UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY

AUDITING AUD 1.3/RDB

1.3 Understanding the Entity and its Environment including its Internal Control and Assessing the Risks of Material
Misstatement
1.3.1 Industry, regulatory and other external factors, including the applicable financial reporting framework
1.3.1.1 Nature of the entity
1.3.1.2 Objectives and strategies and related business risks
1.3.1.3 Measurement and review of the entity’s financial performance
1.3.2 Internal Control
1.3.2.1 Basic concepts and elements of internal control
1.3.2.2 Consideration of accounting and internal control systems
1.3.2.2.1 Understanding and documentation
1.3.2.2.2 Assessment of control risks
1.3.2.2.2.1 Test of controls
1.3.2.2.2.2 Documentation
1.3.3 Assessing the risks of material misstatement
1.3.3.1 Fraud and errors
1.3.3.2 Risk assessment procedures
1.3.3.3 Discussion among the engagement team
1.3.3.4 Significant risks that require special audit consideration
1.3.3.5 Risks for which substantive procedures alone do not provide sufficient appropriate audit
evidence
1.3.3.6 Revision of risk assessment
1.3.4 Communicating with those charged with governance and management

PSA 315
IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL
MISSTATEMENT

FOCUS NOTES:

• Objective:
✓ to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and
assertion levels of the financial statements;
✓ thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

• Definitions
 Assertions – Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and
disclosure of information in the financial statements which are inherent in management representing that the financial
statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor
to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the
risks of material misstatement.
 Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely
affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives
and strategies.
 Controls – Policies or procedures that an entity establishes to achieve the control objectives of management or those
charged with governance. In this context: (i) Policies are statements of what should, or should not, be done within the entity
to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and
decisions. (ii) Procedures are actions to implement policies.
 System of internal control – The system designed, implemented and maintained by those charged with governance,
management and other personnel, to provide reasonable assurance about the achievement of an entity’s objectives with
regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws
and regulations. For the purposes of the PSAs, the system of internal control consists of five inter-related components:
(i) Control environment;
(ii) The entity’s risk assessment process;
(iii) The entity’s process to monitor the system of internal control;
(iv) The information system and communication; and
(v) Control activities.

1
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
 Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment,
including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error,
at the financial statement and assertion levels.
 Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special
audit consideration.

• Requirements:
 The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate
basis for: (a) The identification and assessment of risks of material misstatement, whether due to fraud or error, at the
financial statement and assertion levels; and (b) The design of further audit procedures in accordance with PSA 330.
 The risk assessment procedures shall include the following:
a. Inquiries of management, of appropriate individuals within the internal audit function (if the function exists), and of others
within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material
misstatement due to fraud or error.
b. Analytical procedures.
c. Observation and inspection.
 The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is
relevant to identifying risks of material misstatement.
 If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether
information obtained is relevant to identifying risks of material misstatement.
 Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit
procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous
audit that may affect its relevance to the current audit.
 The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s financial
statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts
and circumstances. The engagement partner shall determine which matters are to be communicated to engagement team
members not involved in the discussion.

• Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting
Framework and the Entity’s System of Internal Control
Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework
 The auditor shall perform risk assessment procedures to obtain an understanding of:
(a) The following aspects of the entity and its environment:
i. The entity’s organizational structure, ownership and governance, and its business model, including the extent to
which the business model integrates the use of IT;
ii. Industry, regulatory and other external factors; and
iii. The measures used, internally and externally, to assess the entity’s financial performance;
(b) The applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes
thereto; and
(c) How inherent risk factors affect susceptibility of assertions to misstatement and the degree to which they do so, in the
preparation of the financial statements in accordance with the applicable financial reporting framework, based on the
understanding obtained in (a) and (b).
 The auditor shall evaluate whether the entity’s accounting policies are appropriate and consistent with the
applicable financial reporting framework.
Understanding the Components of the Entity’s System of Internal Control
 The auditor shall obtain an understanding of the control environment relevant to the preparation of the financial
statements, through performing risk assessment procedures, by:

