Evaluate Design And Implementation Of Controls


Questions 1 - 10
1

When evaluating the design of an internal control, an auditor is primarily assessing:

Whether the control, if operating as intended, is capable of preventing or detecting a material misstatement or significant risk.

Whether the control was implemented within the approved project budget.

Whether the control was performed correctly every time during the audit period.

Whether the control is documented in the organization's policy manual.

Explanation

Design evaluation asks whether the control as designed would be effective if it operated as intended. Answer B is correct. Operating effectiveness (A) is a separate assessment. Documentation (C) supports but does not define design. Budget (D) is irrelevant.

2

A control requiring manager approval of all journal entries above $10,000 before posting is designed to address which control objective?

Cutoff - ensuring entries are recorded in the correct period.

Valuation - ensuring entries are recorded at correct amounts.

Completeness - ensuring all entries are captured in the general ledger.

Authorization - ensuring significant entries receive appropriate approval before recording.

Explanation

A management approval requirement is an authorization control. Answer A is correct. Completeness (B) ensures all entries are captured. Valuation (C) relates to amounts. Cutoff (D) relates to timing.

3

Which of the following best describes the difference between a preventive control and a detective control?

Preventive controls are performed by management; detective controls are performed by auditors.

Preventive controls apply only to IT systems; detective controls apply to manual processes.

Preventive controls stop errors or fraud before they occur; detective controls identify them after they have occurred.

Preventive controls operate after a transaction is recorded; detective controls operate before.

Explanation

The key distinction is timing: preventive controls stop undesired events; detective controls identify them after the fact. Answer C is correct. Answers A, B, and D mischaracterize the distinction.

4

An automated three-way match control in accounts payable is best classified as:

A corrective control that reverses unauthorized payments automatically.

A detective control that identifies duplicate payments after processing.

A preventive control that stops payment of invoices not matched to an approved PO and goods receipt.

A compensating control used when segregation of duties cannot be achieved.

Explanation

Three-way match prevents payment unless a matching PO and receipt exist - stopping unauthorized payments before they occur. Answer D is correct. It prevents rather than detects (A), does not reverse payments (B), and is a primary control (C).

5

An auditor evaluates RBAC controls and finds that role definitions have not been updated in five years despite significant organizational changes. This represents:

A well-designed control that does not require updates once implemented.

A minor issue since role definitions are technical configurations.

An acceptable compensating control since the system was implemented years ago.

A design and implementation gap - outdated roles may grant inappropriate access.

Explanation

RBAC is only effective when role definitions match current job functions. Outdated roles create inappropriate access. Answer C is correct. Controls require ongoing maintenance (A, B, D).

6

Which of the following represents the strongest evidence that controls over financial reporting are well-designed?

Controls are documented in a policy manual approved by the CFO.

Controls are mapped to specific risks, cover all significant risks, operate at appropriate process points, and include both preventive and detective elements.

Controls were designed by an external consulting firm.

The organization has more controls than industry peers.

Explanation

Well-designed controls are risk-based, comprehensive, well-positioned, and layered. Answer A is correct. Documentation (B), quantity (C), and designer (D) do not demonstrate design adequacy.

7

A reconciliation control is performed daily but variances are routinely noted and ignored without investigation. This indicates:

A design or implementation gap - without variance investigation, the reconciliation does not achieve its objective.

The control should be redesigned as a preventive control.

The variance tolerance is too low, causing excessive false positives.

The reconciliation is well-designed and operating effectively.

Explanation

A reconciliation that identifies variances but never resolves them fails its objective. Answer D is correct. Uninvestigated variances mean the control is ineffective (A, B, C).

8

An auditor tests a dual-approval control for wire transfers over $50,000 and finds 3 of 25 sampled transfers had only one approver. The auditor should conclude:

The exceptions are acceptable since amounts may have been below $50,000.

The control should be redesigned to require only one approver since compliance is difficult.

Operating effectiveness exceptions exist - the control did not operate as designed in 12% of transactions, requiring assessment of deficiency severity.

The control is effective since 22 of 25 transactions were approved correctly.

Explanation

Three exceptions out of 25 is a meaningful deviation rate for a key authorization control. The auditor must assess deficiency severity. Answer A is correct. 88% compliance may be insufficient for key financial controls (B). Lowering the standard weakens the control (C). Assumptions require evidence (D).

9

Compared to a manual approval control for purchase orders, an automated control that rejects POs with invalid vendor IDs is:

Less reliable because automated systems are more prone to errors than humans.

More reliable and consistent - automation applies the rule every time without human error or override.

Only effective if IT monitors the automated control daily.

Equivalent in effectiveness to the manual control.

Explanation

Automated controls apply rules consistently to every transaction, eliminating human inconsistency. Answer B is correct. Automation is generally more consistent than humans for repetitive rules (A, C). Daily monitoring is not always required (D).

10

A payroll manager who enters payroll data and processes the payroll run also reviews and approves the payroll register. This represents:

An acceptable arrangement in small organizations with limited staff.

An efficient process that reduces payroll processing time.

A segregation of duties deficiency - the same person who prepares payroll should not also approve it.

An effective control since the manager is most knowledgeable about payroll.

Explanation

Having the same person prepare and approve payroll eliminates the independent check that approval provides. Answer C is correct. Knowledge (A) and efficiency (B) do not justify the gap. Small organization constraints require compensating controls, not acceptance (D).
