Business Environment & Concepts

Which of the following organizations was established by the Sarbanes-Oxley Act of 2002 to control the auditing profession? 1. Public Company Accounting Oversight Board (PCAOB) 2. IT Governance Institute (ITGI) 3. Committee of Sponsoring Organizations (COSO) 4. Information Systems Audit and Control Foundation (ISACF)

1. Public Company Accounting Oversight Board (PCAOB) The Sarbanes-Oxley Act of 2002 (SOX) is administered by the Securities and Exchange Commission (SEC), and created a new agency, the Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk? 1. Risk reduction 2. Risk sharing 3. Risk acceptance 4. Prospect theory

1. Risk reduction Risk reduction helps to lower costs and correct issues within a corporation. If the manufacturing firm relocates to an area closer to a firm that can provide the raw materials, the firm will reduce the risk of higher costs. Risk sharing involves working with another organization to spread the risk between the two entities. Risk acceptance is the assumption of all risk because it is determined to be acceptable. Prospect theory is a behavioral economic theory that describes the way people choose between alternatives that involve risk and where the probabilities of the outcomes are known. Management should always be in the process of identifying risks in order to assess and respond accordingly.

The Sarbanes-Oxley Act changed the way financial reports are treated. What section of the act requires the CEO to review the financial statements? 1. Section 302 2. Section 402 3. Section 202 4. Section 102

1. Section 302 Section 302 of the Sarbanes-Oxley Act requires that CEOs and CFOs certify the accuracy of the financial statements and the reliability of internal controls prior to the statements being signed.

Employees of an entity feel peer pressure to do the right thing; management appropriately deals with signs that problems exist and resolves the issues; and dealings with customers, suppliers, employees, and other parties are based on honesty and fairness. According to COSO, the above scenario is indicative of which of the following? 1. Tone at the top 2. Reporting reliability 3. Operational excellence 4. Strategic goals

1. Tone at the top "Tone at the top" is an accounting term used to describe the attitude established by the entity's board of directors, audit committee, officers, and senior management toward the control environment and internal controls, forming the foundation of the importance of the entity's general ethical climate. Establishing and maintaining a strong tone at the top helps in corporate governance, promotes honesty and fairness, and assists in preventing and detecting fraud and other unethical practices.

According to COSO, the difference between inherent risk and residual risk arises because of management's: 1. actions to reduce the inherent risk. 2. inability to reduce the inherent risk. 3. actions to reduce the residual risk. 4. inability to share the residual risk.

1. actions to reduce the inherent risk. According to COSO (the Committee of Sponsoring Organizations of the Treadway Commission), the difference between inherent risk and residual risk arises because of management's actions to reduce inherent risk. There are two types of risk: inherent risk is the risk that exists before management takes any steps to control the likelihood or impact of a risk, and residual risk is the risk that remains after management reacts to reduce the risk by taking action and implementing internal controls.

According to the Sarbanes-Oxley Act of 2002, a chief executive officer or chief financial officer who misrepresents the company's finances may be penalized by being: 1. fined and imprisoned. 2. imprisoned, but not fined. 3. removed from the corporate office and fined. 4. fined, but not imprisoned.

1. fined and imprisoned. A chief executive officer or chief financial officer who misrepresents the company's finances can be both fined and imprisoned. The Sarbanes-Oxley Act has no authority to remove individuals from corporate office. That is a responsibility of the corporate board of directors or the stockholders.

Regarding the requirements of the Sarbanes-Oxley Act, officers of a company are not permitted to: 1. move the activities of the organization outside of the United States to avoid complying with the Sarbanes-Oxley Act. 2. report material misstatements. 3. report deficiencies of internal controls. 4. keep the organization transparent.

1. move the activities of the organization outside of the United States to avoid complying with the Sarbanes-Oxley Act. Officers of an organization are not permitted to move the activities of the company outside of the United States in order to avoid the Sarbanes-Oxley Act requirements.

According to the COSO Report, the control environment in a business entity: 1. sets the tone of an organization, influencing the control consciousness of its people. 2. is the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. 3. refers to the policies and procedures that help ensure that management directives are carried out. 4. is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

1. sets the tone of an organization, influencing the control consciousness of its people. The control environment in a business entity sets the tone of an organization (often called "tone at the top"), influencing the control consciousness, attitude, and awareness of management and its employees. The identification and exchange of information is "information and communication"; identification and analysis of risks falls under "risk assessment"; and policies and procedures are the "control activities" component.