(a) Understanding the set of controls, processes and and

structures that address:
i. How management’s oversight responsibilities
are carried out, such as the entity’s culture and
management’s commitment to integrity and
ethical values;
ii. When those charged with governance are
separate from management, the independence
of, and oversight over the entity’s system of
internal control by, those charged with
governance;
iii. The entity’s assignment of authority and
responsibility;
2
(b) Evaluating whether:
i. Management, with the oversight of those
charged with governance, has created
and maintained a culture of honesty and
ethical behavior;
ii. The control environment provides an
appropriate foundation for the other
components of the entity’s system of
internal control considering the
nature and complexity of the entity;
and
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING
iv. How the entity attracts, develops, and retains
competent individuals; and
v. How the entity holds individuals accountable for
their responsibilities in the pursuit of the
objectives of the system of internal control;
AUD 1.3/RDB
iii. Control deficiencies identified in the
control environment undermine the
other components of the entity’s
system of internal control.

 The auditor shall obtain an understanding of the entity’s risk assessment process relevant to the preparation of the
financial statements, through performing risk assessment procedures, by:

(a) Understanding the entity’s process for: and

(b) Evaluating whether the entity’s risk
i. Identifying business risks relevant to financial assessment process is appropriate to the
reporting objectives; entity’s circumstances considering the
ii. Assessing the significance of those risks, nature and complexity of the entity.
including the likelihood of their occurrence; and
iii. Addressing those risks;

 The auditor shall obtain an understanding of the entity’s process for monitoring the system of internal control relevant to
the preparation of the financial statements, through performing risk assessment procedures, by:

(a) Understanding those aspects of the entity’s and

process that address: (c) Evaluating whether the entity’s process for
i. Ongoing and separate evaluations for monitoring the system of internal control is
monitoring the effectiveness of controls, and the appropriate to the entity’s circumstances
identification and remediation of control considering the nature and complexity of
deficiencies identified; and the entity.
ii. The entity’s internal audit function, if any,
including its nature, responsibilities and
activities;
(b) Understanding the sources of the information
used in the entity’s process to monitor the system
of internal control, and the basis upon which
management considers the information to be
sufficiently reliable for the purpose;

 The auditor shall obtain an understanding of the entity’s information system and communication relevant to the preparation
of the financial statements, through performing risk assessment procedures, by:

(a) Understanding the entity’s information processing and

activities, including its data and information, the (d) Evaluating whether the entity’s information
resources to be used in such activities and the system and communication appropriately
policies that define, for significant classes of support the preparation of the entity’s
transactions, account balances and disclosures: financial statements in accordance with the
applicable financial reporting framework.
i. How information flows through the entity’s
information system, including how:
a. Transactions are initiated, and how
information about them is recorded,
processed, corrected as necessary,
incorporated in the general ledger and
reported in the financial statements; and
b. Information about events and conditions,
other than transactions, is captured,
processed and disclosed in the financial
statements;
ii. The accounting records, specific accounts in the
financial statements and other supporting
records relating to the flows of information in the
information system;
iii. The financial reporting process used to prepare
the entity’s financial statements, including
disclosures; and
3
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
iv. The entity’s resources, including the IT
environment, relevant to (a)(i) to (a)(iii) above;

(b) Understanding how the entity communicates

significant matters that support the preparation of
the financial statements and related reporting
responsibilities in the information system and
other components of the system of internal
control:
(i) Between people within the entity, including
how financial reporting roles and
responsibilities are communicated;
(ii) Between management and those charged
with governance; and
(iii) With external parties, such as those with
regulatory authorities;

 The auditor shall obtain an understanding of the control activities component, through performing risk assessment
procedures, by:

(a) Identifying controls that address risks of material and

misstatement at the assertion level in the control
activities component as follows:
(i) Controls that address a risk that is
determined to be a significant risk;
(ii) Controls over journal entries, including non-
standard journal entries used to record non-
recurring, unusual transactions or
adjustments;
(iii) Controls for which the auditor plans to test
operating effectiveness in determining the
nature, timing and extent of substantive
testing, which shall include controls that
address risks for which substantive
procedures alone do not provide sufficient
appropriate audit evidence; and
(iv) Other controls that the auditor considers
appropriate based on his professional
judgment;
(d) For each control identified in (a) or (c)(ii):
(i) Evaluating whether the control is
designed effectively to address the risk
of material misstatement at the
assertion level, or effectively designed
to support the operation of other
controls; and
(ii) Determining whether the control has
been implemented by performing
procedures in addition to inquiry of the
entity’s personnel.

(b) Based on controls identified in (a), identifying the

IT applications and the other aspects of the
entity’s IT environment that are subject to risks
arising from the use of IT;

(c) For such IT applications and other aspects of the

IT environment identified in (b), identifying:

(i) The related risks arising from the use of IT;

and
(ii) The entity’s general IT controls that address
such risks;

Control Deficiencies Within the Entity’s System of Internal Control

 Based on the auditor’s evaluation of each of the components of the entity’s system of internal control, the auditor shall
determine whether one or more control deficiencies have been identified.

• Identifying and Assessing the Risks of Material Misstatement

Identifying Risks of Material Misstatement
 The auditor shall identify the risks of material misstatement and determine whether they exist at:
(a) The financial statement level; or
(b) The assertion level for classes of transactions, account balances and disclosures.
 The auditor shall determine the relevant assertions and the related significant classes of transactions, account balances
and disclosures.
4
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
Assessing Risks of Material Misstatement at the Financial Statement Level
 For identified risks of material misstatement at the financial statement level, the auditor shall assess the risks and:
(a) Determine whether such risks affect the assessment of risks at the assertion level; and
(b) Evaluate the nature and extent of their pervasive effect on the financial statements.
Assessing Risks of Material Misstatement at the Assertion Level
Assessing Inherent Risk:
 For identified risks of material misstatement at the assertion level, the auditor shall assess inherent risk by assessing the
likelihood and magnitude of misstatement. In doing so, the auditor shall take into account how, and the degree to which:
(a) Inherent risk factors affect the susceptibility of relevant assertions to misstatement; and
(b) The risks of material misstatement at the financial statement level affect the assessment of inherent risk for risks of
material misstatement at the assertion level.
 The auditor shall determine whether any of the assessed risks of material misstatement are significant risks.
 The auditor shall determine whether substantive procedures alone cannot provide sufficient appropriate audit evidence for
any of the risks of material misstatement at the assertion level.
Assessing Control Risk
 If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does
not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the
assessment of the risk of material misstatement is the same as the assessment of inherent risk.
Evaluating the Audit Evidence Obtained from the Risk Assessment Procedures
 The auditor shall evaluate whether the audit evidence obtained from the risk assessment procedures provides an
appropriate basis for the identification and assessment of the risks of material misstatement. If not, the auditor shall
perform additional risk assessment procedures until audit evidence has been obtained to provide such a basis. In
identifying and assessing the risks of material misstatement, the auditor shall take into account all audit evidence obtained
from the risk assessment procedures, whether corroborative or contradictory to assertions made by management.
Classes of Transactions, Account Balances and Disclosures that Are Not Significant, but Which Are Material
 For material classes of transactions, account balances or disclosures that have not been determined to be significant
classes of transactions, account balances or disclosures, the auditor shall evaluate whether the auditor’s determination
remains appropriate.
Revision of Risk Assessment
 If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based
the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or
assessment.

• Documentation
 The auditor shall include in the audit documentation:
(a) The discussion among the engagement team and the significant decisions reached;
(b) Key elements of the auditor’s understanding (Entity and its Environment, the Applicable Financial Reporting
Framework, and the System of Internal Control); the sources of information from which the auditor’s understanding
was obtained; and the risk assessment procedures performed;
(c) The evaluation of the design of identified controls, and determination whether such controls have been implemented;
and
(d) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level,
including significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit
evidence, and the rationale for the significant judgments made.

