Auditing Theory

VIII. CONSIDERATION OF INTERNAL CONTROL and PERFORMANCE OF TEST OF CONTROLS

Coverage: PSA 250: Consideration of Laws and Regulations in an Audit of Financial Statements
PSA 265: Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management
PSA 315: Identifying and Assessing the Risks of Material Misstatement through Understanding the
Entity
and Its Environment
PSA 330: The Auditor's Responses to Assessed Risks
PSA 520: Analytical Procedures
PSA 402: Audit Considerations Relating to an Entity Using a Service Organization

Direction: Read and answer the following questions.

___1. Which of the following refers to the proper definition of audit risk?
a. The risk that the auditor expresses an inappropriate audit opinion when the financial statements are
materially misstated.
b. The risk that the auditor expresses an inappropriate audit opinion when the financial statements are
fairly stated.
c. Either A or B.
d. Neither A nor B.

___2. In accordance with PSA, audit risk is a function of the

a. Risks of material misstatements consisting of combined assessed level of inherent and control risk
b. Detection risk
c. Both A and B
d. Neither A nor B

___3. What are the components of audit risk?

a. Inherent risk
b. Control risk
c. Detection risk
d. All of the above

___4. It refers to the susceptibility of an account balance or class of transactions to a material misstatement
assuming there were no related controls. This type of risk may only be assessed by the auditor but cannot be
controlled. It is a function of the nature of the account.
a. Inherent risk
b. Control risk
c. Detection risk
d. Audit risk

___5. The following are factors which affect inherent risk, except
a. The complexity underlying transactions and other events and complexity of calculations related to
account
b. Susceptibility of the account to theft or misappropriation.
c. Aggressive management attitude toward financial reporting and inadequate profitability of the entity
related to its industry.
d. The computation of an account involves accounting estimate and judgment
e. Internal control over billing, shipping and recording of sales and purchases is weak and inadequate.

___6. It refers to the risk that a material misstatement that could occur in an account balance or class of
transactions will not be prevented or detected and corrected on a timely basis by the accounting and internal
control systems. This type of risk is a function of the client’s internal control and may only be assessed by the
auditor but cannot be controlled.
a. Inherent risk
b. Control risk
c. Detection risk
d. Audit risk

___7. It refers to the process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
a. Internal control
b. System of quality control
c. Professional safeguards
d. Guidance

Auditing Theory
Page 1 of 14
___8. The following statements concerning the concept of internal control are correct, except
a. Internal control is accomplished by people at every level of organization, including the management,
those charged with governance and entity’s staff personnel.
b. Internal control can only provide reasonable assurance that the entity’s objectives will be achieved as
there are inherent limitations that may affect the internal control’s effectiveness.
c. In the audit of financial statements, the auditor is only concerned with those policies and procedures
within the accounting and internal control systems that are relevant to the financial statement assertions
as the financial reporting objective.
d. It is the responsibility of the external auditors to establish and maintain an entity’s accounting and
internal control systems.

___9. What is the objective of a financial statement auditor in understanding and considering the company’s
internal control?
a. To design audit procedures that are appropriate in the circumstances.
b. For the purpose of expressing an opinion on the effectiveness of internal control.
c. To eliminate the risk of issuing inappropriate opinion when in fact the financial statements are materially
misstated.
d. To properly plan the audit in order to eliminate substantive test.

___10. In the consideration of the client’s internal control during risk assessment procedures, the auditor
should obtain sufficient understanding of the components of the entity’s internal control relevant to the audit.
Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate
to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a
control, individually or in combination with others, is relevant to the audit. Such understanding of internal
control involves the following, except
a. Evaluating the design of the control by considering whether the control, individually or in combination
with other controls, is capable of effectively preventing, or detecting and correcting, material
misstatements.
b. Determining whether or not the internal control really exists.
c. Obtaining information or knowledge about the operating effectiveness and efficiency of the internal
control.
d. Determining whether or not the internal control has been actually applied and implemented.

___11. Although internal control policies and procedures vary significantly from one entity to another, there are
five essential components of internal control that must be established to provide reasonable assurance that the
entity’s objectives will be achieved. These five interrelated components of the entity’s internal control are the
following, (CRIME) except
a. Control activities
b. Entity’s Risk assessment process
c. The Information system, including the related business processes, relevant to financial reporting, and
communication
d. Monitoring of Controls
e. Control Environment
f. Human resources

___12. This element of internal control is the most important because it involves the setting of culture of
honesty and ethical behavior by management and those charged with governance.
a. Control environment
b. Entity’s Risk assessment process
c. Monitoring of Controls
d. Control activities
e. The information system, including the related business processes, relevant to financial reporting, and
communication

___13. It refers to the element of internal control which involves the process set by the client’s management for
(a) Identifying business risks relevant to financial reporting objectives; (b) Estimating the significance of the
risks; (c) Assessing the likelihood of their occurrence; and (d) Deciding about actions to address those risks.
a. Control environment
b. Entity’s Risk assessment process
c. Monitoring of Controls
d. Control activities
e. The information system, including the related business processes, relevant to financial reporting, and
communication

Auditing Theory
Page 2 of 14
___14. In understanding the internal control component of the information system, including the related
business processes, relevant to financial reporting, and communication, the auditor shall obtain understanding
of the following, except
a. Controls surrounding journal entries, including non-standard journal entries used to record non-
recurring, unusual transactions or adjustments.
b. How the information system captures events and conditions, other than transactions, that are significant
to the financial statements.
c. The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements.
d. Sources of the information used in the entity’s monitoring activities, and the basis upon which
management considers the information to be sufficiently reliable for the purpose.

