ACC 470 Test 2

Corruption

fraudsters wrongfully use their influence in a business transaction to secure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another (for example, kickbacks, self-dealing, or conflicts of interest).

Fraudulent statements

generally involves falsification of an organization's financial statements (for example, overstating revenues, and understating liabilities and expenses).

independent outside auditor

is not part of the organization's fraud risk management program because such a role would violate the public accounting profession's independence standards.

Local area network (LAN)

spans a relatively small area such as a building or group of buildings.

Four elements seem to characterize the incidence of occupational fraud:

Is clandestine (that is, secretive and suspicious). Violates the perpetrator's fiduciary duties to the victim organization. Is committed for the purpose of direct or indirect financial benefit to the perpetrator. Costs the employing organization assets, revenues, or reserves.

Strategic sourcing involves bringing in technical experts for specific assignments. Two primary reasons for this approach include:

Permanent internal audit associates have a broad, more generalized base of skills. Projected hours necessary to accomplish the internal audit plan exceed the time available from permanent staff, and it is not cost effective to hire additional permanent staff.

Internal audit functions are placed on a senior management level, giving the function the visibility, authority, and responsibility to:

Independently evaluate management's assessment of the organization's system of internal controls, and Assess the organization's ability to achieve business objectives and manage, monitor, and mitigate risks associated with the achievement of those objectives. Provide consulting services.

Intranet

an organization's private network accessible only to that organization's personnel.

Operating system

controls the basic input, processing, and output of the computer and manages the interconnectivity of the system hardware devices.

Audit Universe

A compilation of the subsidiaries, business units, departments, groups, processes, or other established subdivisions of an organization that exist to manage one or more business risks.

The CAE's presentation of the internal audit plan to the board usually occurs during a meeting. The proposed internal audit plan may include:

A list of proposed audit engagements (and specification regarding whether the engagements are assurance or consulting in nature). Rationale for selecting each proposed engagement (for example, risk rating, time since last audit, change in management, etc.) Objectives and scope of each proposed engagement. A list of initiatives or projects that result from the internal audit strategy but may not be directly related to an audit engagement.

detective control

An activity designed to discover undesirable events that have already occurred. A detective control must occur on a timely basis (before event occurs) to be considered effective.

Rationalization

An attitude, character, or set of ethical values exists that allows management or employees to commit a dishonest act, or they are in an environment that imposes sufficient pressure that causes them to rationalize committing a dishonest act.

Internal Audit Plan

An outline of the specific assurance and consulting engagements scheduled for a period of time (typically one year) based on an assessment of the organization's risks.

Perceived Opportunity

Circumstances provide opportunities for management or employees to commit fraud.

Wide area network (WAN)

Comprises a system of LANs connected together to span a regional, national, or global area.

Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity? I. Proper supervision. II. Proper training. III. Internal assessments. IV. External assessments.

I, III, IV

What is the difference between general controls and application controls?

IT general controls are those controls that are pervasive in nature and impact the overall technology environment. Information security controls to log on to a computer or overall disaster recovery plans are examples of general controls. Application controls are those controls that are specific to a particular system. Examples of application controls include input and output controls built into a specific software application.

Perceived Need (Pressures)

Management or other employees have incentives or pressures to commit fraud.

What is the difference between physical access controls and logical access controls?

Physical access controls provide security over tangible IT resources and include such things as locked doors, surveillance cameras, and security guards. Logical access controls provide security over software and information imbedded in the system and include such things as firewalls, encryption, login IDs, passwords, authorization tables, and computer activity logs.

Consulting Services

The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements should be included in the plan. (Standard 2010.C1)

Assurance Services

The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management must be considered in this process. (Standard 2010.A1)

cybersecurity

The technologies, processes, and practices designed to protect an organization's information assets—computers, networks, programs, and data—from unauthorized access.

Value-added network (VAN)

a third-party network that connects an organization with its trading partners.

Which of the following is an example of misappropriation of assets? a. A small amount of petty cash is stolen. b. A journal entry is modified to improve reported financial results. c. A foreign official is bribed by the chief operating officer (COO) to facilitate approval of a new product. d. A duplicate bill is sent to a customer in hopes that they will pay it twice.

a. A small amount of petty cash is stolen.