✓ Risks that Require Special Audit Consideration. As part of the risk assessment, the auditor shall
determine whether any of the risks identified are, in the auditor’s judgment, a significant risk. In exercising
this judgment, the auditor shall exclude the effects of identified controls related to the risk. In exercising
judgment as to which risks are significant risks, the auditor shall consider at least the following:
a. Whether the risk is a risk of fraud;
b. Whether the risk is related to recent significant economic, accounting or other developments and,
therefore, requires specific attention;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of subjectivity in the measurement of financial information related to the risk, especially
those measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of business for the
entity, or that otherwise appear to be unusual.

✓ If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the
entity’s controls, including control activities, relevant to that risk.

5
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
✓ Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit
Evidence. In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the
inaccurate or incomplete recording of routine and significant classes of transactions or account balances, the
characteristics of which often permit highly automated processing with little or no manual intervention. In such
cases, the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an
understanding of them.

 Documentation: auditor shall include in the audit documentation:

a. The discussion among the engagement team where required by paragraph 10 of PSA 315, and the
significant decisions reached;
b. Key elements of the understanding obtained regarding each of the aspects of the entity and its environment
and of each of the internal control components; the sources of information from which the understanding
was obtained; and the risk assessment procedures performed;
c. The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level; and
d. The risks identified, and related controls about which the auditor has obtained an understanding.

CONSIDERATION OF CLIENT’S INTERNAL CONTROL SYSTEM

PART 1 – OBTAINING UNDERSTANDING OF IC

 Nature and Extent of the Understanding of Relevant Controls (Evaluating the design of control and whether
control is implemented)
✓ Evaluating the design of a control involves considering whether the control, individually or in combination with
other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.
✓ Implementation of a control means that the control exists and that the entity is using it.
✓ There is little point in assessing the implementation of a control that is not effective, and so the design of a
control is considered first. An improperly designed control may represent a significant deficiency in internal
control.
 Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls
may include:
✓ Inquiring of entity personnel.
✓ Observing the application of specific controls.
✓ Inspecting documents and reports.
✓ Tracing transactions through the information system relevant to financial reporting.

Note: Inquiry alone is not sufficient for such purposes. Obtaining an understanding of an entity’s controls is not
sufficient to test their operating effectiveness, unless there is some automation that provides for the consistent
operation of the controls.

PART 2 – TESTS OF CONTROLS

________________________________________________________________________________________________
PLANNING

Audit Process Model:

PHASE I: Client Acceptance
PHASE II: Planning the Audit
PHASE III: Testing and Evidence
PHASE IV: Evaluation and Reporting

PHASE II: PLANNING THE AUDIT

Objective Determine the amount and type of evidence and review required to give the auditor reasonable
assurance that there is no material misstatement of the financial statements (that is to reduce audit risk
to an acceptably low level).
Procedures 1. Perform audit procedures to understand the entity and its environment, including internal control.
2. Assess the risks of material misstatements of the financial statements.
3. Determine materiality.
6
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
4. Prepare the planning memorandum an audit and audit program containing the auditor’s response to
identified risks

PHASE III: TESTING and EVIDENCE GATHERING

Perform further audit procedures 1. Test of controls
2. Substantive testing
a. Analytical procedures
b. Test of details

INTERNAL CONTROL

FOCUS NOTES:

Auditors Consider Internal Control in Performing Audit:

• The auditor should obtain an understanding of internal control relevant to the audit.
• The auditor uses the understanding of internal control:
➢ to identify types of potential misstatements,
➢ consider factors that affect the risks of material misstatement, and
➢ design the nature, timing, and extent of further audit procedures.

