. (LO 1) Internal control is defined as:

A. the entity's system to prevent, or detect and correct, misstatements in the financial statements.

B.a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance.

C a process, implemented by management, to ensure the integrity of the entity's management information system.

D. the entity's system to ensure that management and those charged with governance of the entity have quality information for decision making.

2. (LO 1) It is important for an auditor to understand a public company's system of internal control in order to:

A audit internal control over financial reporting.

B make a preliminary assessment of control risk.

C develop an audit strategy.

D All of these answer choices are correct.

3. (LO 1) The objectives of internal control include:

A operations objectives, internal control objectives, and financial reporting objectives.

B operations objectives, control environment objectives, and financial reporting objectives.

C operations objectives, reporting objectives, and compliance objectives.

D risk assessment objectives, compliance objectives, and reporting objectives.

4. (LO 2) The control environment:

A sets the tone of an entity with respect to internal control and influences the control consciousness of its people.

B is focused on how the entity addresses information-technology risks.

C only applies to public companies.

D directly addresses adequacy of segregation of duties.

5. (LO 2) An entity's risk assessment process:

A is designed to help an entity think about risk in the same way that an auditor thinks about risk.

B is established only if the entity is subject to unusually high risk.

C is the entity's process for identifying and responding to business risks and the results of those risks.

D never allows management of an entity to decide to accept a risk without taking any action.

6. (LO 2) The internal control component that addresses how an organization holds an individual accountable for his or her internal control responsibilities in pursuit of objectives is related to:

A the control environment.

B risk assessment.

C control activities.

D information and communication.

7. (LO 2) Which of the following represent a common categorization of control activities?

A Authorization controls, control over human error, information-processing controls, physical controls, and segregation of duties.

B Authorization controls, control over human error, information-processing controls, and segregation of duties.

C Authorization controls, information-processing controls, physical controls, and segregation of duties.

D Authorization controls, performance reviews, information-processing controls, physical controls, and segregation of duties.

8. (LO 2) In a good system of segregation of duties, which of the following duties should be segregated?

A Authorization of transactions, physical access to assets, and recording transactions.

B Authorization of transactions, physical access to assets, and management.

C Physical access to assets, recording of transactions, and consideration.

D Authorization of transactions, recording transactions, and management.

9. (LO 3) An auditor normally obtains an understanding of transaction-level controls by:

A conducting an interview with senior management.

B performing a system walkthrough.

C reading the prior year's management letter.

D testing the entity's risk assessment process.

10. (LO 4) Which of the following is a good example of an IT application control over the occurrence of revenue transactions?

A Physical access to IT systems is limited only to specific personnel who work in the revenue cycle.

B The software application compares information on a sales invoice with information from the bill of lading to ensure that sales invoices are only prepared for actual shipments. Any exceptions are not processed and are set aside for manual follow-up.

C The software changes to the revenue program must be tested and authorized before they may be used with live data.

D Strong segregation of duties exists between IT operations and IT program development.

11. (LO 4) If the auditor is able to collect evidence that IT general controls are strong, then the auditor can conclude that:

A application controls function properly and put the correct transactions on exception reports.

B software applications are more likely to operate consistently over time.

C IT transactions are adequately supported by source documents.

D the risk of batch totals failing to detect misstatements is low.

12. (LO 5) Documenting internal controls:

A is always handled through the use of checklists and preformatted questionnaires.

B is done after internal controls are tested so that the results can be included in the documentation.

C can be handled with a combination of narratives and flowcharts or logic diagrams.

D is not done for smaller clients because of the risk of management override.

13. (LO 6) When an auditor identifies internal control deficiencies, what levels of internal control deficiencies must be reported to those charged with governance of the entity?

A Material weaknesses only.

B Significant deficiencies only.

C Deficiencies and significant deficiencies in internal control.

D Significant deficiencies and material weaknesses in internal control.

14. (LO 7) A management letter:

A lists only the material weaknesses discovered during the audit.

B is written by management to the auditor at the start of the audit.

C contains recommendations for improving significant deficiencies and material weaknesses in internal control discovered during the course of the audit.

D is only required for public company audits.