verbal representations from
management.
D. Setting control risk at a minimum level.
A

Which of the following statements concerning control risk is

correct?
A. Assessing control risk and obtaining an understanding of an
entity's internal controls may be performed concurrently.
B. When control risk is at the maximum level, an auditor is
required to document the basis for that assessment.
C. Control risk may be assessed sufficiently low to eliminate
substantive procedure for significant transaction classes.
D. When assessing control risk, an auditor should not consider
evidence obtained in prior audits about the operation of control
activities.
A

Assessing control risk at below the maximum most likely would

involve
A. Changing the timing of substantive procedures by omitting
interim testing and performing the tests at year-end.
B. Identifying specific internal controls relevant to specific
assertions.
C. Performing more extensive substantive procedures with larger
sample sizes than originally planned.
D. Reducing inherent risk for most of the assertions relevant to
significant account balances.
B
In the audit of financial statements, an auditor's primary
consideration regarding an internal control policy or procedure is
whether the policy or procedure
A. Reflects management's philosophy and operating style.
B. Affects management's financial statement assertions.
C. Provides adequate safeguards over access to assets.
D. Enhances management's decision-making processes.
B

Which of the following most likely would not be considered an

inherent limitation of the potential effectiveness of an entity's
internal controls?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
A

It is important for the CPA to consider the competence of the audit

client's employees because their competence bears directly and
importantly upon the
A. Cost/benefit relationship of the system of internal control.
B. Achievement of the objectives of the system of internal control.
C. Comparison of recorded accountability with assets.
D. Timing of the tests to be performed.
B

As part of gaining an initial understanding of internal control, an

auditor is required to do all of the following except:
A. Consider factors that affect the risk of material misstatement.
B. Ascertain whether internal control policies and procedures
have been placed in operation.
C. Identify the types of potential misstatements that can occur.
D. Obtain knowledge about the operating effectiveness of the
internal control.
D

Effective internal control in a small company that has an

insufficient number of employees to permit proper division of
responsibilities can best be enhanced by
A. Employment of temporary personnel to aid in the separation of
duties.
B. Direct participation by the owner of the business in the record-
keeping activities of the business.
C. Engaging a CPA to perform monthly bookkeeping.
D. Delegation of full, clear-cut responsibility to each employee for
the functions assigned to each.
B

The independent auditor should acquire an understanding of the

internal audit function as it relates to the assessment of control
risk because
A. Internal auditors' audit programs, audit documents, and reports
can eliminate the need for the independent auditor's staff.
B. The procedures performed by the internal audit staff may
eliminate the independent auditor's need for an extensive study
and evaluation of internal control.
C. The work performed by internal auditors may be a factor in
determining the nature, timing, and extent of the independent
auditor's procedures.
D. The understanding of the internal audit function is an important
substantive procedure to be performed by the independent
auditor.
C
In obtaining an understanding of an entity's internal control in a
financial statement audit of a non-public company, an auditor is
not obligated to
A. Determine whether the control activities have been placed in
operation.
B. Perform procedures to understand the design of the internal
control policies.
C. Document the understanding of the entity's internal control
components.
D. Search for significant deficiencies in the operation of the
internal control.
D

After completing the preliminary phase of the review of internal

control, the auditor decides not to rely on the system to restrict
substantive procedures. Documentation may be limited to the
auditor's
A. Understanding of the internal control.
B. Reasons for deciding not to extend the review.
C. Basis for concluding that errors and fraud will be prevented.
D. Completed internal control questionnaire.
A

In an audit of financial statements of a private company in

accordance with generally accepted auditing standards, an
auditor is required to
A. Identify specific internal control activities relevant to
management's financial statement assertions.
B. Perform tests of controls to evaluate the effectiveness of the
entity's accounting system.
C. Determine whether procedures are suitably designed to
prevent or detect material misstatements.
D. Document the auditor's understanding of the entity's internal
control.
D

For a complex IT system, auditors are least likely to use which of

the following when documenting their understanding of internal
controls?
A. Narratives.
B. Internal control questionnaires.
C. Flowcharts.
D. Organization charts.
A

Assessing control risk below maximum involves all of the

following except:
A. Identifying specific controls to rely on.
B. Concluding that controls are ineffective.
C. Performing tests of controls.
D. Analyzing the achieved level of control risk after performing
tests of controls.
B

When an auditor increases the planned assessed level of control

risk because certain control activities were determined to be
ineffective, the auditor would most likely increase the
A. Extent of tests of details.
B. Level of inherent risk.
C. Extent of tests of controls.
D. Level of detection risk.
A

Which of the following procedures most likely would be included

as part of an auditor's tests of controls?
A. Inspection.
B. Reconciliation.
C. Confirmation.
D. Analytical procedures.
A