Concepts of Internal Control:

• Internal control is the process designed and effected by those charged with governance, management, and other
personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
➢ reliability of financial reporting,
➢ effectiveness and efficiency of operations and
➢ compliance with applicable laws and regulations.
• The definition embodies 4 concepts:
✓ Internal controls is a process, not a single event
✓ Internal control is accomplished by people at every level in an organization
✓ Internal control is not an end in itself, but rather a means to achieve organizational goals
✓ Internal controls provide reasonable, not absolute, assurance
• Internal control consists of the following components:
a. The control environment.
b. The entity’s risk assessment process.
c. The information system, including the related business processes, relevant to financial reporting, and
communication.
d. Control activities.
e. Monitoring of controls.
• Control environment - Management’s and the board of director’s attitude, awareness, and actions toward internal
control concerning
➢ Integrity and ethical values
➢ Commitment and competence
➢ Board of directors or audit committee (participation of people charged with governance)
➢ Management’s philosophy and operating style
➢ Organizations structure
➢ Assignment of authority and responsibility
➢ Human resource policies and practices
• Entity’s Risk assessment Process
➢ Every entity faces risks, both external (such as technological developments) and internal (such as employee
pilferage)
➢ Management’s task is to identify the risks that bear on their operations, financial reporting, and compliance
objectives and to take the action necessary to manage them
• The information system, including the related business processes, relevant to financial reporting, and
communication.
➢ An information system consists of infrastructure (physical and hardware components), software, people,
procedures, and data.
7
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
➢ The information system relevant to financial reporting objectives, which includes the financial reporting system,
consists of the procedures and records established to initiate, record, process, and report entity transactions (as
well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity.
➢ Accordingly, an information system encompasses methods and records that:
✓ Identify and record all valid transactions.
✓ Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions
for financial reporting.
✓ Measure the value of transactions in a manner that permits recording their proper monetary value in the
financial statements.
✓ Determine the time period in which transactions occurred to permit recording of transactions in the proper
accounting period.
✓ Present properly the transactions and related disclosures in the financial statements.
➢ Communication involves providing an understanding of individual roles and responsibilities pertaining to internal
control over financial reporting.
➢ Communication takes such forms as policy manuals, accounting and financial reporting manuals, and
memoranda. Communication also can be made electronically, orally, and through the actions of management.
• Control activities
- the policies and procedures that help ensure that management directives are carried out, for example, that
necessary actions are taken to address risks that threaten the achievement of the entity’s objectives.
- Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that
pertain to the following:
✓ Performance reviews.
✓ Information processing.
✓ Physical controls.
✓ Segregation of duties.
• Monitoring of controls
- a process to assess the quality of internal control performance over time.
- it involves assessing the design and operation of controls on a timely basis and taking necessary corrective
actions.
- Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and
accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them.
- Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a
combination of the two.

ASSESSMENT OF CONTROL RISK

• The reason for the auditor's assessment of control risk

A. PSA 315 requires auditor to obtain understanding of internal control.

B. PSA 315 requires auditor to assessed the risk of material misstatement (both at the overall FS level and
at assertion level)
C. Inherent risk and control risk are components of the risk of material misstatement at the assertion level.
D. Control risk is a component of overall audit risk needed to calculate detection risk

• The auditor's approach to assessing control risk

✓ Identify risks throughout the process of obtaining an understanding of the entity and its environment, including
relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and
disclosures in the financial statements;
✓ Relate the identified risks to what can go wrong at the assertion level;
✓ Consider whether the risks are of a magnitude that could result in a material misstatement of the financial
statements; and
✓ Consider the likelihood that the risks could result in a material misstatement of the financial statements.

• Document understanding
✓ Internal control memorandum
- Advantage-rigor of analysis
- Disadvantage-difficult for reviewer to follow
✓ Internal control questionnaire and/or checklist
8
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
- Advantage-easy to complete and covers all points
- Disadvantage-tendency toward cursory review given ease of completion.
✓ Internal control flowchart
- Advantage-easy to review given graphic representation; strengths and weaknesses highlighted
- Disadvantage-lacks detail
✓ Combination of the above forms of documentation is preferred by most auditors

COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE

• The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and
assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control
in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an
opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during
this risk assessment process but also at any other stage of the audit. PSA 265 requires the auditor to communicate
appropriately to those charged with governance and management deficiencies in internal control that the auditor has
identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their
respective attentions (significant deficiency in internal control).

