Manila * Cavite * Laguna * Cebu * Cagayan De Oro * Davao
Since 1977
AT.3209
Internal Controls Considerations
References:
a. PSA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement
b. PSA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
LECTURE NOTES
The Entity’s Internal Control
Internal control is the process designed, implemented and
maintained by those charged with governance (TCWG),
management and other personnel to address risks that are
present between the entity and the accomplishment of its
objectives. Its purpose is to address identified business risks
that threaten the achievement of the entity’s objectives
about:
• the reliability of the entity’s financial reporting (auditor’s
primary concern);
• the effectiveness and efficiency of its operations
(including safeguarding of assets); and
• its compliance with applicable laws and regulations.
Internal control structure varies with an entity’s size and
complexity. Smaller entities may use less structured means
and simpler processes and procedures.
An understanding of internal control assists the auditor in
identifying types of potential misstatements and factors that
affect the risk of material misstatement (ROMM), and in
designing the nature, timing, and extent of further audit
procedures (test of controls and substantive procedures).
Components of Internal Control
The following are the five components of an effective
internal control (CRIME):
1. Control Environment
2. Risk assessment process
3. Information system and communication
4. Control activities
5. Monitoring
Control Environment
Control environment is the governance and management
functions and the attitudes, awareness, and actions of
TCWG and management concerning the entity’s internal
control and its importance in the entity. It is the foundation
of internal control as it sets the tone of an organization that
influences the control consciousness of its people.
The seven elements of the control environment are
(CHAMPOI):
1. Communication and enforcement of Integrity and
ethical values
2. Commitment to Competence
3. Human resource policies and practices
4. Assignment of authority and responsibility
5. Management's philosophy and operating style
6. Participation of those charged with governance
7. Organizational structure
Page 1 of 12 www.teamprtc.com.ph
SOLIMAN/UY/RICAFRENTE
MAY 2022
The auditor shall obtain an understanding of the control
environment. As part of obtaining this understanding, the
auditor shall evaluate whether:
1. Management, with the oversight of TCWG, has created
and maintained a culture of honesty and ethical
behavior; and
2. The strengths in the control environment elements
collectively provide an appropriate foundation for the
other components of internal control, and whether
those other components are not undermined by control
environment weaknesses.
Relevant audit evidence may be obtained through a
combination of inquiries and other risk assessment
procedures such as corroborating inquiries through
observation or inspection of documents. For example,
through inquiries of management and employees, the
auditor may obtain an understanding of how management
communicates to employees its views on business practices
and ethical behavior and considering whether management
has a written code of conduct and whether it acts in a
manner that supports the code.
Risk Assessment Process
The entity’s risk assessment process refers to the entity’s
process for identifying business risks relevant to financial
reporting objectives and deciding about actions to address
those risks, and the results thereof. If that process is
appropriate to the circumstances, including the nature, size
and complexity of the entity, it assists the auditor in
identifying ROMM. Whether the entity’s risk assessment
process is appropriate is a matter of judgment.
The auditor shall obtain an understanding of whether the
entity has a process for (IDEA):
1. Identifying business risks relevant to financial reporting
objectives;
2. Estimating the significance of the risks;
3. Assessing the likelihood of their occurrence; and
4. Deciding about actions to address those risks.
Information System and Communication
Information and communication relates to the identification,
capture, and exchange of information that enables
individuals to carry out their responsibilities. It includes
information system and communication relevant to financial
reporting system which consists of the procedures and
records established to initiate, record, process and report
entity transactions (as well as events and conditions) and
to maintain accountability for the related assets, liabilities
and equity.
Information system and communication consists of
infrastructure (physical and hardware components),
software, people, procedures, and data.
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.
The auditor shall obtain an understanding of the information
system, including the related business processes, relevant
to financial reporting, including how the entity
communicates financial reporting roles and responsibilities
and significant matters relating to financial reporting,
including:
1. Communications between management and TCWG; and
2. External communications, such as those with regulatory
authorities.
Control Activities
Control activities are policies and procedures of the entity
that help ensure that management directives are carried
out.
Examples of control activities include policies and
procedures on (PIPS):
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
The auditor shall obtain an understanding of control
activities relevant to the audit.
Control activities that are relevant to the audit are:
• Those that are required to be treated as such, being
control activities that relate to significant risks and
those that relate to risks for which substantive
procedures alone do not provide sufficient appropriate
audit evidence; or
• Those that are considered to be relevant in the
judgment of the auditor, being those necessary in order
to assess the ROMM at the assertion level and design
further audit procedures responsive to assessed risks
Risks arising from, and control activities, in information
technology (IT)
In understanding the entity’s control activities, the auditor
shall obtain an understanding of how the entity has
responded to risks arising from IT. This topic will be
discussed separately in “Auditing in a computerized
information system (CIS) environment.”
Monitoring
Monitoring is a process that assesses the effectiveness of
internal control performance over time. It includes
assessing the design and operation of controls on a timely
basis and taking necessary corrective actions modified for
changes in conditions.
The types of monitoring activities are:
• ongoing monitoring activities - often built into the
normal recurring activities (e.g., sales and purchases)
of an entity and include regular management and
supervisory activities.
• separate evaluations - often performed by internal
auditors or company employees and provide feedback
on the effectiveness of other internal control processes.
• a combination of the two above.
Internal auditing is often considered a highly effective
monitoring control. Monitoring activities may also be
Page 2 of 12 www.teamprtc.com.ph
performed by external parties (e.g., customers implicitly
corroborate billing data by paying invoices).
The auditor shall obtain an understanding of the major
activities that the entity uses to monitor internal control
over financial reporting, including those related to those
control activities relevant to the audit, and how the entity
initiates corrective actions to its controls.
Inter-relationship of Components of Internal Control
Internal control consists of five interrelated components
designed to work together as a process in order to address
entity’s business risks and help it accomplish the it’s
objectives.
Inherent Limitations of Internal Control
Internal control can only provide reasonable assurance that
the entity’s objectives are met because of the following
inherent limitations:
• Cost-benefit considerations
• Human errors or mistakes
• Management override or circumvention
• Collusion among employees or outside parties
Understanding Entity’s Internal Controls Through
Transaction Cycles
Transaction cycles refer to certain business processes, or
segments into which related transactions can be
conveniently grouped and for which specific accounting
procedures and control activities are established by an
entity's management.
Typical transaction cycles for a trading or manufacturing
companies are:
• Revenue and receipt cycle
• Purchasing and disbursement cycle
• Payroll and personnel cycle
• Production or conversion (Inventory and warehousing)
cycle
• Investing and financing cycle
Collectively these cycles have no beginning or end except at
the origin and final disposition of an entity.
Relevant Controls: Nature and Extent of the Auditor’s
Understanding
The auditor shall obtain an understanding of internal control
relevant to the audit, not all controls that relate to financial
reporting are relevant to the audit. It is a matter of the
auditor’s professional judgment whether a control, is
relevant to the audit.
When obtaining an understanding of controls that are
relevant to the audit, the auditor shall evaluate
the design of those controls and determine whether they
have been implemented, by performing procedures in
addition to inquiry of the entity’s personnel.
Evaluating the design of a control involves considering
whether the control, individually or in combination with
other controls, is capable of effectively preventing, or
detecting and correcting, material misstatements.
Implementation of a control means that the control exists
and that the entity is using it. There is little point in
assessing the implementation of a control that is not
effective, and so the design of a control is considered first.
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.

