What is the first step in documenting the Walkthrough EGA?
understanding of the "end to end" process
Which of the following is NOT a valid method for testing operating effectiveness alone? (A. Inquiry, B. Observation, C. Inspection, D. Reperformance)
A. Inquiry
What is a key report?
source of the information that management uses in the key manual business process controls
What year was the Sarbanes-Oxley Act (SOX) signed into law?
2002
True or False: Review controls are typically documented in a separate Review control template EGA than a transactional control.
True
During a walkthrough, which of the following is NOT typically tested?
A. Control design
B. Operating effectiveness
C. Process understanding
D. Risk of fraud
B. Operating effectiveness (That’s part of control testing, not walkthroughs.)
How many months should you test for a monthly control’s operating effectiveness with low risk?
2
True or False: Auditors must test the completeness and accuracy of key reports relied on for control testing.
True
What well-known scandal was a factor in the enactment of SOX?
Enron scandal
Which of the following best describes a strong review control?
A. It happens automatically without oversight
B. It is based on consistent, well-documented criteria
C. It is performed by entry-level staff
D. It does not require documentation
B. It is based on consistent, well-documented criteria
True or False: Not ALL key controls need to be in scope with the objective to address an LSPM.
False. The purpose of key controls is to address the identified LSPMs.
How does a walkthrough differ from a test of operating effectiveness?
A walkthrough focuses on understanding and design; operating effectiveness testing confirms the control actually works over time.
Which of the following best supports the completeness and accuracy of a key report?
A. Report has been used for years with no issues
B. It is reviewed by a senior employee
C. Auditor inspects report logic and agrees output to source data
D. It is generated from Excel
C. Auditor inspects report logic and agrees output to source data
True or False: SOX applies to all companies doing business in the U.S.
False – SOX applies primarily to public companies registered with the SEC.
What documentation is typically required to support the operating effectiveness of a review control?
Evidence of the review (e.g., reviewer’s initials, comments, documented follow-up, analysis performed).
What is a “control gap” identified during a walkthrough?
A point in the process where a control does not exist or is inadequate to address a risk of material misstatement.
Which of the following is an example of a test of operating effectiveness?
A. Reviewing whether management says they perform a control
B. Observing the controller reviewing a bank reconciliation in real-time
C. Asking how a process is supposed to work
D. Reading the process narrative
B. Observing the controller reviewing a bank reconciliation in real-time
Why is it important to evaluate user access controls when auditing key reports?
To ensure only authorized users can modify report data or logic.
Section 302 (i.e., 302 Certification) of SOX requires what from CEOs and CFOs?
They must personally certify the accuracy of financial statements.
Why are review controls often harder to test for operating effectiveness?
Because they often involve management judgment and require evaluating both the process and quality of review evidence.
Which is an example of an entity-level control?
A. Bank reconciliation approval
B. Physical inventory count
C. Tone at the top
D. Invoice coding procedures
C. Tone at the top
If the same key control is performed by 3 separate entities in the same business division, documented and executed the same way, on a monthly basis, what is the total population and what frequency grouping would we reference?
36, between Monthly and Weekly
If a key report is generated from a system with weak access controls (ITGCs), what should the auditor do?
Test the completeness and accuracy or identify compensating controls.
Who was Enron's auditor that was dissolved after the scandal?
Arthur Andersen
Name one example of a review control.
(Multiple answers)
Examples:
1) Review over EAC calculation
2) Review of Goodwill impairment
3) Business performance reviews (BS/PL analytic)
4) Balance Sheet reconciliations
5) Tax provision
6) Significant and unusual accounting transactions and accounting treatment (e.g., Business acquisitions/combinations)