An auditor is least likely to test the internal controls that provide

for
A. Approval of the purchase and sale of marketable securities.
B. Classification of revenue and expense transactions by product
line.
C. Segregation of the functions of recording disbursements and
reconciling the bank account.
D. Comparison of receiving reports and vendors' invoices with
purchase orders.
B

For certain controls, such as segregation of duties, documentary

evidence may not exist. An auditor would most likely test the
procedures by
A. Reperformance and corroboration.
B. Observation and inquiry.
C. Inspection and vouching.
D. Confirmation and recomputation.
B

Walkthroughs usually involve all of the following audit procedures

except:
A. Reperformance.
B. Inquiry.
C. Observation.
D. Inspection.
A
Before applying substantive procedures to the details of accounts
at an interim date (a date prior to the balance sheet date), an
auditor should
A. Assess control risk at the maximum for the assertions
embodied in the accounts selected for interim testing.
B. Determine that the accounts selected for interim testing are not
material to the financial statements taken as a whole.
C. Consider the availability of information at a later date that will
be necessary for the auditor's procedures (e.g., electronic data).
D. Obtain written representations from management that all
financial records and related data will be made available.
C

A high detection risk strategy includes all of the following except:

A. Interim testing.
B. Reduced testing of transactions.
C. Heavy reliance on analytical procedures as substantive
procedures.
D. Audit work only completed at year-end.
D

The auditor should consider all of the following when deciding

whether substantive procedures will be performed at an interim
date except:
A. The level of control risk.
B. Scheduling conflicts in the audit firm that make interim testing
more convenient.
C. Whether business conditions will change after the interim date.
D. The ability to examine the remaining period.
B

If auditors conduct substantive procedures as of 10/31 for an

entity with a 12/31 year-end
A. Additional tests are seldom conducted for the remaining period.
B. Additional control tests are required in the remaining period.
C. The client's controls likely are ineffective.
D. Additional tests likely will be performed in the remaining period.
D

Based on a study and evaluation completed at an interim date,

the auditor concludes that no significant internal control
weaknesses exist. The records and procedures would most likely
be tested again at year-end if
A. Compliance tests were not performed by the internal auditor
during the remaining period.
B. The internal control system provides a basis for reliance in
reducing the extent of substantive procedures.
C. The auditor used nonstatistical sampling during interim
compliance testing.
D. Inquiries and observations lead the auditor to believe that
conditions within the internal control system have changed.
D

Which of the following statements is correct concerning an

auditor's communication of internal control related matters
(significant deficiencies) noted in an audit?
A. The auditor may issue a written report to the audit committee
representing that no significant deficiencies were noted during the
audit.
B. Significant deficiencies should be recommunicated each year,
even if the audit committee has acknowledged its understanding
of such deficiencies.
C. Significant deficiencies that are material weaknesses should
be reported separately from other significant deficiencies.
D. The auditor may choose to communicate significant internal
control-related matters either during the course of the audit or
after the audit is concluded.
D

The auditor's communication of material weaknesses in internal

control for a nonpublic company is
A. Required to enable the auditor to state that the examination
has been made in accordance with generally accepted auditing
standards.
B. The principle reason for studying and evaluating the system of
internal controls.
C. Incidental to the auditor's objective of forming an opinion as to
the fair presentation of the financial statements.
D. Required to be documented in a formal written report to the
board of directors or the board's audit committee.
B

Significant deficiencies are matters that come to an auditor's

attention that should be communicated to an entity's audit
committee because they represent
A. Disclosures of information that significantly contradict the
auditor's going concern assumption.
B. Material fraud or illegal acts perpetrated by high-level
management.
C. Significant design flaws in internal controls or poor
implementation of internal controls.
D. Manipulation or falsification of accounting records or
documents from which financial statements are prepared.
C

All of the following are significant deficiencies except:

A. Absence of appropriate reviews of transactions.
B. Evidence of willful wrongdoing by lower-level employees.
C. Inadequate provisions for safeguarding assets.
D. Inventory is highly subject to obsolescence.
D

The normal sequence of documents and operations on a well-

prepared systems flowchart is
A. Top to bottom and left to right.
B. Bottom to top and left to right.
C. Top to bottom and right to left.
D. Bottom to top and right to left.
A

When preparing a record of a client's internal control, the

independent auditor sometimes uses a systems flowchart, which
can best be described as a
A. Pictorial presentation of the flow of instructions in a client's
internal computer system.
B. Diagram which clearly indicates an organization's internal
reporting structure.
C. Graphic illustration of the flow of operations which is used to
replace the auditor's internal control questionnaire.
D. Symbolic representation of a system or series of sequential
processes.
D