___15. Which of the following statements concerning understanding the internal control component of control
activities is correct?
a. In understanding the entity’s control activities, the auditor shall obtain an understanding of how the
entity has responded to risks arising from information technology.
b. An audit of financial statements requires an understanding of all the control activities related to each
significant class of transactions, account balance, and disclosure in the financial statements or to every
assertion relevant to them.
c. Both A and B.
d. Neither A nor B.

___16. Which of the following statements concerning the responsibility of the auditor for the consideration of
the company’s internal control pertains to the internal control element of control environment?
a. The auditor shall understand the strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control, and whether those other
components are not undermined by control environment weaknesses.
b. The auditor shall obtain an understanding of why the company’s risk assessment process fails to
identify risk of material misstatement, and evaluate whether the process is appropriate to its
circumstances or if there is a material weakness in the entity’s risk assessment process.
c. The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the classes of transactions in the entity’s operations
that are significant to the financial statements and the financial reporting process used to prepare the
entity’s financial statements, including significant accounting estimates and disclosures.
d. The auditor shall obtain an understanding of control activities relevant to the audit, being those the
auditor judges it necessary to understand in order to assess the risks of material misstatement at the
assertion level and design further audit procedures responsive to assessed risks.
e. The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting, including those related to those control activities relevant to the audit,
and how the entity initiates corrective actions to its controls.

___17. Internal control can only provide reasonable assurance that the entity’s objectives will be achieved as
there are inherent limitations that may affect the internal control’s effectiveness. The following are the inherent
limitations of an internal control, except
a. The potential human errors due to carelessness, distraction, mistakes of judgments and the
misunderstanding of instructions.
b. The possibility of circumvention of internal controls through collusion among employees or through
management override of internal control.
c. The possibility that procedures may become inadequate due to changes in conditions, and compliance
with procedures may deteriorate.
d. Management’s usual requirement that cost of an internal control should exceed the expected benefits
to be derived.

___18. What is the objective of the financial statement auditor under PSA 265: Communicating Deficiencies in
Internal Control to Those Charged with Governance and Management?
a. The objective of the auditor is to communicate appropriately to those charged with governance and
management deficiencies in internal control that the auditor has identified during the audit and that, in
the auditor’s professional judgment, are of sufficient importance to merit their respective attentions.
b. The objective of the auditor is to provide a reasonable assurance on the effectiveness of the company’s
internal control.
c. The objective of the auditor is to audit the company’s internal control.
d. The objective of the auditor is to inform the auditor of any problem in the internal control.

Auditing Theory
Page 3 of 14
___19. When does deficiency in internal control exist?
a. When a control is designed, implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the financial statements on a timely basis.
b. When a control necessary to prevent, or detect and correct, misstatements in the financial statements
on a timely basis is missing.
c. Either A or B.
d. Neither A nor B.

___20. It refers to a deficiency or combination of deficiencies in internal control that, in the auditor’s
professional judgment, is of sufficient importance to merit the attention of those charged with governance.
a. Significant deficiency in internal control
b. Material deficiency in internal control
c. Important deficiency in internal control
d. Relevant deficiency in internal control

___21. The following statements concerning the responsibility of a financial statement audit regarding
deficiencies in client’s internal control are correct, except
a. The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified
one or more deficiencies in internal control.
b. If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on
the basis of the audit work performed, whether, individually or in combination, they constitute significant
deficiencies.
c. The auditor shall communicate in writing significant deficiencies in internal control identified during the
audit to those charged with governance on a timely basis.
d. The auditor shall also communicate to management at an appropriate level of responsibility on a timely
basis In writing other deficiencies in internal control identified during the audit that have not been
communicated to management by other parties and that, in the auditor’s professional judgment, are of
sufficient importance to merit management’s attention.
e. The auditor shall also communicate to management at an appropriate level of responsibility on a timely
basis In writing, significant deficiencies in internal control that the auditor has communicated or intends
to communicate to those charged with governance even it would be inappropriate to communicate it
directly to management because they are involved.

___22. What shall be included by the financial statement auditor in the written communication of significant
deficiencies in internal control?
a. A description of the deficiencies and an explanation of their potential effects.
b. Sufficient information to enable those charged with governance and management to understand the
context of the communication.
c. Both A and B.
d. Neither A nor B.