QUIZZER:
1. Which of the following is NOT a required understanding by the auditor in an audit of financial statements?
a. Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework.
b. Nature of the entity, its operations, ownership and governance structures, the types of investments that the entity
is making and plans to make, including investments in special-purpose entities and the way that the entity is
structured and how it is financed.
c. Entity’s selection and application of accounting policies, including reasons for changes thereto.
d. Objectives and strategies and the related business risks that may result in a material misstatement of the financial
statements.
e. Measurement and review of the entity’s financial performance.
f. All controls pertaining to financial reporting.

2. Which of the following is the reason why auditors obtain understanding of the nature of the entity’s operations,
ownership and governance structures, the types of investments that the entity is making and plans to make, including
investments in special-purpose entities and the way that the entity is structured and how it is financed?

a. To provide a basis for designing and performing further audit procedures.

b. To enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected
in the financial statements.
c. To determine the performance materiality to be used in developing audit plan.
d. To determine the control activities that should be implemented by the entity.

3. What is the correct order of the following audit activities?

a. Obtain understanding of the entity and its environment including its internal control.
b. Perform procedures regarding the continuance of the client relationship and the specific audit
engagement.
c. Design and perform further audit procedures.
d. Identify and assess the risks of material misstatement of the financial statement
a. ABCD
b. BADC
c. DCBA
d. CBAD

4. The procedures used by the auditor to obtain understanding of the entity and its environment including its internal
control are called:

a. tests of controls
b. substantive procedures
c. analytical procedures
d. risks assessment procedures

9
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB

5. All of the following procedures are risk assessment procedures except one. Which is it?

a. inquiries
b. observation and inspection
c. analytical procedures
d. test of details of transaction

6. Understanding of the client’s internal control is used by the auditor to:

a. Identify the types of potential misstatement that could occur.

b. Consider factors that affect the risk of material misstatement.
c. Design the nature, timing and extent of audit procedures.
d. All of the above.

7. It sets the tone of an organization influencing the control consciousness of its people. It is the foundation for
effective internal control.

a. control activities
b. control environment
c. accounting system
d. internal control

8. It refers to the overall attitude, awareness and actions of directors and management regarding the internal control
and its importance in the entity.

a. control activities
b. control environment
c. accounting system
d. internal control

9. The entity’s process for identifying business risks relevant to financial reporting objectives and deciding about
actions to address those risks and the results thereof.

a. risk assessment process

b. control environment
c. control activities
d. monitoring of controls

10. Consists of the procedures and records established to initiate, record, process and report entity transactions and to
maintain accountability for the related assets, liabilities and equity. It encompasses the accounting system. This
element of internal control is:

a. risk assessment process

b. control environment
c. information system
d. monitoring of controls

11. Policies and procedures that help ensure that management directives are carried out.

a. risk assessment process

b. control environment
c. control activities
d. monitoring of controls

12. The process to assess the effectiveness of internal control performance over time. It involves assessing the design
and operation of controls on a timely basis and taking necessary corrective actions modified for changes in
conditions.

10
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
a. risk assessment process
b. control environment
c. information system
d. monitoring of controls

13. After obtaining an understanding of the client’s accounting and internal control systems, the auditor makes a
preliminary assessment of control risk. If the auditor wants to reduce the preliminary assessment of control risk to
less than high, the auditor should:

a. perform tests of controls

b. substantiate the account balances
c. make attribute sampling
d. observe the segregation of duties

14. For an audit in accordance with PSA, which of the following is a required documentation?

a. Understanding of the client’s accounting and internal control system.

b. The assessment of control risk.
c. The basis for concluding that the control risk is less than high.
d. All of the above.