Which of the following is not a characteristic of a batch processed

computer system?
A. The collection of like transactions which are sorted and
processed sequentially against a master file.
B. Keypunching of transactions, followed by machine processing.
C. The production of numerous printouts.
D. The posting of a transaction, as it occurs, to several files,
without intermediate printouts.
D
Which of the following is a general control that would most likely
assist an entity whose systems analyst left the entity in the middle
of a major project?
A. Grandfather-father-son record retention.
B. Input and output validation routines.
C. Systems documentation.
D. Check digit verification.
C

A customer intended to order 100 units of product Z96014, but

incorrectly ordered nonexistent product Z96015. Which of the
following controls most likely would detect this error?
A. Check digit verification.
B. Record count.
C. Hash total.
D. Redundant data check.
A

Assume that an auditor estimates that 10,000 checks were issued

during the accounting period. If an IT application control which
performs a limit check for each check request is to be subjected
to the auditor's test data approach, the sample should include
A. Approximately 1,000 test items.
B. A number of test items determined by the auditor to be
sufficient under the circumstances.
C. A number of test items determined by the auditor's reference to
the appropriate sampling tables.
D. One transaction.
D

After obtaining an understanding of internal controls and

assessing control risk of an entity, an auditor decided not to
perform tests of controls for purposes of the audit. The auditor
most likely decided that
A. The available evidential matter obtained through tests of
controls would not support an increased level of control risk.
B. A reduction in the assessed level of control risk is justified for
certain financial statement assertions.
C. It would be inefficient to perform tests of controls that would
result in a reduction in planned substantive procedures.
D. The assessed level of inherent risk exceeded the assessed
level of control risk.
C

After the auditor has prepared a flowchart of the internal controls

surrounding sales and evaluated the design of the system, the
auditor would perform tests of controls on all control activities
A. Documented in the flowchart.
B. Considered to be weaknesses that might allow errors to enter
the accounting system.
C. That the auditor plans to rely on.
D. That would aid in preventing fraud.
C

As the acceptable level of detection risk increases, an auditor

may change the
A. Assessed level of control risk from below the maximum to the
maximum level.
B. Assurance provided by tests of controls by using a larger
sample size than planned.
C. Timing of substantive procedures from year-end to an interim
date.
D. Nature of substantive procedures from less effective to more
effective procedures.
C
In a properly designed internal control system, the same
employee may be permitted to
A. Receive and deposit checks and also approve write-offs of
customer accounts.
B. Approve vouchers for payment and also sign checks.
C. Reconcile the bank statements and also receive and deposit
cash.
D. Sign checks and also cancel supporting documents.
D

A procedure that would most likely be used by an auditor in

performing tests of control activities that involve segregation of
functions and that leave no transaction trail is
A. Inspection.
B. Observation.
C. Reperformance.
D. Reconciliation.
B

During consideration of internal control in a financial statement

audit of a nonpublic company, an auditor is not obligated to
A. Search for significant deficiencies in the operation of internal
control.
B. Understand the internal control environment and the
information system.
C. Determine whether the controls relevant to audit planning have
been placed in operation.
D. Perform procedures to understand the design of internal
control.
A
Audit evidence concerning proper segregation of duties ordinarily
is best obtained by
A. Preparation of a flowchart of duties performed by available
personnel.
B. Inquiring whether control activities operated consistently
throughout the period.
C. Reviewing job descriptions prepared by the Personnel
Department.
D. Direct personal observation of the employees who apply
control activities.
D

While substantive procedures may support the accuracy of

underlying records, these tests frequently provide no affirmative
evidence of segregation of duties because
A. Substantive procedures rarely guarantee the accuracy of the
records if only a sample of the transactions has been tested.
B. The records may be accurate even though they are maintained
by persons having incompatible functions.
C. Substantive procedures relate to the entire period under audit,
but compliance tests ordinarily are confined to the period during
which the auditor is on the client's premises.
D. Many computerized procedures leave no audit trail of who
performed them, so substantive procedures may necessarily be
limited to inquiries and observation of office personnel.
B

Before applying substantive procedures to the details of asset and

liability accounts at an interim date, the auditor should
A. Assess the difficulty in controlling audit risk for the remainder of
the period.
B. Investigate significant fluctuations that have occurred in the
asset and liability accounts since the previous balance sheet date.
C. Select only those accounts which can effectively be sampled
during year-end audit work.
D. Consider the compliance tests that must be applied at the
balance sheet date to extend the audit conclusions reached at the
interim date.
A