If controls add to the efficiency of operations, management must: 1. weigh the benefit of reducing loss or inefficiency against the cost of the control. 2. implement the controls immediately. 3. consider only the cost of the control. 4. ask the internal auditor for recommendations.

1. weigh the benefit of reducing loss or inefficiency against the cost of the control. Managers must weigh the benefit of reducing loss or inefficiency against the cost of the controls. They should not implement controls without first understanding whether any benefits of implementing these controls outweigh the costs. Although management can solicit recommendations from the internal auditor, it is not a requirement.

Which of the following is not one of the benefits expected to be derived from implementation of COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance? 1. Increased range of opportunities 2. Reduced enterprise resiliency 3. Improved resource deployment 4. Reduced performance variability

2. Reduced enterprise resiliency The following benefits can be achieved when entities integrate the 2017 Enterprise Risk Management (ERM) framework throughout their organization: enhanced (not reduced) enterprise resilience; increased range of opportunities; improved identification and management of risk entity-wide; increased positive outcomes and reduced negative surprises; reduced performance variability; and improved resource deployment.

COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, consists of five interrelated components, which are supported by a set of 20 principles. Which of the following is not the proper match of a principle to its component? 1. Governance and Culture: Demonstrate commitment to core values 2. Review and Revision: Prioritize risks 3. Performance: Develop portfolio view 4. Strategy and Objective-Setting: Define risk appetite

2. Review and Revision: Prioritize risks The principle of "prioritize risks" is associated with the Performance component, not the Review and Revision component. The Performance component is designed to identify and assess risks that may impact the achievement of strategy and business objectives, including prioritizing those risks, while the Review and Revision component is designed to help the organization consider how well the ERM (enterprise risk management) components are functioning over time.

COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance, which is designed to assist the board of directors (BOD) in fulfilling their risk oversight role. Which of the following is not one of the BOD's obligations in terms of ERM? 1. Approving management incentives and remuneration 2. Revising reporting options to improve stakeholder transparency 3. Reviewing and challenging management of proposed strategy and risk appetite 4. Participating in investor and stakeholder relations

2. Revising reporting options to improve stakeholder transparency Although expanding reporting to address expectations for greater stakeholder transparency is one of the topics addressed in the 2017 Enterprise Risk Management (ERM) framework, it is management's responsibility to improve transparency, not the BOD's responsibility. The BOD's function is to review and either approve or reject reporting options, not to create new ones. The remaining three answer choices (reviewing and challenging management of proposed strategy and risk appetite, approving management incentives and remuneration, and participating in investor and stakeholder relations) are some of the BOD's obligations listed in the 2017 framework.

Which of the following actions is required to ensure the validity of a contract between a corporation and a director of the corporation? 1. The shareholders must review and ratify the contract. 2. The director must disclose the interest to the independent members of the board and refrain from voting. 3. An independent appraiser must render to the board of directors a fairness opinion on the contract. 4. The director must resign from the board of directors.

2. The director must disclose the interest to the independent members of the board and refrain from voting. A corporation is permitted to enter into a contract for services or goods with a board member (director). This type of a transaction is called a "related-party transaction." This action could be seen by shareholders as preferential treatment to the director who receives the contract, and it could be interpreted as a lack of due care on the part of the directors in carrying out the corporation's business. In order to invoke the business judgment rule, where the directors are protected from shareholder lawsuits alleging a lack of due care, the board must: make an informed decision, eliminate conflict of interest, and have a rational basis for the decision. A rational basis for the decision could be that these services or products are not available elsewhere, or the director is offering the best quality for the lowest price (which would be in the shareholders' favor). In order to make an informed decision, the board must review all of its options and then come to the conclusion that the best decision is to contract with the director. Finally, to eliminate conflict of interest, the director must disclose his or her interest in the contract to the board and refrain from voting. It is not necessary that the contract be reviewed by an independent appraiser, that the shareholders approve the contract, or that the director resign.

An internal auditor is considering a client's organizational structure as it affects the ethical climate established by company management. Each of the following considerations is valid in this regard, except: 1. a decentralized environment may increase the risk that unethical decisions could be made by unit managers. 2. a company that is highly centralized will have a more diverse ethical culture than a company that is decentralized. 3. a highly structured organization with formal reporting lines may be appropriate regardless of entity size. 4. the appropriateness of an entity's organizational structure depends in part on the nature of its activities.