___23. The written communications of significant deficiency shall particularly explain

a. The purpose of the audit was for the auditor to express an opinion on the financial statements.
b. The audit included consideration of internal control relevant to the preparation of the financial
statements in order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of internal control.
c. The matters being reported are limited to those deficiencies that the auditor has identified during the
audit and that the auditor has concluded are of sufficient importance to merit being reported to those
charged with governance.
d. All of the above.

___24. It refers to the risk that an auditor’s substantive procedure will not detect a material misstatement. It is
subject to the control of a financial statement auditor through the design of substantive tests.
a. Inherent risk
b. Control risk
c. Detection risk
d. Audit risk

___25. Under PSA 320: The Auditor's Responses to Assessed Risks, what is the objective of an auditor?
a. The objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed risks
of material misstatement, through designing and implementing appropriate responses to those risks.
b. The objective of the auditor is to eliminate audit risk through properly designing and implementing
appropriate responses to those risks.
c. The objective of the auditor is to design test of control to eliminate the performance of substantive tests.

Auditing Theory
Page 4 of 14
 d. The objective of the auditor is to provide absolute assurance that the substantive test will detect all
material misstatements.

___26. It refers to an audit procedure designed to detect material misstatements at the assertion level and
comprises of (i) Tests of details (of classes of transactions, account balances, and disclosures), and (ii)
Substantive analytical procedures. This procedure is mandatory in every audit and cannot be eliminated but
may only be reduced based on the assessed level of risk.
a. Substantive tests or procedures
b. Tests of controls
c. Risk assessment procedures
d. Overall review

___27. It refers to an audit procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level. This procedure is
optional in audit and may be performed only based on the professional judgment of auditor.
a. Substantive tests or procedures
b. Tests of controls
c. Risk assessment procedures
d. Overall review

___28. Which of the following statements concerning the auditor’s response to the assessed risk of material
misstatements is correct?
a. The auditor shall design and implement overall responses to address the assessed risks of material
misstatement at the financial statement level.
b. The auditor shall design and perform further audit procedures whose nature, timing, and extent are
based on and are responsive to the assessed risks of material misstatement at the assertion level.
c. Both A and B.
d. Neither A nor B.

___29. If based on the results of risk assessment procedures, the auditor determines (1) that the account is
inherently risky because it involves complex computation and estimate and (2) that the design of related and
relevant control applicable to the account is poor and also not being implemented, the auditor’s responses to
the assessed risk shall include the following, except
a. The auditor shall set the inherent risk and control risk at high level while the detection risk shall be set
at a low level.
b. The auditor shall design more effective substantive test such as test of details.
c. The auditor shall set the timing of substantive test of details at year-end.
d. The auditor shall select larger sample size for its substantive procedures.
e. The auditor shall perform test of control to determine the effectiveness of internal control.

___30. If based on the results of risk assessment procedures, the auditor determines (1) that the account is not
inherently risky because it involves simple computation and (2) that the design of related and relevant control
applicable to the account is outstanding and also existing and being implemented, the auditor’s responses to
the assessed risk shall include the following, except
a. The auditor shall set the inherent risk and control risk at low level while the detection risk shall be set at
a high level.
b. The auditor shall design less effective substantive test such as analytical procedures.
c. The auditor shall set the timing of substantive test at interim.
d. The auditor shall select smaller sample size for its substantive procedures.
e. The auditor shall perform test of control to determine the effectiveness of internal control for the
purpose of supporting the assessed level of control risk.
f. The auditor may decide to eliminate substantive test if the test of control is really effective.

___31. The following are the instances when an auditor can optionally perform tests of control, except
a. When the controls are likely to detect or prevent material misstatements on the financial statements.
b. When the auditor is planning to rely upon the effectiveness of the controls.
c. When the auditor’s knowledge of the entity’s internal control indicates that internal controls related to a
particular assertions are not effective based on its poor design or due to non-operation.
d. When the auditor’s preliminary assessment of control risk from its understanding of internal control is at
less than high level.

Auditing Theory
Page 5 of 14
___32. The following are mandatory procedures to be performed by an auditor in a financial statement audit in
accordance with PSAs, except
a. The auditor should obtain audit evidence through tests of control to support any assessment of control
risk at high level.
b. After obtaining sufficient knowledge about the design of internal control and its implementation and
operation, the auditor is required to document his understanding of accounting and internal control
systems in any form depending on the size and complexity and nature of the entity’s internal control.
c. After obtaining and documenting the auditor’s understanding of the accounting and internal control
systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for
each material account balance or class transactions.
d. If the control risk is assessed at less than high level, the auditor should document his conclusion that
control risk is less than high and the basis for that assessment.

QUIZZER

___1. Which of the following statements concerning audit risk is incorrect?

a. As the desired level of audit risk decreases, the auditor should design more effective substantive
procedures.
b. Audit risk is the combination of inherent risk, control risk and detection risk.
c. The auditor can totally eliminate audit risk through proper audit planning and designing effective audit
procedures.
d. The auditor should perform audit procedures in order to limit his or her exposure to an acceptable low
level of audit risk.