When communicating internal control-related matters noted in an

audit of a nonpublic company, an auditor's report issued on
significant deficiencies should indicate that
A. Errors or fraud may occur and not be detected because there
are inherent limitations in any internal control system.
B. The issuance of an unqualified opinion on the financial
statements may depend on corrective follow-up action.
C. The deficiencies noted were not detected within a timely period
by employees in the normal course of performing their assigned
functions.
D. The purpose of the audit was to report on the financial
statements and not to provide assurance on internal control.
D

The program flowcharting symbol representing a decision is a

A. Triangle.
B. Circle.
C. Rectangle.
D. Diamond.
D
M

1) Which of the following is not one of the three primary objectives

of effective internal control?
A) reliability of financial reporting
B) efficiency and effectiveness of operations
C) compliance with laws and regulations
D) assurance of elimination of business risk
D

2) The Public Company Accounting Oversight Board states that

reasonable assurance allows a:
A) small likelihood of ineffective internal controls.
B) remote likelihood that material misstatements will not be
prevented or detected by internal control.
C) likelihood that material misstatements will not be prevented or
detected by internal control.
D) high likelihood that material misstatements will not be
prevented or detected by internal control.
B

3) Which of the following is most correct regarding the

requirements under Section 404 of the Sarbanes Oxley Act?
A) The audits of internal control and the financial statements
provide reasonable assurance as to misstatements.
B) The audit of internal control provides absolute assurance of
misstatement.
C) The audit of financial statements provides absolute assurance
of misstatement.
D) The audits of internal control and the financial statements
provide absolute assurance as to misstatements.
A

4) Which of management's assertions with respect to

implementing internal controls is the auditor primarily concerned?
A) efficiency of operations
B) reliability of financial reporting
C) effectiveness of operations
D) compliance with applicable laws and regulations
B

5) To issue a report on internal control over financial reporting for

a public company, an auditor must:
A) evaluate management's assessment process.
B) independently assess the design and operating effectiveness
of internal control.
C) evaluate management's assessment process and
independently assess the design and operating effectiveness of
internal control.
D) test controls over significant account balances.
C

6) A company frequently sells products at a price below inventory

cost. Essential controls in the risk assessment process would
include:
A) adequate controls that address the risk of overstating
inventory.
B) adequate controls that address the risk of not including a
purchased item in inventory.
C) adequate controls that address the risk of understatement of
inventory.
D) adequate controls that address the risk of overstatement of
cost of goods sold.
A

7) Internal controls are not designed to provide reasonable

assurance that:
A) all frauds will be detected.
B) transactions are executed in accordance with management's
authorization.
C) access to assets is permitted only in accordance with
management's authorization.
D) company personnel comply with applicable rules and
regulations.
A

1) Which of the following is responsible for establishing a private

company's internal control?
A) Senior Management
B) Internal Auditors
C) Senior Management and auditors
D) Audit committee
A

2) Two key concepts that underlie management's design and

implementation of internal control are:
A) costs and materiality.
B) absolute assurance and costs.
C) inherent limitations and reasonable assurance.
D) collusion and materiality.
C
3) The PCAOB places responsibility for the reliability of internal
controls over the financial reporting process to:
A) the company's board of directors.
B) the audit committee of the board of directors.
C) the CEO and the CFO.
D) the CFO and the Independent Auditors.
C

4) Which of the following parties provides an assessment of the

effectiveness of internal control over financial reporting for public
companies?
A)
Management: Yes
Financial statement auditors: Yes

B)
Management: No
Financial statement auditors: No

C)
Management: Yes Financial statement auditors: No

D)
Management: No Financial statement auditors: Yes
A

5) An act of two or more employees to steal assets and cover

their theft by misstating the accounting records would be referred
to as:
A) collusion.
B) a material weakness.
C) a control deficiency.
D) a significant deficiency.
A
6) Sarbanes-Oxley requires management to issue an internal
control report that includes two specific items. Which of the
following is one of these two requirements?
A) A statement that management is responsible for establishing
and maintaining an adequate internal control structure and
procedures for financial reporting.
B) A statement that management and the board of directors are
jointly responsible for establishing and maintaining an adequate
internal control structure and procedures for financial reporting.
C) A statement that management, the board of directors, and the
external auditors are jointly responsible for establishing and
maintaining an adequate internal control structure and procedures
for financial reporting.
D) A statement that the external auditors are solely responsible.
A

7) When management is evaluating the design of internal control,

management evaluates whether the control can do which of the
following?
A)
Detect material misstatements: Yes Correct material
misstatements: Yes

B)
Detect material misstatements: No Correct material
misstatements: No

C)
Detect material misstatements: Yes Correct material
misstatements: No

D)
Detect material misstatements: No Correct material
misstatements: Yes
C

8) When one material weakness is present at the end of the year,

management of a public company must conclude that internal
control over financial reporting is:
A) insufficient.
B) inadequate.
C) ineffective.
D) inefficient.
C