2. a company that is highly centralized will have a more diverse ethical culture than a company that is decentralized. Assuming that a highly centralized company will have a more diverse ethical culture than a company that is decentralized is not a valid consideration when considering a client's organizational structure and how it affects the ethical climate established by management. An organizational structure defines lines of authority, responsibility, and reporting. Centralized organizational structures tend to rely on one or a few individuals to make decisions and provide direction for the company, while decentralized organizations tend to rely on a team environment with multiple decision-making levels within the organization. Although a more formal, more rule-bound structure may be appropriate regardless of an entity's size, it is often found in larger organizations with multiple activities/purposes (i.e., a broader nature of activities), particularly those that are in the later stages of development. An overly complex or unclear organizational structure may indicate more serious problems, such as too many management layers stretching from the owner down to frontline operations, resulting in inefficient operations and sluggish decision making. Decentralized organizations can struggle with multiple individuals having different opinions on a particular business decision, and can face difficulties trying to get everyone on the same page when making decisions. Additionally, since there is less day-to-day supervision in a decentralized environment, unethical decisions could be made by unit managers and go undetected.

A top-down risk assessment (TDRA) is done in order for a company to be in compliance with SOX 404. The purpose of a TDRA is to do all of the following except: 1. identify and assess the internal control procedures meant to limit the identified risks. 2. identify acts of fraud and embezzlement and assess the effect these items have had on company performance. 3. identify and assess the risks related to the financial reporting elements. 4. identify and assess financial reporting elements.

2. identify acts of fraud and embezzlement and assess the effect these items have had on company performance. A top-down risk assessment (TDRA) is used to identify and assess: financial reporting items; the risks related to financial reporting; and the internal control procedures meant to limit the identified risks. The internal control procedures are meant to prevent fraud and embezzlement, not to find evidence of such actions.

The one component of internal control that sets the tone of an organization, influencing the control consciousness of its people and serving as the foundation for all other components of internal control is: 1. risk assessment. 2. the control environment. 3. control activities. 4. information and communication.

2. the control environment. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Risk assessment is the entity's identification and analysis of relevant risks and the determination of how these risks should be managed. Control activities are the policies and procedures that help ensure that management directives are carried out. Information and communication systems support the identification, capture, and exchange of information.

A top-down risk assessment (TDRA) is done in order for a company to be in compliance with Sarbanes-Oxley Act (SOX) Section 404. A TDRA is a set of steps used to identify and assess financial reporting elements, related risks, and internal control procedures meant to limit those risks. TDRA steps include all of the following except: 1. the identification of entity-level controls that would mitigate the risks with adequate precision. 2. the identification of financial-statement level controls that would mitigate the risks in the absence of precise entity-level controls. 3. the identification of important financial reporting elements. 4. the identification of material risks related to important financial reporting elements.

2. the identification of financial-statement level controls that would mitigate the risks in the absence of precise entity-level controls. TDRA steps include the following: the identification of important financial reporting elements; the identification of material risks related to the important financial reporting elements; the identification of entity-level controls that would mitigate the risks with adequate precision; the identification of transaction-level controls (not financial-statement level controls) that would mitigate the risks in the absence of precise entity-level controls; and the analysis of the nature, extent, and timing of evidence collected about the internal controls as part of the assessment process.

With respect to the roles and responsibilities within an internal control framework: 1. the goals of internal controls are to provide close to absolute assurance that the objectives of the company will be met. 2. the internal and external auditors are responsible for the assessment of internal controls in relation to design, implementation, and effectiveness. 3. since the board of directors do not devote themselves to the day-to-day operations, they have little influence on the internal control environment. 4. the CEO of an organization is expected to allow his senior staff to set the ethical tone for the organization so as not to micromanage and stifle the organization.

2. the internal and external auditors are responsible for the assessment of internal controls in relation to design, implementation, and effectiveness. The internal and external auditors are responsible for the following: the assessment of whether internal controls are correctly designed; the assessment of whether internal controls are properly implemented; the assessment of whether internal controls are effective; and making recommendations for improvements in the internal control procedures. The CEO of an organization is expected to set an ethical tone and provide direction and leadership in this area for senior staff. The board of directors provides additional guidance to help assure ethical behavior within the organization. Even though a company has excellent internal controls, there are still unexpected events outside the company's control, such as economic conditions and the competition, that can prevent an organization from meeting its goals.

Internal controls are likely to fail for any of the following reasons, except: 1. they are designed and implemented properly, but their operation changes in some way. 2. they are designed and implemented properly as static controls, but the environment in which they operate changes. 3. they are designed and implemented properly, and their design changes as processes change. 4. they are not designed and implemented properly at the outset.