___2. Upon touring the client’s facility, the auditor determines that the internal control over the shipping and
billing department is weak. Which of the following is incorrect?
a. a. The auditor shall perform the substantive test at year-end.
b. b. The auditor shall use more effective substantive audit procedures.
c. c. The auditor shall set detection risk at a very low level.
d. d. The auditor shall use a very small sample size.

___3. Which of the following statements is incorrect?

a. As the combined assessed level of both inherent and control risks increases, the acceptable level of
detection risk decreases.
b. As the acceptable level of detection risk decreases, the assurance directly provided from substantive
tests increases.
c. As the assessed level of inherent risk decreases, the auditor should design more effective substantive
procedures.
d. As the assessed level of control risk increases, the auditor should perform the audit procedures at year-
end.

___4. Upon risk assessment the auditor determines that the level of combined inherent and control risks is at
low level, which of the following is proper?
a. The acceptable level of detection risk should be decreased by the auditor.
b. The auditor could use less effective substantive procedures such as analytical procedures.
c. The auditor should perform the substantive procedures at year-end.
d. The auditor should set a larger sample size for its audit procedures.

___5. Which of the following statements is accurate?

a. Of the three audit risk components, only the inherent risk is subject to the control by the auditor through
substantive test.
b. Detection risk is a function of client’s management and its environment.
c. Control risk is a function of the susceptibility of an account balance of class of transactions to be
materially misstated.
d. There is an inverse relationship between materiality and the level of risk of material misstatement.

___6. Which of the following statements is correct?

a. Detection risk is a function of the efficiency of an auditing procedure.
b. Cash is more susceptible to theft than an inventory of coal because it has a greater inherent risk.
c. The risk that material misstatements will not be prevented or detected on a timely basis by internal
control can be reduced to zero by effective controls.
d. The existing levels of inherent risk, control risk and detection risk can be changed at the discretion of
the auditor.

Auditing Theory
Page 6 of 14
___7. Which of the following statements concerning audit risk and its components is incorrect?
a. Regardless of the assessed levels of inherent and control risks, the auditor should always perform
some substantive procedures for material account balances and classes of transactions.
b. The higher the assessment of inherent and control risks, the more evidence the auditor should obtain
from the performance of substantive procedures.
c. The assessed level of inherent risk need not be considered in determining the nature, timing, and
extent of substantive procedures required to reduce audit risk to an acceptably low level.
d. After obtaining an understanding of the accounting and internal control systems, the auditor should
make a preliminary assessment of control risk, at the assertion level, for each material account balance
or class of transactions.

___8. Which of the following statements is false?

a. a. There is an inverse relationship between detection risk and the combined level of inherent and
control risks.
b. b. When inherent and control risks are high, the acceptable level of detection risk needs to be low to
reduce audit risk to an acceptably low level.
c. c. When inherent and control risks are low, an auditor can accept a higher detection risk and still reduce
audit risk to an acceptably low level.
d. d. The assessed level of inherent and control risks can be sufficiently low to eliminate the need for the
auditor to perform any substantive procedures.

___9. The auditor uses the understanding of internal control for the following purposes, except
a. To identify the types of potential misstatements that can occur.
b. To fully rely on tests of control for the purpose of eliminating substantive tests.
c. To consider factors that affect the risk of material misstatements.
d. To design the nature, timing, and extent of audit procedures to be performed

___10. An initial understanding of the design of the entity’s internal control systems is ordinarily obtained
through the following, except
a. Making inquiries or interviews with the appropriate individuals.
b. Inspecting documents, flowcharts, structure and records.
c. Observing of entity’s activities and operations.
d. Tracing proper authorization of transactions from the applicable source documents.

___11. Control activities are the policies and procedures that held ensure the management directives are
carried out. Specific control procedures that are relevant to financial statement audit would include the
following, except
a. Performance reviews
b. Monitoring
c. Information processing
d. Physical controls
e. Segregation of duties

___12. The following are tests of control procedures of auditor, except

a. The auditor observes the payroll payoff procedures or the performance of internal control procedures
that leave no evidence of performance.
b. The auditor reperforms the procedure by tracing the sales prices to the authorized price list in effect at
the date of the transaction.
c. The auditor compares the actual revenues and expenses with the corresponding figures of the previous
year and investigates significant differences.
d. The auditor inquires with client’s management and personnel regarding the observance of segregation
or duties.

___13. The following are the responsibilities of the external audit as regards to internal control weakness of
client, except
a. The auditor is required to report to the appropriate level of management material weaknesses in the
design or operation of the accounting and internal control systems, which may have come to the
auditor’s attention.
b. The communication of internal control weaknesses can be in writing or orally but should be done at the
earliest opportunity so that appropriate corrective actions may be taken as soon as possible.
c. Internal control weaknesses together with other matters of concern should be documented in a formal
management letter.

Auditing Theory
Page 7 of 14
 d. The auditor is required to search and/or identify internal control weaknesses.