Change management controls are a type of IT organization and management controls, which are a subset of IT management-level (general) controls. a. What are change management controls? b. What effect would ineffective change management controls over application software have on the reliance that management can place on application-based controls? c. What effect would effective change management controls over application software have on internal audit's testing of controls?

a. Change management controls provide assurance that changes to the IT environment, systems, software, and data are properly authorized and appropriate. They also provide assurance that any changes made produce the desired results. b. Ineffective change management controls pertaining to application software increase the risk that unauthorized and/or inappropriate changes to the application software, including changes to application-based controls, may be made. Consequently, management cannot place as much reliance on application-based controls as they could if the change management controls were effective. c. When an organization has effective change management controls over an application in place, and the internal audit function determined last year that the controls in a computer application were designed adequately and operating effectively, then these controls need not be tested, or at least not tested as rigorously, this year.

Senior management has requested that the internal audit function perform an operational review of the telephone marketing operations of a major division and recommend procedures and policies for improving management control over the operation. The internal audit function should: a.Accept the audit engagement because independence would not be impaired. b.Accept the engagement, but indicate to management that recommending controls would impair audit independence so that management knows that future audits of the area would be impaired. c.Not accept the engagement because internal audit functions are presumed to have expertise on accounting controls, not marketing controls. d.Not accept the engagement because recommending controls would impair future objectivity of the department regarding this client.

a.Accept the audit engagement because independence would not be impaired.

Which of the following best describes an auditor's responsibility after noting some indicators of fraud? a.Expand activities to determine whether an investigation is warranted. b.Report the possibility of fraud to senior management and ask how to proceed. c.Consult with external legal counsel to determine the course of action to be taken. d.Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.

a.Expand activities to determine whether an investigation is warranted.

Organizational independence exists if the CAE reports <List A> to some other organizational level other than the CEO or similar head of the organization as long as the internal audit activity <List B> without interference: a.List A: administratively; List B: controls the scope and performance of work and reporting of results. b.List A: administratively; List B: approves the internal audit budget and risk-based internal audit plan. c.List A: functionally; List B: controls the scope and performance of work and reporting of results. d.List A: functionally; List B: approves the internal audit budget and risk-based internal audit plan.

a.List A: administratively; List B: controls the scope and performance of work and reporting of results

According to research in personality psychology, the three "dark triad personalities" do not mention: a.Sociopaths. b.Psychopaths. c.Narcissists. d. Machiavellians.

a.Sociopaths.

Utility software

augments the operating system with functionality such as encryption, disk space optimization, and protection against viruses.

The possibility of someone maliciously shutting down an information system is most directly an element of: a. Availability risk. b. Access risk. c. Confidentiality risk. d. Deployment risk.

b. Access risk.

Which of the following best illustrates the use of EDI? a. Purchasing merchandise from a company's internet site. b. Computerized placement of a purchase order from a customer to its supplier. c. Transfer of data from a desktop computer to a database server. d. Withdrawing cash from an ATM.

b. Computerized placement of a purchase order from a customer to its supplier.

An internet firewall is designed to provide protection against: a. Computer viruses. b. Unauthorized access from outsiders. c. Lightning strikes and power surges. d. Arson.

b. Unauthorized access from outsiders.

An organization that manufactures and sells computers is trying to boost sales between now and the end of the year. It decides to offer sales representatives a bonus based on the number of units they deliver to customers before the end of the year. The price of all computers is determined by the vice president of sales and cannot be changed by sales representatives. Which of the following presents the greatest reason a sales representative may commit fraud with this incentive program? a.Sales representatives may sell units that have a lower margin than other units. b.Customers have the right to return a laptop for up to 90 days after purchase. c.The units delivered may be defective. d.The customers may not pay in a timely manner for the computers.

b.Customers have the right to return a laptop for up to 90 days after purchase.

When conducting a consulting engagement to improve the efficiency and quality of a production process, the audit team is faced with a scope limitation because several months of the production data have been lost or are incomplete. Faced with this scope limitation, the CAE should: a.Resign from the consulting engagement and conduct an audit to determine why several months of data are not available. b.Discuss the problem with the customer and together evaluate whether the engagement should be continued. c.Increase the frequency of auditing the activity in question. d.Communicate the potential effects of the scope limitation to the audit committee.

b.Discuss the problem with the customer and together evaluate whether the engagement should be continued.