9) The auditor's primary purpose in auditing the client's system of

internal control over financial reporting is:
A) to prevent fraudulent financial statements from being issued to
the public.
B) to evaluate the effectiveness of the company's internal controls
over all relevant assertions in the financial statements.
C) to report to management that the internal controls are effective
in preventing misstatements from appearing on the financial
statements.
D) to efficiently conduct the Audit of Financial Statements.
B

10) Management must disclose material weaknesses in internal

control in its audit report:
A) whenever the weakness is deemed significant to a single class
of transactions.
B) whenever the weakness is significant to overall financial
reporting objectives.
C) if the weakness exists at the end of the year.
D) only if the auditor identifies the weakness as significant.
C

11) In performing the audit of internal control over financial

reporting the auditor emphasizes internal control over class of
transactions because:
A) the accuracy of accounting system outputs depends heavily on
the accuracy of inputs and processing.
B) the class of transaction is where most fraud schemes occur.
C) account balances are less important to the auditor then the
changes in the account balances.
D) classes of transactions tests are the most efficient manner to
compensate for inherent risk.
A

12) Internal controls can never be regarded as completely

effective. Even if company personnel could design an ideal
system, its effectiveness depends on the:
A) adequacy of the computer system.
B) proper implementation by management.
C) ability of the internal audit staff to maintain it.
D) competency and dependability of the people using it.
D

13) Even with the most effectively designed internal control, the
auditor must obtain audit evidence, beyond testing the controls,
for every:
A) transaction.
B) financial statement account.
C) material financial statement account.
D) financial statement account that will be relied upon by third
parties.
C
14) Of the following statements about internal controls, which one
is least likely to be correct?
A) No one person should be responsible for the custodial
responsibility and the recording responsibility for an asset.
B) Transactions must be properly authorized before such
transactions are processed.
C) Because of the cost-benefit relationship, a client may apply
controls on a test basis.
D) Control procedures reasonably ensure that collusion among
employees cannot occur.
D

15) The Sarbanes-Oxley Act requires:

A) all public companies to issue reports on internal controls.
B) all public companies to define adequate internal controls.
C) the auditor of public companies to design effective ICFR.
D) the auditor of public companies to provide recommendations to
correct material weaknesses.
A

16) The financial statements may not correctly reflect accounting

frameworks such as AAP or IFRS if the:
A) controls affecting the reliability of financial reporting are
inadequate.
B) company's controls do not promote efficiency.
C) company's controls do not promote effectiveness.
D) company's controls do not promote compliance with applicable
rules and regulations.
A

17) The primary emphasis by auditors is on controls over:

A) classes of transactions.
B) account balances.
C) both A and B, because they are equally important.
D) both A and B, because they vary from client to client.
A

18) An auditor should consider two key issues when obtaining an

understanding of a client's internal controls. These issues are:
A) the effectiveness and efficiency of the controls.
B) the frequency and effectiveness of the controls.
C) the design and implementation of the controls.
D) the implementation and efficiency of the controls.
C

1) Which of the following activities would be least likely to

strengthen a company's internal control?
A) separating accounting from other financial operations
B) maintaining insurance for fire and theft
C) fixing responsibility for the performance of employee duties
D) carefully selecting and training employees
B

2) Which of the following components of the control environment

define the existing lines of responsibility and authority?
A) Organizational Structure
B) Management philosophy and operating style
C) Human resource policies and practices
D) Management integrity and ethical values
A

3) Which of the following factors may increase risks to an

organization?
A)
Geographic dispersion of company operations: Yes Presence of
new information technologies: Yes
B)
Geographic dispersion of company operations: No Presence of
new information technologies: No

C)
Geographic dispersion of company operations: Yes Presence of
new information technologies: No

D)
Geographic dispersion of company operations: No Presence of
new information technologies: Yes
A

4) Which of the following statements is most correct with respect

to separation of duties?
A) Employees should not have temporary and permanent custody
of assets.
B) Employees who authorize transactions should not have
custody of related assets.
C) It is permissible to allow an employee to open cash receipts
and record those receipts.
D) Employees who authorize transactions should have recording
responsibility for these transactions.
B

5) Authorizations can be either general or specific. Which of the

following is not an example of a general authorization?
A) Automatic reorder points for raw materials inventory.
B) A sales manager's authorization for a sales return.
C) Credit limits for various classes of customers.
D) A sales price list for merchandise.
B
6) Which of the following is correct with respect to the design and
use of business documents?
A) Not all documents used for internal purposes need to be
prenumbered.
B) Documents should be designed for single purposes only to
avoid confusion in their use.
C) Documents should be designed to be understandable only by
those who use them.
D) Documents designed for external use must be prenumbered.
D