___14. The following are the purposes of the results of tests of control, except
a. Based on the results of the tests of control, the auditor can eliminate substantive tests if it can be
shown that the internal controls are effective and operating as designed.
b. The results of the tests of control are used for assessing the level of control risk which determines the
acceptable level of detection risk.
c. The results of the tests of controls affect the nature, timing and extent of substantive tests to be
performed by the auditor.
d. The results of the tests of controls provide information about the effectiveness of controls through
obtaining evidence about how controls were applied at relevant times during the period under audit, the
consistency with which they were applied, and by whom or by what means they were applied.

___15. This component of internal control involves assessing the design and operation of controls on a timely
basis and taking necessary corrective actions. It is a process of assessing the quality of internal control
performance over time to ensure that controls continue to operate effectively.
a. Monitoring
b. Control activities
c. Control environment
d. Risk assessment

___16. When the auditor’s knowledge of the entity’s internal control indicates that internal controls related to a
particular assertion are not effective or not implemented, which is proper?
a. The auditor may set or assess the control risk at a low level and detection risk at a high level.
b. The auditor may perform less effective audit procedures at interim date using smaller sample size.
c. The auditor shall perform test of control of that specific procedure to confirm it is not really effective.
d. The auditor will rely primarily on substantive tests.

___17. After obtaining sufficient knowledge about the design of the system, the auditor should determine
whether these controls have been implemented through a task which involves tracing one or more transactions
through the entire accounting systems, from their initial recording at source to their financial destination as a
component of an account balance in the financial statements. This procedure is called as
a. Test of control
b. Analytical procedures
c. Test of details
d. Walk-through test

___18. Which of the following statements concerning assessment of control risk is incorrect?
a. If the auditor believes that the controls appear to be reliable, the auditor should determine whether it is
efficient to obtain evidence to justify an assessment of control risk at a lower level.
b. If the auditor concludes that it is more efficient to rely on an entity’s internal control systems, the auditor
would plan to assess control risk at less than high level and he should identify specific controls that are
likely to prevent or detect and correct material misstatement relevant to financial statement assertion
and perform tests of control to determine their effectiveness.
c. If the control risk is assessed at a high level, the auditor should document his conclusion that control
risk is at a high level.
d. If the control risk is assessed at less than high level, the auditor should document his conclusion that
control risk is less than high and the basis for that assessment without performing test of controls.

___19. The following statements concerning the components of internal control are correct, except
a. Management should adopt policies and procedures that are designed to identify and analyze the risks
affecting the entity’s business and to take appropriate action to manage these risks and for audit
purposes, the audit is concerned only with those risks that are relevant to the preparation of reliable
financial statements.
b. Effective internal control must provide time information and communication and the information system
relevant to financial reporting objectives, which includes the financial reporting system, consists of the
procedures and records established to initiate, record, process, and report entity transactions and to
maintain accountability for the related assets, liabilities and equity.
c. Monitoring of controls is accomplished through (1) on-going monitoring activities which are build into
the normal recurring activities of an entity and include regular management and supervisory activities
such as preparation of monthly bank reconciliation; and (2) separate evaluations which are monitoring
activities that are performed on a non-routine basis, such as functions performed by internal auditors.

Auditing Theory
Page 8 of 14
 d. Control activities provides absolute assurance that management directives are carried out through the
implementation of specific control procedures such as performance reviews, information processing,
physical controls and segregation of duties.

___20. Which of the following internal control policies and procedures would be the most concern of the
external auditor?
a. Those affecting efficiency of management’s decision-making process.
b. Those ensuring that appropriate prices are charged for its products.
c. Those pertaining to methods of assigning production tasks to employees.
d. Those concerning entity’s ability to process and summarize financial data.

___21. Which of the following statements concerning internal control is correct?

a. The cost-benefit consideration is a primary criterion that should be considered in designing internal
control.
b. Properly maintained internal control reasonably ensures that collusion among employees cannot occur.
c. The establishment and maintenance of internal control are important responsibility of the internal
auditor.
d. Exceptionally strong internal control is enough for the auditor to eliminate substantive tests on a
significant account balance.

___22. When obtaining an understanding of an entity’s control environment, an auditor should concentrate on
the substance of management’s policies and procedures rather than their form because
a. The auditor may believe that the policies and procedures are inappropriate for that particular entity.
b. The board of directors may not be aware of management’s attitude toward the control environment.
c. Management may establish appropriate policies and procedures but not act on them.
d. The policies and procedures may be so ineffective that the auditor may assess control risk at a high
level.

___23. After obtaining an understanding of the internal control structure and assessing control risk, an auditor
decided to perform tests of controls. The auditor most likely decided that
a. It would be efficient to perform tests of controls that would result in a reduction in planned substantive
tests.
b. Additional evidence to support further reduction in control risk is not available.
c. An increase in the assessed level of control risk is justified for certain financial statement assertions.
d. There were many internal control weaknesses that could allow errors to enter the accounting system.

___24. The following are effective internal control procedures, except

a. An individual recording a transaction should not compare the accounting record of the asset with the
asset itself.
b. There must be separation of the functional responsibilities of custodianship, record keeping, operations
and authorization.
c. Access to computer facilities and records is limited to authorized personnel.
d. The internal auditor should be answerable and be reporting to the company president.