15. Tests of controls are performed to obtain evidence about the:

a. Effectiveness of the design and operation of the internal controls throughout the period.
b. Nature, timing and extent of audit procedures.
c. Appropriateness of the materiality level.
d. All of the above.

16. Evidence of the effectiveness of the design and operation of internal control is used by the auditor to:

a. Make preliminary assessment of control risk.

b. Support any assessment of control risk at less than high.
c. Determine the nature, timing and extent of substantive test.
d. Set the aggregate materiality level.

17. Identify the correct order of the following activities.

a. Perform tests of controls.
b. Obtain understanding of the internal control.
c. Make preliminary assessment of control risk.
a. abc
b. cba
c. bca
d. cab

18. Which of the following techniques could an auditor use to obtain evidence of the effectiveness of the design and
operation of internal control?

a. inquiry
b. observation
c. inspection
d. reperformance
e. all of the choices.

19. Which of the following is the correct order for performing the auditing procedures A through C below?

A = Tests of controls.
B = Preparation of a flowchart depicting the client's internal control structure.
C = Substantive tests.
a. ABC.
11
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
b. BAC.
c. ACB.
d. BCA.

20. A secondary purpose of the auditor's consideration of internal control is to provide

a. A basis for constructive suggestions about improvements in internal control structure.
b. A basis for assessing control risk.
c. An assurance that the records and documents have been maintained in accordance with existing company
policies and procedures.
d. A basis for the determination of the resultant extent of the tests to which auditing procedures are to be restricted.

21. The primary purpose of the auditor's consideration of internal control is to provide a basis for
a. Determining whether procedures and records that are concerned with the safeguarding of assets are reliable.
b. Constructive suggestions to clients concerning deficiencies in internal control.
c. Determining the nature, timing, and extent of audit tests to be applied.
d. The expression of an opinion.

22. In obtaining an understanding of an entity’s internal controls that are relevant to audit planning, an auditor is required
to obtain knowledge about the:
a. Design of relevant internal controls pertaining to financial reporting in each of the five internal control components.
b. Effectiveness of the internal controls that have been place in operation.
c. Consistency with which the internal controls are currently being applied.
d. Controls related to each principal transaction class and account balances.

23. The audit program usually cannot be finalized until the:

a. Consideration of the entity’s internal control has been completed.

b. Engagement letter has been signed by the auditor and the client.
c. Audit findings have been communicated to the audit committee of the board of directors.
d. Search for unrecorded liabilities has been performed and documented.

24. Which of the following elements is not a part of an entity's internal controls?
a. Control risk.
b. The accounting system.
c. Control activities.
d. The control environment.

25. Which of the following is not true concerning control activities?

a. Control procedures are another term for control activities.
b. Transaction authorization is a control activity.
c. Control activities generally fall into the two categories of preventive controls and detective controls.
d. Information and communication is an important component of control activities.

26. Auditors trace a transaction through the system

a. Via an audit trail.
b. When making inquiries of the internal auditor.
c. By making inquiries of the audit committee.
d. Near the close of the engagement.

27. Limiting access to assets and records might be accomplished by

a. Audit trails documenting who had authorization to access assets and records.
b. A control environment, which discourages access to assets and records.
c. Access codes for those parties with authorization to access assets and records.
d. Risk assessment of the parties with authorization to access assets and records.

28. When obtaining understanding of an entity’s control environment, an auditor should concentrate on the substance of
management’s policies and procedures rather than their form because:
a. The auditor may believe that the policies and procedures are inappropriate for that particular entity.
b. The board of directors may not be aware of management’s attitude toward the control environment.
12
UL INTEGRATED REVIEW & REFRESHER COURSE IN ACCOUNTANCY
AUDITING AUD 1.3/RDB
c. Management may establish appropriate policies and procedures but not act on them.
d. The policies and procedures may be so weak that no reliance is contemplated by the auditor.