7) Which of the following best describes the purpose of control

activities?
A) the actions, policies and procedures that reflect the overall
attitudes of management
B) the identification and analysis of risks relevant to the
preparation of financial statements
C) the policies and procedures that help ensure that necessary
actions are taken to address risks to the achievement of the
entity's objectives
D) activities that deal with the ongoing assessment of the quality
of internal control by management
C

8) Which of the following deal with ongoing or periodic

assessment of the quality of internal control by management?
A) Quality monitoring activities
B) Monitoring activities
C) Oversight activities
D) Management activities
B
9) Which of the following best describes an entity's accounting
information and communication system?
A)
Monitor
transactions: Yes Record and process transactions: Yes Initiate
transactions: Yes

B)
Monitor
transactions: No Record and process transactions: No Initiate
transactions: No

C)
Monitor
transactions: Yes Record and process transactions: No Initiate
transactions: No

D)
Monitor
transactions: No Record and process transactions: Yes Initiate
transactions: Yes
D

procedures in which the segregation of functions and that leaves

no "audit" trail is:
A) inspection.
B) observation.
C) reperformance.
D) reconciliation.
B

11) Internal controls normally include procedures designed to

provide reasonable assurance that:
A) employees act with integrity when performing their assigned
tasks.
B) transactions are executed in accordance with management's
authorization.
C) decision processes leading to management's authorization of
transactions are sound.
D) collusive activities would be detected by segregation of
employee duties.
B

12) Which of the following is not one of the subcomponents of the

control environment?
A) management's philosophy and operating style
B) organizational structure
C) adequate separation of duties
D) commitment to competence
C

13) It is important for the CPA to consider the competence of the

clients' personnel because their competence bears directly and
importantly upon the:
A) cost/benefit relationship of the system of internal control.
B) achievement of the objectives of internal control.
C) comparison of recorded accountability with assets.
D) timing of the tests to be performed.
B

14) Proper segregation of functional responsibilities calls for

separation of:
A) authorization, execution, and payment.
B) authorization, recording, and custody.
C) custody, execution, and reporting.
D) authorization, payment, and recording.
B

15) Which of the following is correct regarding management's

documentation of internal controls?
A) inadequate documentation is not a control deficiency
B) documentation needs to focus on interim controls
C) documentation needs to have some focus on controls
designed to detect fraud
D) documentation should only focus on system design
C

16) Which of the following groups establishes and maintains the

company's internal controls?
A) Internal auditors
B) Board of Directors
C) Management
D) Audit committee
C

17) The independent auditor should acquire an understanding of

the internal audit function as it relates to the independent auditor's
study and evaluation of internal control because the:
A) audit programs, working papers, and reports of internal
auditors can often be used as a substitute for the work of the
independent auditor's staff.
B) procedures performed by the internal audit staff may eliminate
the independent auditor's need for an extensive study and
evaluation of internal control.
C) work performed by internal auditors may be a factor in
determining the nature, timing, and extent of the independent
auditor's procedures.
D) understanding of the internal audit function is an important
substantive test to be performed by the independent auditor.
C

18) To promote operational efficiency, the internal audit

department would ideally report to:
A) line management.
B) senior management.
C) Chief Accounting Officer.
D) audit committee.
D

19) Hanlon Corp. maintains a large internal audit staff that reports
directly to the chief financial officer. Audit reports prepared by the
internal auditors indicate that the system is functioning as it
should and that the accounting records are reliable. An
independent auditor will probably:
A) eliminate tests of controls.
B) increase the depth of the study and evaluation of
administrative controls.
C) avoid duplicating the work performed by the internal audit staff.
D) place limited reliance on the work performed by the internal
audit staff.
D

20) External financial statement auditors must obtain evidence

regarding what attributes of an internal audit (IA) department if the
external auditors intend to rely on IA's work?
A) Integrity
B) Objectivity
C) Competence
D) All of the above
D
21) To obtain an understanding of an entity's control environment,
an auditor should concentrate on the substance of management's
policies and procedures rather than their form because:
A) management may establish appropriate policies and
procedures but not act on them.
B) the board of directors may not be aware of management's
attitude toward the control environment.
C) the auditor may believe that the policies and procedures are
inappropriate for that particular entity.
D) the policies and procedures may be so weak that no reliance is
contemplated by the auditor.
A

1) When the auditor attempts to understand the operation of the

accounting system by tracing a few transactions through the
accounting system, the auditor is said to be:
A) tracing.
B) vouching.
C) performing a walk-through.
D) testing controls
C