2. they are designed and implemented properly as static controls, but the environment in which they operate changes. Control activities are only designed to provide reasonable assurance related to the achievement of the stated objectives. Internal control will fail if the control is not designed, implemented, monitored, and modified for operational changes. If the control is designed and implemented properly, and the design changes as processes change, then the control should not fail. Internal controls are likely to fail if they are not designed and implemented properly, are static in nature (i.e., the control does not adapt to changes in the operating environment), or change operationally.

Who is required to make special certification statements regarding the establishment of internal control systems on Form 10-K? 1. The principal financial officer, but not the principal executive officer 2. The principal executive officer, but not the principal financial officer 3. Both the principal executive officer and the principal financial officer 4. Neither the principal financial officer nor the principal executive officer

3. Both the principal executive officer and the principal financial officer The Sarbanes-Oxley Act of 2002 requires that CEOs and CFOs of a corporation include certifications that: the signing officers have reviewed the reports; the signing officers are evaluating the internal controls within 90 days and reporting their findings; all deficiencies in internal controls are being reported; negative impacts on internal controls are being reported and corrected; the financials do not contain untrue statements or material misstatements; and the financial statements present fairly the financial condition of the company.

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum? 1. Change management 2. Control baseline 3. Change identification 4. Control revalidation/update

3. Change identification The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity's ability to manage those changes. To "identify and address changes" is part of change identification. The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.

According to COSO, which of the following components of enterprise risk management addresses an entity's integrity and ethical values? 1. Risk assessment 2. Control activities 3. Internal environment 4. Information and communication

3. Internal environment The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity's risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity's people; and the way management assigns authority and responsibility, and organizes and develops its people.

Which of the following items is one of the eight components of COSO's enterprise risk management framework? 1. Operations 2. Compliance 3. Monitoring 4. Reporting

3. Monitoring The eight components of COSO's ERM framework are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

In order to comply with a director's duty of loyalty to a corporation, what action(s) should a director take when presented personally with a new business opportunity? 1. Reject the opportunity and not offer it to the corporation 2. Accept the opportunity and disclose the acceptance to the corporation 3. Offer the opportunity to the corporation and accept it only if the corporation rejects it 4. Accept the opportunity and not offer it to the corporation

3. Offer the opportunity to the corporation and accept it only if the corporation rejects it The director's duty of loyalty forbids the director or officer from taking an opportunity for himself or herself before giving the opportunity to the company. The director or officer should first offer the opportunity to the corporation and, once the corporation denies the opportunity, he or she may then take the opportunity for himself or herself.

You walk into a little boutique in the nearby mall. As you walk up to the cash register with an item that you wish to purchase, you notice that there appears to be only one employee in this small store. With a limited number of personnel in the store at any given time, what would be the best internal control procedure to provide a reasonable guarantee that all cash sales are being rung up properly and cash put in the cash drawer? 1. Increase the minimum number of employees at the store at any given time to three 2. Carefully screen all new employees 3. Post a sign in a visible spot near the checkout counter that states, "If you do not get a receipt, your purchase is free." 4. Require that all sales be rung up on the cash register using barcodes

3. Post a sign in a visible spot near the checkout counter that states, "If you do not get a receipt, your purchase is free." Internal controls are designed to provide reasonable assurance that objectives are achieved and compliance to laws and regulations is obtained. All of the items listed would be reasonable control procedures; however, the store receipts may not be able to support a minimum of three employees at the store at any given time. The cost of an internal control procedure is not expected to exceed its benefit. Although it would be important to carefully screen all new employees, it is often difficult to judge an individual's character during one or two short interviews, and in today's litigious society, it is often difficult to get valuable information from prior employees or other references. Following are some of the internal control goals related to this transaction: Validity: The owner would want only valid, authorized, and legal transactions to be processed. By requiring all transactions to be rung up on the cash register, the owner has the ability to review all transactions. The owner could examine items sold, discounts given, and any other adjustments recorded in sales. However, when only one employee is in the store, it would be difficult to enforce the use of the cash register for cash sales. Accuracy of recording and evidence of supportability: The owner would want transactions to be recorded free of omissions. By using the customer as a part of the internal control process, the customer can be a "monitor" of the transaction when the owner is not in the store and/or when only one employee is on the selling floor. The transaction would need to be entered into the cash register (recorded) in order to print a register receipt. 
Given that it may be necessary to have only one employee in the store at slower times during the day, the owner has a final "backup" to have reasonable assurance that the employees are using the other required internal control procedures—thus making this procedure key in the internal control process.