29. The auditor is studying internal control policies and procedures within the sales, shipping, and billing subset of the
revenue cycle. Which of the following conditions suggests a need for additional testing of controls?
a. Internal control is found to be weak with regard to shipping and billing.
b. Internal control over sales, billing, and shipping appears strong, but 80% of the sales revenue is attributable to
three major customers.
c. Internal control over billing and shipping is thought to be strong and the auditor considers additional testing of
selected controls will result in a major reduction in substantive testing.
d. Internal control over the recording of sales is found to be weak and the sales are evenly divided among a large
number of customers.

30. The auditor’s understanding of internal control is documented in order to substantiate:

a. Conformity of the accounting records with GAAP.
b. Representation as to adherence to requirements of management.
c. Representation as to compliance with PSA.
d. The fairness of the financial statement presentation.

31. When considering internal control, an auditor must be aware of the concept of reasonable assurance which
recognizes that:
a. The employment of competent personnel provides assurance that the objectives of the internal control will be
achieved.
b. The establishment and maintenance of a system of internal control is an important responsibility of the
management and not of the auditor.
c. The cost of internal control should not exceed the benefits expected to be derived from internal control.
d. The segregation of incompatible functions is necessary to obtain assurance that the internal control is effective.

32. Flowcharting as a means of internal control evaluation provides the following advantage over the use of
questionnaires and descriptive narratives:
a. Ease of preparation. c. Simplicity.
b. Comprehensive coverage of controls. d. Ease in following information flow.

33. Which of the following statements is correct concerning the understanding of internal control needed by auditors?
a. The auditors must understand the information system, not the accounting system
b. The auditors must understand monitoring and all preliminary accounting controls
c. The auditors must have a sufficient understanding to assess the risks of material misstatement
d. The auditors must understand the control environment, risk assessment, and all control activities

34. The effectiveness of controls is not generally tested by:

a. Inspection of documents and reports
b. Performance of analytical procedures
c. Observation of the application of accounting policies and procedures
d. Inquiries of appropriate client personnel

35. On financial statement audits, it is required that the auditors obtain an understanding of internal control, including:
a. Its operating effectiveness
b. Whether it has been implemented (placed in operation)
c. Performing tests of controls for all material controls
d. Its ability to provide reasonable assurance

36. Which of the following is most likely to be considered a risk assessment procedure relating to internal control?
a. Confirm accounts receivable
b. Perform a test of a control relating to payroll
c. Take test counts of the year-end inventory
d. Trace a transaction through the information system relevant to financial reporting

37. Which statement is correct concerning the relevance of various types of controls to a financial statement audit?
a. An auditor may ordinarily ignore the consideration of controls when a substantive audit approach is used
13
AUD 1.3 Understanding the Entity and Its Environment, including Internal Control
b. Controls over the reliability of financial reporting are ordinarily most directly relevant to an audit, but other controls
may also be relevant
c. Controls over safeguarding assets and liabilities are of primary importance, while controls over the reliability of
financial reporting may also be relevant
d. All controls are ordinarily relevant to an audit

38. Which of the following is an advantage of describing internal control through the use of a standardized
questionnaire?
a. Questionnaires highlight weaknesses in the system
b. Questionnaires are more flexible than other methods of describing internal control
c. Questionnaires usually identify situations in which internal control weaknesses are compensated for by other
strengths in the system
d. Questionnaires provide a clearer and more specific portrayal of a client's system than other methods of describing
internal control

39. Which of the following is not a factor that is considered a part of the client's overall control environment?
a. The organizational structure
b. The information system
c. Management philosophy and operating style
d. Board of directors

40. After documenting the client's prescribed internal control, the auditors will often perform a walk-through of each
transaction cycle. An objective of a walk-through is to:
a. Verify that the controls have been implemented (placed in operation)
b. Replace tests of controls
c. Evaluate the major strengths and weaknesses in the client's internal control
d. Identify weaknesses to be communicated to management in the management letter

14