2) The purpose of phase 3 in the "process for understanding

internal control and assessing control risk" is to:
A) design, perform and evaluate tests of controls.
B) obtain and document an understanding of internal control
design an operation.
C) assess control risk.
D) decide planned detection risk and substantive tests.
A

3) Narratives, flowcharts, and internal control questionnaires are

three common methods of:
A) testing the internal controls.
B) documenting the auditor's understanding of internal controls.
C) designing the audit manual and procedures.
D) documenting the auditor's understanding of a client's
organizational structure.
B

4) Audit evidence concerning proper segregation of duties

normally is best obtained by:
A) direct personal observation of the employee who applies
control procedures.
B) making inquiries of co-workers about the employee who
applies control procedures.
C) preparation of a flowchart of duties performed and available
personnel.
D) inspection of third-party documents containing the initials of
who applied control procedures.
A

5) Audit evidence regarding the separation of duties is normally

best obtained by:
A) preparing flowcharts of operational processes.
B) preparing narratives of operational processes.
C) observation of employees applying control activities.
D) inquiries of employees applying control activities.
C

1) The person responsible for reconciling sales invoices to

customer orders does not access to the company's master price
list in order to correctly compute sales. This is an example of a(n):
A) operating deficiency.
B) design deficiency.
C) training deficiency.
D) management deficiency.
B

2) You are performing the audit of internal control for Clifton

Company. Which of the following would represent a material
weakness in internal control?
A) The company's audit committee has experienced unusual
turnover of members.
B) The company's CFO was indicted for embezzling from the
company.
C) Bank reconciliations are done monthly.
D) The CEO was forced to resign due to an inappropriate
relationship with an outside vendor.
B

3) The employee in charge of authorizing credit to the company's

customers does not fully understand the concept of credit risk.
This lack of knowledge would constitute:
A) a deficiency in operation of internal controls.
B) a deficiency in design of internal controls.
C) a deficiency of management.
D) not constitute a deficiency.
A

4) Section 404 requires auditors to evaluate the effectiveness of

the audit committee's oversight of the company's:
A)
External financial
reporting: Yes Efficiency of
operations: No Internal control over financial reporting: Yes

B)
External financial
reporting: No Efficiency of
operations: No Internal control over financial reporting: Yes

C)
External financial
reporting: Yes Efficiency of
operations: Yes Internal control over financial reporting: No

D)
External financial
reporting: No Efficiency of
operations: Yes Internal control over financial reporting: NO
A

5) Once auditors determine that entity level controls are designed

and placed in the operation they:
A) make a preliminary assessment for each transaction-related
audit objective for each major type of transaction.
B) make a preliminary assessment of control risk.
C) obtain an understanding of the design and implementation of
internal control.
D) prepare audit documentation in order to opine on the
company's internal control system.
A

6) Which of the following is the correct definition of "control

deficiency"?
A) A control deficiency exists if the design or operation of controls
does not permit company personnel to prevent or detect
misstatements on a timely basis.
B) A control deficiency exists if one or more deficiencies exist that
adversely affect a company's ability to prepare external financial
statements reliably.
C) A control deficiency exists if the design or operation of controls
results in a more than remote likelihood that controls will not
prevent or detect misstatements.
D) A control deficiency exists if the design or operation of controls
results in a more than probable likelihood that controls will prevent
or detect misstatements.
A

7) Which of the following deficiency exists if a necessary control is

missing or not properly formulated?
A) control
B) significant
C) design
D) operating
C

8) To determine if significant internal control deficiencies are

material weaknesses, they must be evaluated on their:
A)
Likelihood: Yes Significance: Yes

B)
Likelihood: No Significance: No

C)
Likelihood: Yes Significance: No

D)
Likelihood: No Significance: Yes
A

9) Significant deficiencies need to be communicated to the

company's audit committee because:
A) they represent material weaknesses that allow fraud to be
perpetrated.
B) they represent significant design flaws in internal controls.
C) they represent falsification of accounting records.
D) they represent disclosure of information related to issuance of
a "going-concern" opinion.
B

10) Before making the final assessment of internal control at the

end of an integrated audit, the auditor must:
A)
Test controls: Yes Perform substantive tests of details: Yes

B)
Test controls : No Perform substantive tests of details: No

C)
Test controls : Yes Perform substantive tests of details: No

D)
Test controls : No Perform substantive tests of details: Yes
A

11) Significant deficiencies and material weaknesses in internal

control of a public company must be reported in writing to which
of the following?
A) the Public Company Accounting Oversight Board
B) members of management who are responsible for the related
area of the company
C) audit committee of the company's board of directors
D) the AICPA
C
12) Significant deficiencies are matters that come to an auditor's
attention and should be communicated to an entity's audit
committee because they represent:
A) material frauds perpetrated by high-level management.
B) internal control deficiencies that could adversely affect a
company's ability to initiate, record, process, or report external
financial statements reliably.
C) flagrant violations of the entity's documented conflict-of-interest
policies.
D) intentional attempts by client personnel to limit the scope of the
auditor's field work.
B