Which of the following is not an example of a fraud prevention program element? a.Background investigations of new employees. b.Exit interviews of departing employees. c.Establishing authority limits related to purchasing commitments. d.Analyzing cash disbursements to determine whether any duplicate payments have been made.

b.Exit interviews of departing employees.

A payroll clerk increased the hourly pay rate of a friend and shared the resulting overpayment with the friend. Which of the following controls would have best served to prevent this fraud? a.Requiring that all changes to pay records be recorded on a standard form. b.Limiting the ability to make changes in payroll system personnel information to authorized HR department supervisors. c.Periodically reconciling pay rates per personnel records with those of the payroll system. d.Monitoring payroll costs by department supervisors monthly.

b.Limiting the ability to make changes in payroll system personnel information to authorized HR department supervisors.

Which of the following activities undertaken by the internal auditor might be in conflict with the standard of independence? a.Risk management consultant. b.Product development team leader. c.Ethics advocate. d.External auditor liaison.

b.Product development team leader.

Who is ultimately responsible for determining that the objectives for an internal audit engagement have been met? a.The individual internal audit staff member. b.The CAE. c.The audit committee. d.The internal audit engagement supervisor.

b.The CAE.

Predication is the technical term that refers to: a.The ability of internal auditors to predict fraud successfully. b.The ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has occurred. c.The activities of fraud perpetrators in concealing their tracks so that fraud is covered up and may not be discovered. d.Management's analysis of fraud risks so they can put in place effective anti-fraud programs and controls.

b.The ability of a fraud examiner to commence an investigation if a form of evidence exists that fraud has occurred.

From an organization's standpoint, because internal auditors are seen to be "internal control experts," they also are: a.Fraud risk management process owners, and hence, the first and most important line of defense against fraudulent financial reporting or asset misappropriation. b.The best resource for audit committees, management, and others to consult in-house when setting up anti-fraud programs and controls, even if they may not have any fraud investigation experience. c.The best candidates to lead an investigation of a fraud incident involving the potential violation of laws and regulations. d.The primary decision-maker in terms of determining punishment or other consequences for fraud-perpetrators.

b.The best resource for audit committees, management, and others to consult in-house when setting up anti-fraud programs and controls, even if they may not have any fraud investigation experience.

Which of the following is not a responsibility of the CAE? a.To communicate the internal audit function's plans and resource requirements to senior management and the board for review and approval. b.To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management practices. c.To follow up on whether appropriate management actions have been taken on significant issues cited in the internal audit reports. d.To establish a risk-based plan to accomplish the objectives of the internal audit function consistent with the organization's goals.

b.To oversee the establishment, administration, and assessment of the organization's system of internal controls and risk management practices.

The software that manages the interconnectivity of the system software devices is the: a. Application software. b. Utility software. c. Operating system software. d. Database management system software.

c. Operating system software.

If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error would most likely be detected by a: a. Completeness check. b. Limit check. c. Validity check. d. Reasonableness check.

c. Validity check.

Which of the following types of companies would most likely need the strongest anti-fraud controls: a.A manufacturer of popular athletic shoes. b.A grocery store. c.A bank. d.An internet-based electronics retailer.

c.A bank.

How should an organization handle an anonymous accusation from an employee that a supervisor in the organization has manipulated time reports: a.Assign a staff internal auditor to review all time reports for the past six months in the supervisor's area. b.Make a record of the accusation but do nothing as anonymous accusations are typically not true. c.Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted. d.Turn the issue over to the HR department because this type of anonymous accusation is usually just a human resource issue.

c.Assess the facts provided by the anonymous party against pre-established criteria to determine whether a formal investigation is warranted.

The internal audit function's responsibilities with respect to fraud are limited to: a.The organization's operational and compliance activities only because financial reporting matters are the responsibility of the independent outside auditor. b.Monitoring any calls received through the organization's whistleblower hotline but not necessarily conducting a follow-up investigation. c.Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist. d.Ensuring that all employees have received adequate fraud awareness training.

c.Being aware of fraud indicators, including those relating to financial reporting fraud, but not necessarily possessing the expertise of a fraud investigation specialist.