According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except: 1. comparisons of information from various sources within the company. 2. follow-up of customer and vendor complaints regarding amounts due and owed. 3. approval of high-dollar transactions by supervisors. 4. periodic analysis of variances between expectations and actual results.

3. approval of high-dollar transactions by supervisors. Monitoring of controls is a process that assesses the quality of internal control performance over time. Monitoring involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Approval of high-dollar transactions is a control activity, not a monitoring activity. The other answer choices are all examples of monitoring activities.

Internal auditors play a role in an entity's internal control through all of the following methods except: 1. evaluating the efficiency of controls. 2. promoting continuous improvement. 3. implementing control activities. 4. evaluating the effectiveness of controls.

3. implementing control activities. Internal auditors are required by the International Standards for the Professional Practice of Internal Auditing (set forth by the IIA, Institute of Internal Auditors) to assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal auditors do not act as management by implementing control activities. In fact, they are prohibited from doing so and must remain independent. Internal auditors cannot assess operations for which they have been responsible.

Management's attitude toward aggressive financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when: 1. internal auditors have direct access to the board of directors and the entity's management. 2. the audit committee is active in overseeing the entity's financial reporting policies. 3. management is dominated by one individual who is also a shareholder. 4. external policies established by parties outside the entity affect its accounting practices.

3. management is dominated by one individual who is also a shareholder. The auditor must consider the client's control environment when measuring control risk. One important factor regarding the control environment is the management philosophy and operating style, particularly when management is dominated by only a few individuals. Dominant control by only a few people can directly affect the control environment because it is the only item listed above over which management has significant influence. The other answers (external policies, internal auditors, and the audit committee) all involve a degree of independence from management.

A written policy and procedure manual should contain: 1. a formal job description. 2. corporation budgets. 3. proper business practices. 4. an employee training program.

3. proper business practices. Policies and procedures help the employee understand the organization's policies for operation and the procedures that are followed to meet the policies. The policies and procedures include such things as the proper business practices, the purpose of the organization, responsibilities, and definitions.

Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires that all publicly traded firms establish internal controls related to financial reporting that are documented, tested, and maintained. The purpose of these controls is to reduce the probabilities of corporate fraud. In order to be in compliance with SOX 404, a company needs to: 1. develop documentation of existing controls and procedures associated with hiring practices. 2. provide documentation on future controls designed to prevent or detect employee collusion. 3. provide details on any deficiencies in the existing internal controls and/or documentation. 4. provide details on planned controls designed to ensure that controls can prevent or detect management override.

3. provide details on any deficiencies in the existing internal controls and/or documentation. In order to be in compliance with SOX 404, a company needs to: develop documentation of existing internal controls and procedures associated with financial reporting; test the effectiveness of those controls and procedures; and provide details on any deficiencies in the controls and/or documentation.

The internal auditor who works in enterprise risk management (ERM) performs each of the following activities, except: 1. evaluating the risk-management process. 2. giving assurance that the risks of the organization are correctly evaluated. 3. setting the risk appetite of the organization. 4. coordinating ERM activities.

3. setting the risk appetite of the organization. The internal auditor who works in ERM does not set the risk appetite of the organization; this is generally done by the board of directors and/or executive management. Internal auditors do coordinate ERM activities across the organization, evaluate the risk management process, and give assurance that the risks of the organization are correctly evaluated. They also ensure that the organization's risk responses align with the defined risk appetite.

A company implements an enterprise resource planning application to help improve its financial and operational reporting, while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of: 1. an economic event. 2. segregation of duties. 3. a social event. 4. change management.

4. change management. "Change management" is correct because implementing an ERP application is a change to the entity's internal controls and documenting the change is part of the process of managing the change.

According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in: 1. the law. 2. operating procedures. 3. technology. 4. risks.

4. risks. Monitoring of controls is a process designed to assess the quality of internal control performance over time, verifying that the internal control system remains adequate to address changes in risk. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The COSO Enterprise Risk Management (ERM) framework assists management in effectively dealing with uncertainty and its related risk and opportunity, thus building stakeholder value in the entity.

Which of the following situations most clearly illustrates a breach of fiduciary duty by one or more members of the board of directors of a corporation? 1. Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years that the fifth person has been a director, the individual did not attend two other meetings. 2. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation. 3. A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board (absent the vendor co-owner) unanimously approved the purchase. 4. A corporation previously has distributed 50% of its earnings as dividends. This year, it has annual earnings per share of $2, and the board of directors voted 4 to 1 against paying any dividend to finance growth.

2. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation. The board of directors (BOD) provides governance, guidance, and oversight for management. The BOD has a fiduciary duty to act in the best interests of the corporation. As fiduciaries, board members are held to a higher standard of care than would be exercised in discharge of those people's personal affairs. Directors may not put themselves in a position where their interests and duties conflict with the duties that they owe to the company. Purchasing a vacant building in the same city that would have been suitable for use by the corporation would violate the duty of loyalty.

Each of the following is a limitation of enterprise risk management (ERM), except: ERM operates at different levels with respect to different objectives. ERM is as effective as the people responsible for its functioning. ERM deals with risk, which relates to the future and is inherently uncertain. ERM can provide absolute assurance with respect to objective categories.

ERM can provide absolute assurance with respect to objective categories. The question asks which answer choice is not a limitation of ERM. Limitations refer to reasons the control system may not function as designed. Because of these limitations, any control system can provide only reasonable assurance rather than absolute assurance. All of the other answer choices are reasons that the control system may not function properly in some situations.

Which of the following describes the hedging approach to financing? Each asset is offset with a financing instrument of the same approximate maturity or duration. Maturity dates of financing instruments are staggered so that they mature in a steady, predictable fashion when it is expected that funds will be needed. Each asset is offset with either a put or a call. The firm takes out insurance to protect itself against uneven cash flows.

Each asset is offset with a financing instrument of the same approximate maturity or duration. Under the hedging approach the length of the financing term is matched to the maturity or duration of assets financed. Long-term debt is used to finance long-term assets and short-term debt is used to finance short-term assets. Thus, each asset is offset with a financing instrument of the same approximate maturity.

COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, includes several trends that should be monitored by entities. Which of the following is not one of those trends? 1. Manage the cost of risk management. 2. Leverage artificial intelligence and automation. 3. Adapt to the proliferation of data. 4. Expand customer service to include texts and chatbots.

4. Expand customer service to include texts and chatbots. Although many entities are beginning to realize that their customers want immediate answers and alternate means of communication, expanding customer service to include texting and chatbots is not a trend related to enterprise risk management (ERM). The remaining three answer choices are ERM trends: adapt to the proliferation of data, leverage artificial intelligence and automation, and manage the cost of risk management.

COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, consists of five interrelated components, which are supported by a set of 20 principles. Which of the following is the definition for the Performance component? 1. Provide a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization. 2. Assist the entity to determine how well the ERM components are functioning over time. 3. Identify and assess risks that may impact the achievement of strategy and business objectives. 4. Set the organization's tone, reinforcing the importance of and establishing oversight responsibilities for ERM.

3. Identify and assess risks that may impact the achievement of strategy and business objectives. The Performance component identifies and assesses risks that may impact the achievement of strategy and business objectives. The Governance and Culture component sets the organization's tone, reinforcing the importance of and establishing oversight responsibilities for enterprise risk management (ERM). The Information, Communication, and Reporting component provides a continual process of obtaining and sharing necessary information, from both internal and external sources. The Review and Revision component assists the entity in determining how well the ERM components are functioning over time.

According to the Sarbanes-Oxley Act of 2002, which of the following statements is correct regarding an issuer's audit committee financial expert? The issuer's current outside CPA firm's audit partner must be the audit committee financial expert. If an issuer does not have an audit committee financial expert, the issuer must disclose the reason why the role is not filled. The issuer must fill the role with an individual who has experience in the issuer's industry. The audit committee financial expert must be the issuer's audit committee chairperson to enhance internal control.

If an issuer does not have an audit committee financial expert, the issuer must disclose the reason why the role is not filled. The Sarbanes-Oxley Act of 2002 (SOX), also known as the Public Company Accounting Reform and Investor Protection Act, was enacted to develop new or enhanced standards for all U.S. public company boards, management, and public accounting firms. One of its requirements is that an issuer should have an audit committee, and at least one of its members should be an individual with significant financial reporting expertise. If the firm does not have an audit committee financial expert, the issuer must disclose the reason why the role is not filled.

Which of the following changes would most effectively halt a period of inflation? 1. Increasing savings by a small amount. 2. Decreasing savings by a small amount. 3. Decreasing interest rates by a large amount. 4. Increasing interest rates by a large amount.