___25. Management philosophy and operating style most likely would have a significant influence on an
entity’s control environment when
a. The internal auditor reports directly to management.
b. Management is dominated by one individual.
c. Accurate management job descriptions delineate specific duties.
d. The audit committee actively oversees the financial reporting process.

___26. Which of the following procedures most likely would provide an auditor with evidence about whether an
entity’s internal control activities are suitably designed to prevent or detect material misstatements?
a. Reperforming the activities for a sample of transactions.
b. Performing analytical procedures using data aggregated at a high level.
c. Vouching a sample of transactions directly related to the activities.
d. Observing the entity’s personnel applying the activities.

___27. Which statement is correct concerning the relevance of various types of controls to a financial audit?
a. An auditor may ordinarily ignore a consideration of controls when a substantive audit approach is taken.
b. Controls over the reliability of financial reporting are ordinarily most directly relevant to an audit, but
other controls may also be relevant.

Auditing Theory
Page 9 of 14
 c. Controls over safeguarding of assets and liabilities are of primary importance, while controls over
reliability of financial reporting may also be relevant.
d. All controls are ordinarily relevant to an audit.

__28. In obtaining an understanding of an entity’s internal control relevant to audit planning, an auditor is
required to obtain knowledge about the
a. Design of the controls pertaining to internal control components.
b. Effectiveness of controls that have been implemented.
c. Consistency with which controls are currently being applied.
d. Controls related to each principal transactions class and account balance.
___29. An auditor should obtain sufficient knowledge of an entity’s information system to understand the
a. Safeguards used to limit access to computer facilities.
b. Process used to prepare significant accounting estimates.
c. Controls used to assure proper authorization of transactions.
d. Controls used to detect concealment of fraud.

___30. During the consideration of internal control in a financial statement audit, the auditor is not obligated to
a. Search for significant deficiencies in the operation of the internal control.
b. Understand the internal control and the information system.
c. Determine whether the control activities relevant to audit planning have been implemented.
d. Perform procedures to understand the design of internal control.

___31. A primary objective of procedures performed to obtain an understanding of internal control is to provide
an audit with
a. Knowledge necessary to assess the risks of material misstatements.
b. Evidence to use in assessing inherent risk.
c. A basis for modifying tests of controls.
d. An evaluation of the consistency of application of management’s policies.

___32. Which of the following statements regarding auditor documentation of the client’s internal control is
correct?
a. Documentation must include flowcharts.
b. Documentation must include procedural write-ups.
c. No documentation is necessary although it is desirable.
d. No one particular form of documentation is necessary, and the extent of documentation may vary.

___33. After assessing control risk, an auditor desires to seek a further reduction in the assessed level of
control risk. At this time, the auditor would consider whether
a. It would be efficient to obtain an understanding of the entity’s information system.
b. The entity’s controls have been implemented.
c. The entity’s controls pertain to any financial statement assertion.
d. Additional audit evidence sufficient to support further reduction is likely to be available.

___34. Assessing control risk at a low level most likely would involve
a. Performing more extensive substantive tests with larger sample sizes than originally planned.
b. Reducing inherent risk for most of the assertions relevant to significant account balances.
c. Changing the time of substantive tests by omitting interim-date testing and performing the tests at year-
end.
d. Identifying specific controls relevant to specific assertions.

___35 .An auditor assesses control risk because it

a. Is relevant to the auditor’s understanding of the control environment.
b. Provides assurance that the auditor’s materiality levels are appropriate.
c. Indicates to the auditor where inherent risk may be the greatest.
d. Affects the level of detection risk that the auditor may accept.

___36. When an auditor increases the assessed level of control risk because certain control activities were
determined to be ineffective, the auditor would most likely increase the
a. Extent of tests of controls.
b. Level of detection risk.
a. Extent of tests of details.
a. Level of inherent risk.

___37. An auditor uses the knowledge provided by the understanding of internal control and the assessed level
of the risk of material misstatement primarily to
a. Determine whether procedures and records concerning the safeguarding of assets are reliable.

Auditing Theory
Page 10 of 14
 b. Ascertain whether the opportunities to allow any person to both perpetrate and conceal fraud are
minimized.
c. Modify the initial assessments of inherent risk and preliminary judgments about materiality levels.
d. Determine the nature, timing and extent of substantive tests for financial statement assertions.

___38. An auditor may compensate for a weakness of internal control by increasing the
a. Level of detection risk.
b. Extent of tests of controls.
c. Preliminary judgment about audit risk.
d. Extent of analytical procedures.

___39. Which of the following statements is correct concerning an auditor’s assessment of control risk?
a. Assessing control risk may be performed concurrently during an audit with obtaining an understanding
of the entity’s internal control.
b. Evidence about the operation of internal control in prior audits may not be considered during the current
year’s assessment of control risk.
c. The basis for an auditor’s conclusions about the assessed level of control risk need not be documented
unless control risk is assessed at the maximum level.
d. The lower the assessed level of control risk, the less assurance the evidence must provide that the
control procedures are operating effectively.