An improperly designed control may represent a material initiated, authorized, recorded, processed and reported:
weakness (to be discussed at the end part of the lecture and
notes) in the entity’s internal control. • Verify the identified “what can go wrongs” (WCGWs)
that have the potential to materially affect relevant
Procedures to Obtain Understanding of Internal financial statement assertions related to significant
Controls accounts and disclosures within each significant class of
transactions.
Risk assessment procedures to obtain audit evidence about
the design and implementation (D&I) of relevant controls Method Advantage Disadvantages
may include:
§ Easy to complete
• Inquiring of entity personnel § Comprehensive list
• Observing the application of specific controls. § May be
of questions make
• Inspecting documents and reports. answered
it unlikely that
without
• Tracing transactions through the information system important portions
adequate
relevant to financial reporting. (Walkthrough of internal control
thought being
procedure) ICQ will be overlooked
given to
§ Weaknesses
questions
Inquiry alone, however, is not sufficient for such purposes. become obvious
§ Questions may
Evaluating the design of a control involves considering (generally those
not “fit” client
whether the control is capable of effectively preventing, or questions
adequately
detecting and correcting, material misstatements. answered with a
Implementation of a control means that the control exists “no”)
and that the entity is using it. There is little point in § May become
assessing the implementation of a control that is not very long and
effective, and so the design of a control is considered first. time-
An improperly designed control may represent a material § Tailor-made for
consuming
weakness in the entity’s internal control. engagement
§ Weaknesses in
§ Requires a
structure not
Obtaining an understanding of an entity’s controls is not detailed analysis
Narratives always
sufficient to test their operating effectiveness (which is and thus forces
(Memo.) obvious
determined through test of controls), unless there is some auditor to
§ Auditor may
automation that provides for the consistent operation of the understand
overlook
controls. functioning of
important
structure
portions of
Documentation internal
control
The auditor shall document the key elements of each of the § Graphic
internal control components, including the sources of representation of
information from which the understanding was obtained. § Preparation is
structure
time-
§ Usually makes it
The auditor may document its understanding through any consuming
unlikely that
or combination of the following techniques: § Weaknesses in
important portions
structure not
Flowchart of internal control
1. Internal Control Questionnaires (ICQ) – An ICQ asks a always
will be over-looked
series of questions about the controls in each audit area obvious
§ Good for electronic
as a means of identifying internal control deficiencies. § (especially to
systems
Most questionnaires require a “yes” or a “no” response, inexperienced
§ No long wording
with “no” responses indicating potential internal control auditor)
(as in case of
deficiencies. memoranda)
2. Narratives/Memoranda – A narrative is a written
description of a client’s internal controls. Deficiencies in Internal Control
3. Flowcharts – An internal control flowchart is a diagram
of the client’s documents and their sequential flow in The auditor shall determine whether, on the basis of the
the organization. audit work performed, the auditor has identified one or
more deficiencies in internal control.
Performing a Transaction Walkthrough Test
Deficiency in internal control exists when:
Walkthrough test involves tracing a few transactions
through the financial reporting system. This test is normally 1. A control is designed, implemented or operated in such
done after the auditor has initially documented its a way that it is unable to prevent, or detect and correct,
understanding of the transaction cycles and significant misstatements in the financial statements on a timely
business processes. It should be done every year. basis; or
The auditor shall perform walkthroughs to achieve the 2. A control necessary to prevent, or detect and correct,
following objectives: misstatements in the financial statements on a timely
basis is missing.
• Confirm understanding, as identified in during process
documentation, of the flow of significant classes of A deficiency in design exists when (a) a control necessary
transactions within significant processes or sources and to meet the control objective is missing or (b) an existing
preparation of information resulting in significant control is not properly designed so that, even if the control
disclosures, including how these transactions are operates as designed, the control objective would not be