Per IIA Standards, internal audit functions must establish: a.Internal quality assurance and improvement program assessments. b.External quality assurance and improvement program assessments. c.Both internal and external quality assurance and improvement program assessments. d.Neither internal nor external quality assurance and improvement program assessments.

c.Both internal and external quality assurance and improvement program assessments.

What fraud schemes were reported to be most common in the ACFE's 2016 Report to the Nations? a.Corruption. b.Fraudulent billing. c.Misappropriation of assets. d.Inappropriately reporting revenues in published results.

c.Misappropriation of assets.

The Standards require the CAE to share information and coordinate activities with other internal and external providers of assurance services. With regard to the independent outside auditor, which of the following would not be an appropriate way for the CAE to meet this requirement? a.Holding a meeting between the CAE and the independent outside audit firm's partner to discuss the upcoming audit of the financial statements. b.Providing the independent outside auditor with access to the working papers for an audit of third-party contractors. c.Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit. d.Requesting that the internal audit function receive a copy of the independent outside auditor's management letter.

c.Requiring the independent outside auditor to have the CAE's approval of their annual audit plan for conducting the financial statement audit.

An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility? a. Aligning investments in IT with business strategies. b. Overseeing changes to IT systems. c. Monitoring IT security procedures. d. Designing IT application-based controls.

d. Designing IT application-based controls.

The Standards require policies and procedures to guide the internal audit staff. Which of the following statements is false with respect to this requirement? a.A small internal audit function may be managed informally through close supervision and written memos. b.Formal administrative and technical audit manuals may not be needed by all internal audit functions. c.The CAE should establish the function's policies and procedures. d.All internal audit functions should have a detailed policies and procedures manual.

d.All internal audit functions should have a detailed policies and procedures manual.

The Cressey Fraud Triangle does not include, as one of its vertices: a.Pressure. b.Opportunity. c.Rationalization. d.Fraudster personality.

d.Fraudster personality.

Which of the following is not a typical "rationalization" of a fraud perpetrator? a.It's in the organization's best interest. b.The company owes me because I'm underpaid. c.I want to get back at my boss (revenge). d.I'm smarter than the rest of them.

d.I'm smarter than the rest of them.

Which of the following is not something all levels of employees should do? a.Understand their role within the internal control framework. b.Have a basic understanding of fraud and be aware of the red flags. c.Report suspicious incidences of fraud. d.Investigate suspicious activities that they believe may be fraudulent.

d.Investigate suspicious activities that they believe may be fraudulent.

According to the IPPF, the independence of the internal audit activity is achieved through: a.Staffing and supervision. b.Continuing professional development and due professional care. c.Human relations and communications. d.Organizational status and objectivity.

d.Organizational status and objectivity.

Audit committees are most likely to participate in the approval of: a.Audit staff promotions and salary increases. b.The internal audit report of observations and recommendations. c.Audit work schedules. d.The appointment of the CAE.

d.The appointment of the CAE.

Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? a.To emphasize the importance of the internal audit function to the organization. b.To make recommendations to improve the strategic plan. c.To ensure that the internal audit plan supports the overall business objectives. d.To provide assurance that the strategic plan is consistent with the organization's values.

d.To provide assurance that the strategic plan is consistent with the organization's values.

Firewall software

enforces access control between two networks by allowing only authorized data transmissions to pass through the firewall in both directions.

Application software

includes accounting software that is used to process transactions as well as other types of software such as word processing and spreadsheets.

Asset misappropriation

involves the theft or misuse of an organization's assets (for example, skimming revenues, stealing inventory, or payroll fraud).

Collusion

is defined as acts involving two or more persons, working together, whereby established controls or procedures may be circumvented for the gain of those individuals.

Client-server network

links two or more client computers with a server, and information processing is shared between the client(s) and the server in a manner that optimizes processing efficiency.

Database management system software (DBMS)

manages the data stored in the database, controls access to the database, and automatically backs up the database.

Internal audit

provides independent assurance to the board and management that controls are in place to manage fraud risks and that the controls are adequately designed and operating effectively.

chief audit executive (CAE)

responsible for periodically assessing whether the internal audit function's purpose, authority, and responsibility, as defined in the internal audit charter, continue to be adequate to enable the internal audit function to accomplish its objectives.

Quality Assurance

the process of assuring that an internal audit function adheres to a set of standards defining the specific elements that must be present to ensure that the function operates appropriately.