___40. Before assessing control risk at a high level lower than the maximum, the auditor obtains reasonable
assurance that controls are in use and operating effectively. The assurance is most likely obtained in part by
a. Preparing flowcharts
b. Performing substantive tests
c. Analyzing trends and ratios
d. Inspection of documents

___41. An auditor generally tests the segregation of duties related to inventory by

a. Personal inquiry and observation
b. Test counts and cutoff procedures
c. Analytical procedures and invoice recomputation
d. Document inspection and reconciliation

___42. The objective of test of details of transactions performed as tests of controls is to

a. Monitor the design and use of entity documents such as prenumbered shipping forms.
b. Determine whether the controls have been implemented.
c. Detect material misstatements in the account balances of the financial statements
d. Evaluate whether controls operated effectively.

___43. Which of the following types of evidence would an auditor most likely examine to determine whether
controls are operating as designed?
a. Confirmation of receivables verifying account balances.
b. Letters of representations corroborating inventory pricing.
c. Attorney’s responses to the auditor’s inquiries.
a. Client records documenting the use of computer programs.

___44. Which of the following is not a step in an auditor’s assessment of control risk?
a. Evaluate the effectiveness of internal control with tests of controls.
b. Obtain an understanding of the entity’s information system and control environment.
c. Perform tests of details of transactions to detect material misstatements in the financial statements.
d. Consider whether controls can have a pervasive effect on financial statement assertions.

___45. Which of the following is least likely to be evidence the auditor examines to determine whether controls
are operating effectively?
a. Records documenting usage of computer programs.
b. Canceled supporting documents.
c. Confirmation of accounts receivables.
d. Signatures on authorization forms.

___46. Which of the following procedures concerning accounts receivable would an auditor most likely
perform to obtain evidence in support of an assessed level of control risk below maximum?
a. Observing an entity’s employee prepare the schedule of past due accounts receivable.
b. Sending confirmation requests to an entity’s principal customers to verify the existence of accounts
receivable.
c. Inspecting an entity’s analysis of accounts receivable for unusual balances.

Auditing Theory
Page 11 of 14
 d. Comparing an entity’s uncollectible accounts expense to actual uncollectible accounts receivable.

___47. An auditor may decide to assess control risk at a high level for some or all assertions because the
auditor believes
a. The entity’s internal control system is not effective.
b. More emphasis on tests of controls than substantive tests is warranted.
c. Sufficient appropriate audit evidence to support the assertion is likely to be available.
d. The entity’s internal control components are interrelated.

___48. An auditor assesses control risk in terms of

a. Types of potential fraud
b. Financial statement assertions
c. Specific control activities
d. Control environment elements

___49. The following statements relate to the use of audit evidence when testifying the operating effectiveness
of relevant controls. Which is incorrect?
a. An auditor who obtains sufficient appropriate audit evidence about the operating effectiveness of
controls during the interim period should no longer obtain additional evidence of operating effectiveness
for the remaining period.
b. An auditor may plan to use audit evidence about the operating effectiveness of controls obtained in
prior audits.
c. If an auditor plans to rely on controls that have changed since they were last tested, the auditor should
test the operating effectiveness of such controls in the current audit.
d. Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose, for
example, when testing controls over an entity’s physical count of inventories at year-end.

___50. After gaining an understanding of internal control and assessing the risks of material misstatement, an
auditor decided to perform tests of controls. The auditor most likely decided that
a. Additional evidence to support a further reduction in internal control is not available.
b. It is not possible or practicable to reduce the risks of material misstatement at the assertion level to an
acceptably low level with audit evidence obtained only from substantive test procedures.
c. There were many internal control weaknesses that could allow misstatements to enter the accounting
system.
d. An increase in the assessed level of control is justified for certain financial statement assertions.

___51. In obtaining an understanding of internal control relevant to the audit, the auditor may trace several
transactions throughout the system, including how the transactions interface with any service organizations
whose services are part of the entity’s information system. The primary objective of this procedure is to
a. Evaluate the design of internal control and determine whether it has been implemented.
b. Determine the effectiveness of internal control.
c. Detect fraud.
d. Replace substantive tests.

___52. In designing and performing tests of controls, the auditor shall: (a) Perform other audit procedures in
combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including
the following, except
a. How the controls were applied at relevant times during the period under audit.
b. The consistency with which they were applied.
c. By whom or by what means they were applied.
d. Design, implementation or existence of control

___53. Overall responses to address the assessed risks of material misstatement at the financial statement
level may include the following, except
a. Emphasizing to the audit team the need to maintain professional skepticism.
b. Assigning more experienced staff or those with special skills or using experts.
c. Providing more supervision.
d. Incorporating additional elements of unpredictability in the selection of further audit procedures to be
performed.
e. Making general changes to the nature, timing, or extent of audit procedures, for example: performing
substantive procedures at the period end instead of at an interim date; or modifying the nature of audit
procedures to obtain more persuasive audit evidence.
f. Eliminating the performance of substantive tests

Auditing Theory
Page 12 of 14
___54. An initial understanding of the design of the entity’s internal control systems is ordinarily obtained
through the following, except
a. Making inquiries or interviews with the appropriate individuals.
b. Inspecting documents, flowcharts, structure and records.
c. Observing of entity’s activities and operations.
d. Tracing proper authorization of transactions from the applicable source documents.