Page 3 of 12 www.teamprtc.com.ph AT.3209

EXCEL PROFESSIONAL SERVICES, INC.

met. A deficiency in operation exists when a properly assessment of the behavior, attitudes, competence, and
designed control does not operate as designed, or when the actions of management.
person performing the control does not possess the
necessary authority or competence to perform the control The owner-manager may perform functions that address
effectively. several of the components of internal control. The presence
of a highly involved owner-manager is often an internal
If the auditor has identified one or more deficiencies in control strength and a control weakness. The control
internal control, the auditor shall determine, on the basis of strength is that the person (assuming his/her competence)
the audit work performed, whether, individually or in will be knowledgeable about all aspects of operations, and
combination, they constitute significant deficiencies. it is highly unlikely that material misstatements will be
missed. The control weakness is the opportunity provided
Significant deficiency in internal control refers to a for that person to override the internal control for his/her
deficiency or combination of deficiencies in internal control own benefit.
that, in the auditor’s professional judgment, is of sufficient
importance to merit the attention of those charged with Communication
governance. Significant deficiency is less severe than a Severity to Mgt. &
material weakness. Deficiency TCWG?
Not allow, in the normal
The auditor shall evaluate whether, on the basis of the audit course of functions, to
work performed, the auditor has identified a material Control Only if it merits
prevent or detect and
weakness in the design, implementation or maintenance of deficiency their attention.
correct misstatements
internal control. on a timely basis.
Significant Less severe than a
Material weakness in internal control is deficiency, or a Yes
deficiency material weakness.
combination of deficiencies, in internal control over financial A reasonable possibility
reporting, such that there is a reasonable possibility that a that a material
material misstatement of the company’s annual or interim Material misstatement will not
financial statements will not be prevented or detected on a Yes
Weakness be prevented, or
timely basis. In other words, if a deficiency in an internal detected and corrected
control is thought to be of material weakness, this means on a timely basis.
that it could lead to a material misstatement in a company's
financial statements.

The types of material weaknesses in internal control that

the auditor may identify when obtaining an understanding
of the entity and its internal controls may include:

• ROMM that the auditor identifies and which the entity

has not controlled, or for which the relevant control is
inadequate.
• A weakness in the entity’s risk assessment process that
the auditor identifies as material, or the absence of a
risk assessment process in those cases where it would
be appropriate for one to have been established.

The auditor shall communicate significant deficiencies and

material weaknesses in internal control in writing (e.g.,
management letter, the “by-product” of audit) identified
during the audit on a timely basis to management at an
appropriate level of responsibility and with those charged
with governance.

Internal Control in Smaller Entities

Smaller entities may use less structured means and simpler

processes and procedures.

In smaller entities, there are often few employees because

of constraint in resources, which may limit the extent to
which:
• Segregation of duties is practicable; and
• An appropriate paper trail of documentation is available.

Internal control in such entities often derives from the

control environment (management’s commitment to ethical
values, competence, attitude toward control, and its day-
to-day actions) as opposed to specific controls over
transactions. Evaluating the control environment is quite
different from traditional control activities, as it involves an

Page 4 of 12 www.teamprtc.com.ph AT.3209

EXCEL PROFESSIONAL SERVICES, INC.

Summary of Internal Control Components and The Auditor’s Required Understanding to Plan the Audit
Summary of Components Required Understanding to Plan Audit
Obtain knowledge about design and whether
controls have been implemented; the
Objective is to prepare financial statements understanding should be adequate to allow the
Overall Internal Control for external purposes that are fairly auditor to
for Financial Reporting presented in conformity with GAAP (or 1) Identify types of potential misstatements
another comprehensive basis) 2) Consider factors affecting risk of material
misstatements
3) Design effective substantive tests
Factors
• Integrity and ethical values
• Commitment to competence
• Human resource policies and practices Obtain sufficient knowledge to understand
• Assignment of authority and management and board of directors
Control Environment responsibility 1) Attitudes
• Management’s philosophy and operating 2) Awareness
style 3) Actions
• Participation by those charged with
governance
• Organizational structure
The identification, analysis, and Obtain understanding of how management
management of risks relevant to the 1) Identifies risks
Risk Assessment
preparation of financial statements following 2) Estimates the significance of the risks
GAAP 3) Assesses the likelihood of occurrence
Policies and procedures that pertain to
Obtain additional understanding as necessary to
• Performance reviews
plan the audit. Ordinarily, an understanding of
Control Activities • Information processing
control activities related to each account or to
• Physical controls
every assertion is not necessary.
• Segregation of duties
Methods to record, process, summarize, and
Obtain understanding of
report transactions, which include
1) Major transaction classes
• Identify and record all valid transactions
2) How transactions are initiated
• Describe on a timely basis
3) Available accounting records and support
Information and • Measure the value properly
4) Manner of processing of transactions
Communication • Record in the proper time period
5) Financial reporting process used to prepare
• Properly present and disclose
financial statements
• Communicate responsibilities to
6) Means the entity uses to communicate
employees
financial reporting roles and responsibilities
Methods to consider whether controls are Obtain sufficient understanding of major types
Monitoring
operating as intended of monitoring activities