13) How must significant deficiencies and material weaknesses

be communicated to those charged with governance?
A) Either oral or written communication is acceptable.
B) Oral communication is required.
C) Written communication is required.
D) Written communication is required for material weaknesses,
but oral communication is allowed for significant deficiencies.
C

14) When considering internal control, an auditor should be aware

of the concept of reasonable assurance, which recognizes that
the:
A) segregation of incompatible functions is necessary to ascertain
that internal control is effective.
B) employment of competent personnel provides assurance that
the objectives of internal control will be achieved.
C) establishment and maintenance of internal control is an
important responsibility of the management and not of the auditor.
D) concept allows for only a remote likelihood that material
misstatements will not be prevented or detected on a timely basis.
D
15) When planning an audit, the auditor's assessed level of
control risk is:
A) determined by using actuarial tables.
B) calculated by using the audit risk model.
C) a judgment issue, based on auditor knowledge.
D) calculated by using the formulas provided in the AICPA's
auditing standards.
C

16) When a compensating control exists, the absence of a key

control:
A) is no longer a concern because there is no longer a significant
deficiency or material weakness.
B) is still a major concern to the auditor.
C) could cause a material loss, so it must be tested using
substantive procedures.
D) is magnified and must be removed from the sampling process
and examined in its entirety.
A

1) If the results of tests of controls support the design and

operations of controls as expected, the auditor uses ________
control risk as the preliminary assessment.
A) a lower
B) the same
C) a higher
D) either a lower or higher
B

2) An auditor is likely to use four types of procedures to support

the operating effectiveness of internal controls. Which of the
following would generally NOT be used?
A) make inquiries of appropriate client personnel
B) examine documents, records, and reports
C) reperform client procedures
D) inspect design documents
D

3) After considering a client's internal controls, an auditor has

concluded that it is well designed and is functioning as intended.
Under these circumstances the auditor would most likely:
A) perform tests of controls to the extent outlined in the audit
program.
B) determine the control procedures that should prevent or detect
errors and irregularities.
C) not increase the extent of predetermined substantive tests.
D) determine whether transactions are recorded to permit
preparation of financial statements in conformity with generally
accepted accounting principles.
C

1) In performing an audit of internal control over financial reporting

which of the following is the auditor required to do?
A) Test routine and nonroutine transactions equally.
B) Form an opinion on the effectiveness of internal for financial
reporting.
C) Rely on the work on internal auditors in order to promote audit
efficiency.
D) Use the audit conclusions before starting the audit of financial
statements.
B

1) A control available in a small company, which may be

necessitated because of lack of competent personnel, is:
A) a wider segregation of duties.
B) a voucher system.
C) fewer transactions to process.
D) the owner-manager's direct involvement in the control process.
D

2) When auditing a private company, the auditor should obtain an

understanding of internal control sufficient to:
A) provide reasonable protection against client fraud and
defalcations by client employees.
B) assess control risk.
C) provide a basis for suggestions to the client for improving the
accounting system.
D) provide a method for safeguarding assets, checking the
accuracy and reliability of accounting data, promoting operational
efficiency, and encouraging adherence to prescribed managerial
policies.
B

3) In the audit of a private company, the auditor will test internal

controls when control risk is initially assessed at:
A)
Low : Yes
Moderate: No
High: Yes

B)
Low : No
Moderate: No
High: Yes

C)
Low : Yes
Moderate: Yes
High: No
D)
Low : No
Moderate: Yes
High: No
C

4) The auditor's consideration of a private company's internal

control is:
A) required by GAAP.
B) required by GAAS.
C) required by the IRS.
D) recommended by the SEC.
B

5) Which of the following may represent the biggest challenge

smaller public companies face in implementing effective internal
control?
A) a lack of expertise
B) reduced importance
C) limited resources
D) limited available guidance
C

6) Which of the following is most correct for audits of non-public

companies?
A) an audit of internal control is required
B) an audit of internal control is not required
C) an audit of the design of internal controls is required
D) an audit of the operational effectiveness of internal controls is
required
B
5) Audit evidence regarding the separation of duties is normally
best obtained by:
A) preparing flowcharts of operational processes.
B) preparing narratives of operational processes.
C) observation of employees applying control activities.
D) inquiries of employees applying control activities.
C