___55. Inherent risk and control risk are collectively known as

a. The risk of material misstatements
b. The dependent variables of risk
c. The dual risk team
d. The risk of information dissemination

___56. An executive committee of a company’s board of directors that is in charge of overseeing financial
reporting and disclosure
a. Audit committee
b. Governance
c. Control environment
d. Management

___57.The audit program usually cannot be finalized until the

a. Consideration of the entity’s internal control has been completed.
b. Engagement letter has been signed by the auditor and the client.
c. Reportable conditions have been communicated to the audit committee.
d. Search for unrecorded liabilities has been performed and documented.

___58. Which of the following matters is not included under “regulatory environment”?
a. General level of economic activity
b. Government policies currently affecting the conduct of the entity’s business.
c. Legislation and regulation that significantly affect the entity’s operations.
d. Accounting principles and industry specific practices

___59. After obtaining a sufficient understanding of internal control, the auditor

a. Determines the preliminary assessment of control risk
b. Assesses detection risk to determine the acceptable level of inherent risk
c. Determines the assessed level of detection risk and inherent risk
d. Assesses the need to apply GAAS.

___60. What are the different levels of risk assessment?

a. High and Less than High
b. Maximum and Minimum
c. Higher and Lower
d. High and Low

___61. Tests of controls are used to test whether controls are

a. Operating effectively
b. Placed in operation or implemented
c. Properly incorporated in the financial statements
d. Properly documented by the client

___62. The audit risk model is used primarily

a. For planning purposes in determining how much evidence to accumulate
b. While doing tests of controls
c. To determine the type of opinion to express
d. To evaluate the evidence which has been gathered

___63. Inherent risk is reduced when the likelihood of defalcations is low. This would be true for an account
such as
a. Property, plant and equipment
b. Held for trading securities
c. Cash
d. Inventory of jewelry

___64. The acceptable level of detection risk and the combined level of inherent risk and control risk are
a. Inversely related
b. Directly related

Auditing Theory
Page 13 of 14
 c. Proportionately related
d. Not related

___65. If the auditor anticipates reliance on the client’s internal control, the auditor would
a. Test controls and use the results of testing as a basis for determining the nature, extent and timing of
substantive tests
b. No longer perform tests of controls and proceed immediately to substantive tests
c. Perform tests of controls and increase the amount of substantive tests
d. Eliminate the need for performance of substantive tests

___66. If the auditor wants to perform more effective substantive tests, the auditor will perform
a. More tests of details and less analytical procedures
b. More analytical procedures and less test of details
c. Tests of details and analytical procedures in equal proportion
d. Neither tests of details nor analytical procedures
___67. Inherent risk and control risk differ from detection risk in that inherent risk and control risk are
a. Functions of client and its environment while detection risk is not.
b. Elements of audit risk while detection risk is not.
c. Changed at the auditor’s discretion while detection risk is not
d. Considered at the individual account-balance level while detection risk is not.

___68. Auditors appear not to exhibit due audit care if there was a
a. High audit risk
b. High inherent risk
c. Low control risk
d. Low detection risk

___69. What is the relationship between an entity’s objectives and the controls in implements to provide
reasonable assurance about their achievement?
a. Direct
b. Inverse
c. Adverse
d. Cannot be determined

___70. Internal auditing is considered to be part of an organization’s

a. Control environment
b. External controls
c. Accounting system
d. Internal control procedures

___71. A requirement of the application of PSA is for the auditor

a. To undertake a proper study and evaluation of the existing internal control
b. Not to obtain clients by solicitations
c. To charge fees fairly and reasonably in relation to costs of engagements
d. To inspect all fixed assets acquired during the year

___72. As the acceptable level of detection risk decreases, the assurance directly provided from
a. Substantive tests should increase
b. Substantive tests should decrease
c. Tests of controls should increase
d. Tests of controls should decrease

___73. Which of the following is least likely to be a benefit of a strong internal control structure?
a. Elimination of employee fraud
b. Availability of reliable data for decision-making purposes and protection of important documents and
records
c. Some assurance of compliance with SEC regulations
d. Reduces cost of an external audit

___74. Which of the following is an example of an inherent limitation in a client’s internal control system?
a. In the performance of most control procedures, there are possibilities of errors arising from mistakes in
judgments.
b. Procedures for handling large number of transactions are processed by information technology
equipment.
c. The effectiveness of procedures depends on the segregation of employee duties.
d. Procedures are designed to assure the execution and recording of transactions in accordance with
management’s authorization

Auditing Theory
Page 14 of 14
Auditing Theory
Page 15 of 14