4. Increasing interest rates by a large amount. Monetary policy is one of the key policy tools that is available to attempt to influence the real GDP (gross domestic product) and the price level. To contain inflation, the Federal Reserve would have a restrictive monetary policy and sell bonds. Excess reserves would fall, and the money supply would fall. Interest rates would rise, and business investment would decline. Aggregate demand would fall, and the inflation rate would decline.

Which of the following actions is the acknowledged preventive measure for a period of deflation? 1. Decreasing the money supply. 2. Increasing interest rates. 3. Decreasing interest rates. 4. Increasing the money supply.

4. Increasing the money supply. Deflation, or negative inflation, occurs when prices fall because the supply of goods is higher than the demand for those goods. This is usually due to a reduction in money, credit, or consumer spending. Deflation can occur as a result of a combination of four factors: the supply of money goes down; the supply of other goods goes up; demand for money goes up; or demand for other goods goes down. To prevent deflation, the opposite actions (i.e., inflationary actions) must take place: increase the money supply; decrease the supply of other goods; decrease the demand for money; or increase the demand for other goods. The only correct answer choice is increasing the money supply. When the Federal Reserve (the Fed) takes action to increase the money supply, it begins a cycle whereby interest rates decrease and the demand for goods and services increases. Eventually this creates inflationary pressure on the economy, and the Fed then begins to implement deflationary policies.

According to COSO, which of the following identifies the group directly responsible for the implementation and development of the enterprise risk management framework? 1. The board of directors. 2. Internal auditors. 3. Management. 4. External auditors.

3. Management. The COSO Enterprise Risk Management (ERM) framework takes a risk-based, rather than a controls-based, approach. It expands on the elements of the internal control integrated framework and is much more comprehensive. Management is charged with the responsibility of finding a balance between growth and profit while using resources in an efficient and effective manner. ERM helps ensure that reporting and compliance laws and regulations are met, and assists in protecting the entity's reputation.

Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? 1. Monitoring activities. 2. Information and communication. 3. Risk assessment. 4. Control environment.

1. Monitoring activities. Monitoring of controls assesses the quality of internal control performance over time, including assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The control environment includes items such as a corporate code of conduct and ethical attitude of those charged with governance. Risk assessment refers to the identification, analysis, and management of risks relevant to the preparation of financial statements. The information and communication system refers to processing the data, including the source documents through the final reports.

Annual gross domestic product (GDP) for the past 10 years is available. To accurately compare each yearly amount, adjustments should be made for changes in which of the following? 1. Technology. 2. Defective units. 3. Units produced. 4. Price level.

4. Price level. Gross domestic product is not affected by changes in units or technology because it is a monetary measure. The only answer choice that reflects a need for monetary adjustment is price level.

A company has a policy of frequently cutting prices to increase sales. Product demand is significantly elastic. What impact would this have on the company's situation? Quantity increases proportionally more than the price declines. Price increases proportionally more than the quantity declines. Price increases proportionally less than the quantity declines. Quantity increases proportionally less than the price declines.

Quantity increases proportionally more than the price declines. Elasticity of demand is calculated as the percentage change in quantity divided by the percentage change in price. If the fraction is greater than 1.0, the demand is elastic. If demand is elastic, then reducing the price will increase the total revenue because the quantity sold increases proportionally more than the price decreases (the percentage increase in quantity exceeds the percentage decrease in unit price).

Falser Co. increases all of its input factors by 100%, resulting in increased output of 90%. Which of the following statements identifies the effect of this change? Returns to scale decrease. Marginal costs decrease. Marginal returns rise. Returns to scale increase.

Returns to scale increase. The law of diminishing returns (also called the principle of diminishing marginal productivity) is an economic law stating that a point will eventually be reached in production at which additions of an input will yield progressively smaller, or diminishing, increases in output. In other words, returns to scale will decrease, not increase. For example, a firm exhibits decreasing returns to scale if its output less than doubles when all of its inputs are doubled. Marginal returns and costs deal with financial relationships; this question is asking about volume, or output issues.

A company has several long-term floating-rate bonds outstanding. The company's cash flows have stabilized, and the company is considering hedging interest rate risk. Which of the following derivative instruments is recommended for this purpose? 1. Structured short-term note. 2. Swap agreement. 3. Forward contract on a commodity. 4. Futures contract on a stock.