DISCUSSION QUESTIONS
Introduction—Importance of Understanding the
Entity's Internal Control
1. According to PSA 315, an auditor uses the
understanding of internal control to:
a. Identify types of potential misstatements
b. Consider factors that affect the risks of material
misstatement
c. Design the nature, timing and extent of further
audit procedures
d. All of the above
2. Reasons to evaluate internal control would not include
a. Basis for planning the audit.
b. Determining the nature, timing, and extent of
substantive procedures.
c. Basis for type of opinion to be rendered.
d. Formulating constructive suggestions for
improvements.
RAP to Obtain Understanding of Internal Control
3. The auditor’s understanding of the accounting and
internal control systems significant to the audit is
ordinarily obtained through previous experience with
the entity. In addition, the auditor may perform the
following procedures, except
a. Inquiries of appropriate management, supervisory
and other personnel at various organizational levels
within the entity, together with reference to
documentation, job descriptions and flow charts,
although inquiry although is not sufficient.
b. Inspection of documents and records produced by
the accounting and internal control system.
c. Observation of the entity’s activities and operations,
including observation of the organization of
computer operations, management personnel and
the nature of transaction processing.
d. Reperformance of internal control procedures.

Page 5 of 12 www.teamprtc.com.ph AT.3209

EXCEL PROFESSIONAL SERVICES, INC.
4. Risk assessment procedures performed to obtain
evidence about the design and implementation of
relevant controls include
a. External confirmation.
b. Recalculation.
c. Analytical procedures.
d. Tracing transactions or walkthrough.
5. In obtaining an understanding of a manufacturing
entity’s internal control concerning inventory balances,
an auditor most likely would
a. Review the entity’s descriptions of inventory policies
and procedures.
b. Perform test counts of inventory during the entity’s
physical count.
c. Analyze inventory turnover statistics to identify
slow-moving and obsolete items.
d. Analyze monthly production reports to identify
variances and unusual transactions.
6. Which of the following is not useful for obtaining an
understanding of internal controls?
a. Make inquiries of the client’s personnel.
b. Examine documents and records.
c. Read industry trade magazines.
d. Observe client activities and operations.
Nature of Internal Control
7. The process designed and effected by those charged
with governance, management, and other personnel to
provide reasonable assurance about the achievement of
the entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and
regulations.
a. Internal Control c. Administrative control
b. Accounting control d. Control environment
8. The financial statements are not likely to correctly
reflect GAAP if the:
a. controls affecting the reliability of financial reporting
are inadequate.
b. company’s controls do not promote efficiency.
c. company’s controls do not promote effectiveness.
d. company’s control do not promote compliance with
applicable rules and regulations.
9. Among the three objectives of internal control, which is
of most importance to the auditor in an audit of financial
statements?
a. Reliability of financial reporting.
b. Effectiveness and efficiency of operations.
c. Compliance with applicable laws and regulations.
d. All of the above.
10. What is the relationship between an entity’s objectives
and the controls it implements to provide reasonable
assurance about their achievement?
a. Direct. c. None
b. Inverse d. Both A and B
11. An entity’s internal control encompasses its
a. People. c. Processes.
b. Units and function. d. All of the above.
12. The primary responsibility for designing, implementing
and maintaining internal control rests with
a. Internal auditors c. The external auditor
b. The CFO d. The management/TCWG
Page 6 of 12 www.teamprtc.com.ph
Inherent Limitations of Internal Control
13. When considering internal control, an auditor must be
aware of the concept of reasonable assurance, which
recognizes that
a. Employment of competent personnel provides
assurance that the objectives of internal control will
be achieved.
b. Establishment and maintenance of internal control
is an important responsibility of the management
and not of the auditor.
c. Cost of internal control procedures should not
exceed the benefits expected to be derived from the
control.
d. Segregation of incompatible functions is necessary
to ascertain that the control procedures are
effective.
14. Which of the following is not one of the inherent
limitations of internal control?
a. Faulty human judgment.
b. Collusion.
c. Management override.
d. Lack of proper segregation of incompatible duties.
15. Which of the following is most likely to be a direct
consequence of the fact that internal controls have
inherent limitations that normally cannot be completely
eliminated?
a. Inherent risk must be greater than zero.
b. Risk of material misstatement must be greater than
zero.
c. Audit risk must be greater than zero.
d. Detection risk must be greater than zero.
The Five Components of Internal Control and The
Auditor's Required Understanding
16. Control environment component of internal control
a. Consists of the policies and procedures that help
ensure that management directives are carried out.
b. Includes the governance and management
functions and the attitudes, awareness, and actions
of those charged with governance and management
concerning the entity’s internal control and its
importance in the entity.
c. Is the entity’s process for identifying business risks
relevant to financial reporting objectives and
deciding about actions to address those risks, and
the results thereof.
d. Consists of the procedures and records established
to initiate, authorize, record, process, and report
entity transactions, events and conditions and to
maintain accountability for the related assets,
liabilities, and equity.
17. Monitoring
a. Is the entity’s identification and analysis of relevant
risks as a basis for their management.
b. Support the identification, capture, and exchange of
information in a form and time frame that enable
people to carry out their responsibilities.
c. Is a process that assesses the quality of internal
control performance over time.
d. Sets the tone of an organization, influencing the
control consciousness of its people.
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.

