Chapter 14 - Internal Controls

Question 1

Why are internal controls relevant to an audit?

Answer 1

They are relevant throughout all audit stages, especially planning and execution, to ensure financial reporting reliability, operational efficiency, and compliance.

Question 2

Must auditors understand internal controls if relying solely on substantive procedures?

Answer 2

Yes, auditors must understand controls even if using only a substantive approach.

Question 3

Who is responsible for designing and maintaining internal controls?

Answer 3

Management, with oversight from governance.

Question 4

What are the five components?

Answer 4

Control environment, risk assessment process, information system & communication, control activities, monitoring process.

Question 5

What is the purpose of the control environment?

Answer 5

Sets the tone at the top; includes values, ethics, integrity, and accountability.

Question 6

What is the risk assessment process?

Answer 6

Identifies and manages risks that could affect financial reporting.

Question 7

What are control activities?

Answer 7

Policies and procedures to prevent or detect errors/fraud.

Question 8

What is the monitoring process?

Answer 8

Ongoing or periodic evaluations of internal controls to ensure effectiveness.

Question 9

What does information system and communication involve?

Answer 9

How financial data is recorded, processed, communicated, and corrected.

Question 10

What is COSO?

Answer 10

Most widely used internal control framework (1992); includes control environment, risk assessment, control activities, info & communication, monitoring.

Question 11

What is CoCo?

Answer 11

Developed by CPA Canada’s predecessor (1995) to improve governance and decision-making.

Question 12

What is COBIT?

Answer 12

Developed by ISACA (1996) for IT governance; focuses on IT controls and alignment with business objectives.

Question 13

What are the key objectives of internal controls?

Answer 13

Effectiveness and efficiency of operations, reliability of financial reporting, compliance with laws and regulations.

Question 14

What is the difference between direct and indirect controls?

Answer 14

Direct controls address risks at the assertion level; indirect controls support other controls and usually operate at the entity level.

Question 15

Which components are usually considered indirect controls?

Answer 15

Control environment, risk assessment process, monitoring controls.

Question 16

Why are indirect controls important?

Answer 16

They help reduce overall audit risk but are not precise enough alone to detect misstatements.

Question 17

Which components are generally considered direct controls?

Answer 17

Information system & communication, control activities.

Question 18

What does the control environment reflect?

Answer 18

Tone at the top, culture, integrity, ethics, governance, assignment of authority, and accountability.

Question 19

Why is it critical?

Answer 19

Weaknesses here can undermine other internal control components.

Question 20

Types of direct controls in IT?

Answer 20

Manual controls, automated controls, IT-dependent manual controls.

Question 21

Categories of ITGCs?

Answer 21

Access to programs/data, program changes/development, computer operations, business continuity.

Question 22

How do control objectives relate to assertions?

Answer 22

Ensure completeness, existence, cutoff, accuracy, classification of transactions.

Question 23

How do auditors gain understanding of internal controls?

Answer 23

Through inquiries, manuals, prior-year files, internal audit reports, walkthroughs.

Question 24

How should understanding be documented?

Answer 24

Using flowcharts, narratives, checklists, or a combination, showing key controls and processes.

Question 25

When are walkthroughs required?

Answer 25

If testing control effectiveness or when substantive procedures alone are insufficient.

Question 26

How do small entities impact internal control assessment?

Answer 26

Limited staff may reduce segregation of duties; owner-manager oversight can compensate but may override controls.

Question 27

What risk does IT complexity introduce?

Answer 27

Manual errors in non-automated systems; new systems may have unfamiliarity or bugs; high-risk transactions like cash sales need attention.

Question 28

What is collusion and why is it a risk?

Answer 28

Two or more individuals circumventing controls for personal gain; reduces effectiveness of segregation of duties.

Question 29

How can controls become obsolete?

Answer 29

Changes in business objectives, personnel, or outdated systems increase misstatement risk.

Question 30

What does P in PAIRS stand for?

Answer 30

Physical or logical controls – securing assets and controlling access to systems. Example: Warehouse access restricted by employee keycards.

Question 31

What does A in PAIRS stand for?

Answer 31

Authorization and approvals – ensuring transactions are valid and approved by the right personnel. Example: HR manager signs off on all new hires.

Question 32

What does I in PAIRS stand for?

Answer 32

Independent verifications – comparing documents or data and following up on inconsistencies. Example: Comparing an invoice signature to the policy to confirm spending authority.

Question 33

What does R in PAIRS stand for?

Answer 33

Reconciliations – comparing data sources to detect and investigate discrepancies. Example: Monthly bank reconciliations reviewed by a supervisor.

Question 34

What does S in PAIRS stand for?

Answer 34

Segregation of duties – separating responsibilities for authorization, recording, and custody of assets to reduce fraud/errors. Example: Person receiving cheques does not make bank deposits.

Question 35

Controls

Answer 35

Controls can be classified as either preventive or detective

Question 36

Preventive controls

Answer 36

Preventive controls stop errors or fraud before they occur

Question 37

Detective controls

Answer 37

Detective controls identify and correct issues after they occur