An internal auditor noted that several shipments were not billed. To prevent recurrence of such nonbilling, the organization should
Answer (A) is correct. The sequential numbering of documents provides a standard control over transactions. The numerical sequence should be accounted for by an independent party. A major objective is to detect unrecorded and unauthorized transactions.
Controls can be classified according to function they are intended to perform; for example, to discover the occurrence of an unwanted event (detective), to avoid the occurrence of an unwanted event (preventive), or to ensure the occurrence of a desirable event (directive). Which of the following is a directive control?
Answer (D) is correct. Requiring all members of the internal auditing department to be CIAs is a directive control. The control is designed to encourage a desirable event to occur, i.e., to enhance the professionalism and level of expertise of the internal auditing department.
An audit of the payroll function revealed several instances in which a payroll clerk had added fictitious employees to the payroll and deposited the checks in accounts of close relatives. What control should have prevented such actions?
Answer (D) is correct. The payroll department is responsible for assembling payroll information (recordkeeping). The personnel department is responsible for authorizing and executing employee transactions such as hiring, firing, and changes in pay rates and deductions. Segregating these functions helps prevent fraud. Thus, the payroll for each period should be compared with the active employment files of the personnel department. Authorization by the personnel department is the only control placed in the transaction flow early enough to prevent the addition of bogus employees to the payroll.
An audit of the receiving function at the company’s distribution center revealed inadequate control over receipts. Which of the following controls would be appropriate for the receiving function?
Answer (B) is correct. The receiving department should maintain a file of properly authorized purchase orders so that unauthorized shipments are not accepted. However, prices and quantities should be omitted from these copies of the orders. If the receiving clerk does not know the quantity ordered, an independent count can be ensured.
The director of internal auditing at a large multinational firm is evaluating the draft of a new travel policy that requires preparation of a travel planning form for all travel. The travel planning form must be approved by the employee’s supervisor and the regional vice president. The director of internal auditing should
Answer (D) is correct. The objectivity of internal auditors is not impaired by recommending standards of control for systems or reviewing procedures before implementation (Standard 120). Indeed, the scope of work encompasses examining and evaluating the adequacy and effectiveness of internal control (Standard 300). The review for adequacy concerns efficiency and economy. According to SIAS 1, "Efficient performance accomplishes objectives and goals in an accurate and timely fashion with minimal use of resources." The review for effectiveness is to determine whether the system will function as intended. Effective control is present when there is reasonable assurance that objectives and goals will be achieved.
Which one of the following situations represents an internal control weakness in accounts receivable?
Answer (B) is correct. Internal control over accounts receivable begins with a proper separation of duties. Hence, the cashier, who performs an asset custody function, should not be involved in recordkeeping. Accounts should be periodically confirmed by an auditor, and delinquent accounts should be reviewed by the head of accounts receivable and the credit manager. Customer statements should be mailed monthly by the accounts receivable department without allowing access to the statements by employees of the cashier’s department. The sales manager should not be the only person to review delinquent accounts because (s)he may have an interest in not declaring an account uncollectible.
Control risk is the risk that a material misstatement in an account will not be prevented or detected on a timely basis by the client’s internal control structure policies or procedures. The best control procedure to prevent or detect fictitious payroll transactions is
Answer (B) is correct. The payroll department is responsible for assembling payroll information (recordkeeping). The personnel department is responsible for authorizing employee transactions such as hiring, firing, and changes in pay rates and deductions. Segregating the recording and authorization functions helps prevent fraud.
One characteristic of an effective internal control structure is the proper segregation of duties. The combination of responsibilities that would not be considered a violation of segregation of functional responsibilities is
Answer (D) is correct. Combining the timekeeping function and the preparation of the payroll journal entries would not be improper because the employee has no access to assets or to employee records in the personnel department. Only through collusion could an embezzlement be perpetrated. Accordingly, the functions of authorization, recordkeeping, and custodianship remain separate.
According to SAS 55 (AU 319), Consideration of Internal Control in a Financial Statement Audit, an entity’s internal control structure (ICS) consists of the policies and procedures established to provide reasonable assurance that specific entity objectives will be achieved. Only some of these objectives, policies, and procedures are relevant to a financial statement audit. Which one of the following would most likely be considered in such an audit?
Answer (B) is correct. The policies and procedures most likely to be relevant to a financial statement audit pertain to the entity’s ability to record, process, summarize, and report financial data consistent with the assertions embodied in the financial statements. Maintenance of control over unused checks is an example of a relevant procedure because the objective is to safeguard cash. The auditor must understand the ICS policies and procedures relevant to the assertions about cash in the financial statements. (S)he must then assess control risk for those assertions; that is, (s)he must evaluate the effectiveness of the ICS in preventing or detecting material misstatements in the assertions.
Auditors regularly evaluate controls. Which of the following best describes the concept of control as recognized by internal auditors?
Answer (B) is correct. “A control is any action taken by management to enhance the likelihood that established goals and objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organizing, and directing by management.”