Control Environment New business models,

products, or activities. Yes Yes Yes Yes
18. Which of the following is incorrect regarding control Corporate restructurings. Yes Yes Yes Yes
environment component of internal control? Expanded foreign operations. Yes Yes Yes Yes
a. The foundation for the other components of internal New accounting
control to function as control environment provides pronouncements. Yes Yes Yes Yes
discipline and structure.
b. To understand the control environment, the auditor 23. In obtaining an understanding of an entity’s risk
considers programs and controls addressing fraud assessment process component of internal control, an
risk implemented by management and those auditor should evaluate whether the entity has a
charged with governance. process for
c. The absence of programs and controls addressing a. b. c. d.
fraud risk of control environment may not represent Identifying business risks. Yes Yes Yes Yes
a material weakness. Estimating the significance of
d. The evaluation of the design of the control the risks. Yes Yes Yes No
environment includes considering the seven
Assessing likelihood of
elements of control environment.
occurrence. Yes Yes No Yes
Deciding actions to address
19. Which of the following factors are included in an entity’s
those risks. Yes No No Yes
control environment?
a. b. c. d.
Control Activities
Integrity and ethical values Yes No Yes Yes
Commitment to competence Yes Yes No Yes
24. Control activities are policies and procedures helping to
Participation of those
ensure that actions are taken to address risks to
charged with governance Yes Yes No Yes
achievement of entity’s objectives. Control activities
Management’s philosophy
may be
and operating style Yes Yes No Yes
a. Manual.
Organizational structure No Yes Yes Yes
b. Automated.
Assignment of authority and No Yes Yes Yes
c. Manual and automated.
responsibility
d. All of the above.
Human resources policies
and procedures Yes No Yes Yes
25. Control activities component of internal control include
a. b. c. d.
20. Which of the following relates to human resource
policies and practices factor of control environment? Performance reviews Yes Yes Yes No
a. Effective communication of standards and values Information processing Yes No No Yes
and removal of incentives and temptations for Physical controls Yes Yes No No
dishonest or unethical acts. Segregation of duties Yes Yes Yes Yes
b. Management’s approach to taking and managing Authorization Yes Yes Yes Yes
business risks.
c. Consideration of key areas of authority and 26. Which of the following control activities refers to
responsibility and appropriate lines of reporting. information processing control?
d. Recruitment, orientation, training, evaluation, a. Reviews of actual performance versus budgets and
counseling, promotion, compensation, and remedial prior performance.
action. b. Checking of accuracy, completeness, and
authorization of transactions, which include general
21. In obtaining an understanding of control environment controls and application controls.
component of internal control, an auditor should c. The safeguarding of assets, records, periodic
evaluate whether counts, and reconciliations that creates asset
a. Management, with oversight of TCWG, has created accountability.
and maintained a culture of honesty and ethical d. The separation of the functions to minimize the
behavior. opportunities for a person to be able to perpetrate
b. The strengths of control environment elements and conceal errors or fraud in the normal course of
provide a foundation for the other components of his/her duties.
internal control.
c. Both a and b. 27. Proper segregation of functional responsibilities calls for
d. Neither a nor b. separation of the functions of
a. Authorization, execution, and recording.
Risk Assessment b. Authorization, execution, and payment.
c. Custody, execution, and reporting.
22. Which of the following risks should be considered by the d. Authorization, payment, and recording.
entity’s risk assessment process?
a. b. c. d. 28. Which of the following statements is correct with respect
Changes in operating to separation of duties?
environment. Yes Yes Yes Yes a. Employees should not have temporary and
New personnel. Yes Yes Yes No permanent custody of assets.
New or revamped b. Employees who authorize transactions should not
information systems. Yes Yes Yes Yes have custody of related assets.
Rapid growth. Yes No No Yes c. It is permissible to allow an employee to open cash
receipts and record those receipts.
New technology. Yes Yes No No

Page 7 of 12 www.teamprtc.com.ph AT.3209

EXCEL PROFESSIONAL SERVICES, INC.

d. Employees who authorize transactions should have Monitoring

recording responsibility for these transactions.
35. A component of COSO’s internal control system
29. Physical controls to safeguard assets would include: concerns the process that provides feedback on the
a. hiring only trustworthy cashiers effectiveness of the other components of internal
b. segregation of duties control. This component is called:
c. locks on the warehouse doors a. Information & communication c. Monitoring
d. safety audits on the production-line b. Control activities d. Risk assessment

30. Controls that enhance the reliability of the financial 36. The monitoring process of internal control does not
statements may be classified as prevention controls and involve
detection controls. Which of the following is primarily a a. Ongoing activities and separate evaluations
detection control? b. Actions of internal auditors
a. Separation of duties between recording cash c. Communications from external parties.
receipts and depositing cash. d. None of the above
b. Bank accounts are reconciled monthly by persons
independent of cash recording and cash custody. 37. An entity's ongoing monitoring activities, which are built
c. The human resources department authorizes the into normal recurring actions, often include
hiring of only those persons for accounting positions a. Periodic audits by the audit committee.
that meet the written job requirements specified by b. Reviewing or supervising the purchasing function.
the corporate controller. c. The audit of the annual financial statements.
d. An accounting manual, accompanied by a detailed d. Control risk assessment in conjunction with
chart of accounts, carefully and clearly describes quarterly reviews.
each type of transaction affecting the entity.
Entity-Level and Transaction-Level Internal Controls
31. Internal controls may be preventive, detective, or
corrective. Which of the following is preventive? 38. Statement 1: Entity-level internal controls are pervasive
a. Requiring two persons to open mail. controls that relate to the overall operations of an
b. Reconciling the accounts receivable subsidiary file entity.
with the control account.
c. Using batch totals. Statement 2: Transaction-level internal controls are
d. Preparing bank reconciliations. specific controls that ensure transactions are
accurately and timely recorded, authorized, and
Information System and Communication processed.
a. True, true
32. An information system consists of __________ that b. True, false
interrelate to achieve a business goal. c. False, true
a. b. c. d. d. False, false
Physical and hardware
infrastructure. Yes Yes Yes No Evaluating Entity-Level Controls
Software. Yes No No Yes
Data. Yes Yes No No 39. An auditor typically follows a _____ approach in
Manual and automated obtaining an understanding of internal control.
procedures. Yes Yes Yes Yes a. Top-down.
People. Yes Yes Yes Yes b. Bottom-up.
c. Parallel.
33. An information system d. All of the above.
a. b. c. d.
The Entity's Transaction Cycles and Controls
Identifies and records all
valid transactions. Yes Yes Yes No
40. An entity’s transaction cycles typically include
Describes transactions
sufficiently for proper a. b. c. d.
classification. Yes No No Yes Revenue and receipt cycle Yes Yes Yes No
Measures transactions. Yes Yes No No Purchasing and disbursement
cycle Yes No No Yes
Determines the proper
reporting period for Personnel and payroll cycle Yes Yes No No
transactions. Yes Yes Yes Yes Inventory and production Yes Yes Yes Yes
Presents transactions and cycle
related disclosures Yes Yes Yes Yes Financing and investing cycle Yes Yes Yes Yes
properly.
41. Which of the following statements with respect to the
34. Communication component of internal control includes independent auditor's evaluation of internal control is
providing an understanding to employees about their correct?
roles and responsibilities. Communication, electronic, a. The auditor should decrease control testing when
oral or by management actions, may be through weaknesses in cash receipts are mitigated by strong
a. Policy manuals. controls in cash disbursement procedures.
b. Financial reporting manuals. b. The auditor should increase control testing when
c. Memoranda. weaknesses in billing procedures are mitigated by
d. All of the above. strong controls in collection procedures.

Page 8 of 12 www.teamprtc.com.ph AT.3209

EXCEL PROFESSIONAL SERVICES, INC.
c. The auditor generally should not evaluate the
overall effectiveness of internal control, but should
separately evaluate each of the transaction cycles.
d. The auditor should evaluate all internal control
weaknesses before determining the control
procedures that should prevent or detect errors or
irregularities.
42. Why does the auditor divide the financial statements
into smaller segments?
a. Using the cycle approach makes the audit more
manageable.
b. Most accounts have few relationships with others
and so it is more efficient to break the financial
statements into smaller pieces.
c. The cycle approach is used because auditing
standards require it.
d. All of the above are correct.
Internal Control in Smaller Entities
43. An important issue that arises in the context of a small
business is whether the enterprise is auditable. Which
of the following factors would be most likely to indicate
to a CPA that a small business enterprise was not
auditable?
a. The inherent risk of material misstatement is high.
b. The company relies solely on manual data
processing of basic transactions.
c. There are a limited number of employees and poor
segregation of duties.
d. Underlying source documents for transactions are
not retained.
44. Which of the following is most likely to be a
characteristic of an owner-managed small business?
a. A formal organization structure
b. A strong control environment
c. Management tendency to override internal controls
d. Effective segregation of duties
45. Which of the following risk assessments or values is
least likely to be characteristic of a small business audit?
a. Business risk is low.
b. Control risk is low.
c. Inherent risk is low
d. Detection risk is low.
46. In auditing smaller entities, an auditor usually finds it
more efficient to apply
a. Tests of controls strategy.
b. Substantive procedures strategy.
c. Combination of a and b.
d. Any of the above.
47. Under what circumstances is testing of controls required
when auditing a small business?
a. For those accounts where the auditor has
determined that there are significant inherent risks
of material misstatement
b. For those accounts for which substantive testing
alone does not provide sufficient assurance
c. For those accounts where the auditor has
determined the risk of fraud to be higher than
normal
d. For all accounts containing one or more transactions
that are individually material in amount
Page 9 of 12 www.teamprtc.com.ph
48. Which of the following best describes the level of
engagement risk when a CPA audits the financial
statements for a small business client?
a. Low
b. Moderate
c. High
d. Maximum
Scope of Internal Control Understanding—
Determining Relevant Controls
49. PSAs require the auditor to obtain understanding of the
entity’s internal control structure
a. For first time audit clients.
b. For every audit.
c. Whenever the auditor wishes or sees necessary.
d. Sufficient to find any frauds that may exist.
50. In all audits, the auditor should obtain an understanding
of _______ components of internal control sufficient to
assess the risk of material misstatement and to design
further audit procedures.
a. Depends on the management’s permission.
b. Majority.
c. At least four.
d. All the five.
51. With respect to the client's system of internal control,
the auditor is concerned that the existing policies and
procedures provide reasonable assurance that
a. Operational efficiency has been achieved in
accordance with management plans.
b. Errors and fraud have been prevented or detected.
c. Controls have not been circumvented by collusion.
d. Management cannot override the internal controls.
52. An internal control is relevant to an audit of financial
statements if it addresses risks of material
misstatement. In determining whether a control is
relevant, an auditor shall consider
a. Materiality and significance of risk.
b. Size and nature of entity.
c. How a specific control prevents, or detects and
corrects, material misstatement.
d. All of the above.
53. Which of the following statements is false with regard
to the auditor’s consideration of an entity’s internal
control?
a. An entity may have controls relating to objectives
that are not relevant to audit and need not be
considered.
b. Understanding internal control relevant to each
operating unit or business function may not be
necessary to perform an audit.
c. The auditor’s primary consideration of internal
control is whether the control affects financial
statement assertions.
d. Internal control is considered relevant to the audit
of financial statements when the control addresses
all business risks.
54. Which of the following statements is false with regard
to the auditor’s consideration of an entity’s internal
control?
a. Controls over financial reporting objectives are
usually relevant to audit of financial statements.
b. Controls over operations and compliance objectives
are totally not relevant to audit of financial
statements.
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.
c. Controls over operations and compliance objectives
may be relevant to audit of financial statements if
they relate to information or data involved in
performance of audit procedures such as those
controls related to nonfinancial data used in
analytical procedures and noncompliance with laws
and regulations.
d. Controls over safeguarding of assets such as limit
access to data and programs (e.g., passwords) that
process cash payments are relevant to audit of
financial statements.
55. Which of the following internal control is most likely
relevant to an audit of financial statements?
a. A TV manufacturer’s computerized production
scheduling system.
b. An airline’s automated controls that maintain flight
schedules.
c. A furniture manufacturer’s controls for incidental
sales of scrap materials that accounts for less than
1% of total sales.
d. A bank’s loan approval process.
56. When an auditor uses information produced by the
entity, which of the following controls is(are) relevant?
a. Controls over completeness.
b. Controls over accuracy.
c. Both a and b.
d. Neither a nor b.
57. Identifying relevant controls is least likely facilitated by
a. Previous experience.
b. The understanding of the entity and its
environment.
c. Information gather during the during.
d. Rate of responses to bank confirmation letters.
Extent of Understanding of the Entity's Relevant Controls—
Design and Implementation
58. The auditor must evaluate the design of relevant
controls and determine whether they have been
implemented. Evaluating the design of the entity’s
internal control would involve
a. Considering whether the control, individually or in
combination with other controls, is capable of
effectively preventing or detecting and correcting,
material misstatements.
b. Determining whether control exists and the entity is
using it.
c. Determining the how, by whom, and consistency of
application of internal control.
d. Determining whether the control is operating
effectively.
59. Obtaining an understanding of internal control through
risk assessment procedures involves evaluating the
a. b. c. d.
Design of internal control. Yes Yes Yes Yes
Implementation of internal Yes No No Yes
control.
Operating effectiveness of
internal control. Yes Yes No No
60. When is the case that obtaining an understanding of
internal control is sufficient to test the operating
effectiveness of control?
a. Controls are highly automated and the IT general
controls are effective.
b. Controls are non-complex in nature.
Page 10 of 12 www.teamprtc.com.ph
c. Controls are periodically evaluated by internal
auditors.
d. Controls are sophisticated and critical.
61. When obtaining an understanding of an entity’s internal
controls, an auditor should concentrate on their
substance rather than their form because
a. The controls may be operating effectively but may
not be documented.
b. Management may establish appropriate controls but
not enforce compliance with them.
c. The controls may be so inappropriate that the
auditor assesses control risk at the maximum.
d. Management may implement controls whose costs
exceed their benefits.
Documentation of Understanding of Internal Control
62. Which of the following is not a medium that can
normally be used by an auditor to record information
concerning a client's internal control policies and
procedures?
a. Narrative memorandum. c. Flowchart.
b. Procedures manual. d. Questionnaire.
63. Which of the following is not a medium that can
normally be used by an auditor to record information
concerning a client's internal control policies and
procedures?
c. Decision table. c. Check list.
d. Policy manual. d. Questionnaire.
64. A decision table
a. Consists of a series of procedures to be performed.
b. Logic diagrams presented in matrix form.
c. A written description of the process and flow of
documents and of the control points.
d. Diagrams of the client’s system that track the flow
of documents and processing.
65. Questionnaires consist of a series of interrelated
questions about internal control policies and
procedures. The questions are typically phrased so that
a “Yes” indicates a control strength and a “No” indicates
a potential weakness. An advantage(s) of the
questionnaire is(are)
a. Provide a visual representation of the system and
flexible in construction.
b. Help identify control concerns and prevents the
auditor from overlooking important control
considerations.
c. Flexible to prepare, although difficult for a complex
system.
d. Identify the contingencies considered in the
description of a problem and the appropriate
actions to be taken in each case.
66. An auditor must document his/her understanding of
internal control using
a. A narrative memorandum.
b. A flowchart.
c. A questionnaire.
d. Any form.
Walkthrough Tests
67. A procedure that involves tracing a transaction from its
origination through the company's information systems
until it is reflected in the company's financial report is
referred to as a(n)
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.
a. Analytical analysis.
b. Substantive procedure.
c. Test of a control.
d. Walk-through
68. Which of the following statements is incorrect about
walk-through test?
a. A procedure required to be performed every year of
audit and to verify the identified “what can go
wrongs” that have the potential to materially affect
relevant financial statement assertions related to
significant accounts and disclosures within each
significant class of transactions.
b. This procedure may be treated as part of tests of
control.
c. This procedure is performed to evaluate the
effectiveness of the design of controls and
determine (confirm) whether the controls are
implemented (placed in operation) by the client.
d. The nature and extent of walk-through tests
performed by the auditor are such that they alone
would provide sufficient appropriate audit evidence
to support a control risk assessment which is less
than high.
69. Which of the following best represents a walk-through?
a. The controller reviews the bank reconciliation
prepared by the accountant and its resulting journal
entries.
b. The auditor walks the production line to find
inefficiencies in the inventory process and reports
them to management.
c. The controller takes a sample of write-offs to ensure
they have been adequately documented and
recorded.
d. The auditor traces three purchasing transactions
from the purchase order to the financial statement
for observation and understanding.
70. In considering internal control, what is the purpose of a
transaction walk through?
a. To assure that employees are performing assigned
functions accurately.
b. To confirm the auditor's understanding of the
internal control structure.
c. To select documents for detailed tests of controls.
d. To verify the results of the auditor's sampling plan.
71. Obtaining knowledge about whether the control is
implemented can best be obtained by
a. Inquiry of client’s personnel.
b. Performing tests of control.
c. Reading procedures manual.
d. Tracing transactions through the information
system relevant to financial reporting.
Deficiencies in Internal Control
72. Which of the following is not one of the levels of an
absence of internal controls?
a. Control deficiency.
b. Significant deficiency.
c. Material weakness.
d. Major deficiency.
73. Deficiency in internal control exists when:
a. A control is unable to prevent, or detect and correct,
F/S misstatements timely.
b. A necessary control is missing.
c. Either a or b.
Page 11 of 12 www.teamprtc.com.ph
d. Neither a nor b.
74. A(n) _______ deficiency exists if a necessary control is
missing or not properly formulated.
a. Control.
b. Significant.
c. Design.
d. Operating.
75. An operation deficiency exists when
a. a properly designed control does not operate as
designed.
b. the person performing the control does not possess
the necessary authority or competence.
c. Either a or b.
d. Neither a nor b.
76. If the auditor finds a material weakness in the controls
of the client, it represents a deficiency in the design or
operation of a control
a. that adversely affects the company’s ability to
initiate, record, process, or report external financial
data reliably in accordance with GAAP.
b. that negatively affects the company’s ability to
initiate, record, process, or report external financial
data reliably in accordance with GAAP.
c. that results in a remote possibility that a material
misstatement of the annual or interim financial
statements will not be prevented or detected.
d. that results in a reasonable possibility that a
material misstatement of the annual or interim
financial statements will not be prevented or
detected.
77. In general, a material weakness in internal control may
be defined as a condition in which material errors or
irregularities may occur and not be detected within a
timely period by
a. An independent auditor during tests of controls.
b. Employees in the normal course of performing their
assigned functions.
c. Management when reviewing interim financial
statements and reconciling account balances.
d. Outside consultants who issue a special-purpose
report on internal control structure.
78. The auditor is not obligated to search for deficiencies in
internal control, although the he/she must
communicate control deficiencies noted. Which of the
following control deficiencies the auditor must
communicate to management and those charged with
governance?
a. Control deficiency.
b. Significant deficiency.
c. Material weakness.
d. Both b and c.
79. During the audit the independent auditor identified the
existence of a weakness in the client's internal control
and communicated this finding in writing to the client's
senior management and those charged with
governance. The auditor should
a. Consider the weakness a scope limitation and
therefore disclaim an opinion.
b. Suspend all audit activities pending directions from
the client's audit committee.
c. Withdraw from the engagement.
d. Consider the effects of the condition on the audit.
AT.3209
EXCEL PROFESSIONAL SERVICES, INC.

80. When a compensating control exists, the absence of a

key control:
a. is still a major concern to the auditor.
b. could cause a material loss, so it must be tested
using substantive procedures.
c. is magnified and must be removed from the
sampling process and examined in its entirety.
d. is no longer a concern because there is no longer a
significant deficiency or material weakness.

End of AT.3209

Page 12 of 12 www.teamprtc.com.ph AT.3209