2. Swap agreement. Interest rate risk is the risk that interest rates will change and the company will be obligated to meet the new interest rates because the underlying liabilities specify floating rather than fixed interest rates. A swap transforms one kind of interest stream into another. In this question, one party pays fixed interest and receives floating interest, while the other party receives fixed interest and pays floating interest. A structured short-term note is incorrect because it refers to a new type of liability rather than acquiring a derivative to mitigate the risk. A derivative is a new contract that gets value from the underlying existing contracts, but the original contracts still remain in effect. The other answer choices (forward contract on a commodity, and futures contract on a stock) are incorrect because they do not reduce the company's risk of increased interest expense due to rising interest rates.

According to COSO, which of the following provides oversight of an entity's enterprise risk management? 1. Management. 2. Financial executives. 3. The board of directors. 4. The risk officer.

3. The board of directors. According to COSO (the Committee of Sponsoring Organizations of the Treadway Commission), the board of directors (BOD) provides oversight of an entity's enterprise risk management; it is the BOD members who are charged with overseeing management's role in keeping the internal controls of the entity operating effectively. The board should challenge management, ask the tough questions, and seek input and support from informed personnel (e.g., internal and external auditors). Company management, including the risk officer and financial executives, are responsible for establishing the internal control system and implementing monitoring procedures. The board of directors oversees the process and provides guidance as necessary.

In which of the following situations would it be advantageous for a country to export a manufactured product? The country has an absolute advantage in the production of a complementary product. The country's government prefers to be self-sufficient. The country has a higher opportunity cost for production of the item. The country has a comparative advantage in the production of the item.

The country has a comparative advantage in the production of the item. Exports are driven by consumer income and wealth in foreign nations as well as foreigners' tastes and preferences for foreign goods. A comparative (also called competitive) advantage can be achieved by developing a product that has unique attributes that are not offered by the competition (in this case, other countries). The firms that are the most successful using this "differentiation strategy" develop products that provide value to customers and cannot be easily duplicated, resulting in a situation where it would be advantageous for a country to export some of its manufactured products.

The Sarbanes-Oxley Act requires that all financial statements include: all material off-balance sheet liabilities, obligations, or transactions. neither material nor immaterial off-balance sheet liabilities, obligations, or transactions. only material off-balance sheet liabilities. all immaterial off-balance sheet liabilities, obligations, or transactions.

all material off-balance sheet liabilities, obligations, or transactions. All material off-balance sheet liabilities, obligations (including contingent liabilities), arrangements, transactions, and relationships of the issuer with unconsolidated entities that may have a material effect on the financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, or resources must be reported on financial statements. This will help the user understand the full scope of the firm's financial obligations.

Fixed interest rate loans lock in a particular interest rate over the duration of a loan. If price levels and interest rates rise during this period: lenders benefit. borrowers benefit. both borrowers and lenders benefit. neither borrowers nor lenders benefit.

borrowers benefit. Borrowers in fixed rate loans benefit when interest rates and price levels rise because they are still subject to the lower rate of interest while the money used to pay interest and repay principal is worth less than when borrowed. The opposite applies to lenders.

Entity-level internal controls mitigate financial reporting risks. All of the following are examples of such controls except: variance analysis procedures. documentation of future internal controls. an internal audit department. oversight by senior management.

documentation of future internal controls. Documentation of future internal controls does not mitigate financial reporting risks. Examples of entity-level controls that do mitigate this risk include a company policy and procedure manual, the existence of an independent internal audit department, controls related to the period-ending procedures, variance analysis procedures, and oversight by senior management.

The primary sources of funds for sovereign wealth funds would be: the export earnings that are driven by government policies designed to have a strong currency. earnings from commodity-based exports and trade surpluses driven by the export of manufactured goods. foreign direct investment attracted by donor governments that hope to gain political leverage by making such investments. the Central Bank in an attempt to sterilize the inflationary impact of the inflow of foreign exchange reserves on the money supply of the country.

earnings from commodity-based exports and trade surpluses driven by the export of manufactured goods. The primary sources of funds for sovereign wealth funds are export earnings from commodity (energy)-based exports and the trade surplus generated by the export of manufactured goods. The trade surplus is often tied to the country having a weak currency that causes a country's goods and services to be priced lower in terms of a foreign currency. Additionally, increases in commodity prices have shifted the terms-of-trade in favor of nations exporting goods from extractive- and commodity-based industries.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a widely accepted and used framework for internal control that was designed to provide reasonable assurance for a company's objectives related to all items except: compliance with laws and regulations. expansion of markets. reliability of financial reporting. effectiveness and efficiency of operations.

expansion of markets. COSO has developed a widely accepted and used framework for internal control that was designed to provide reasonable assurance for a firm's objectives related to: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Although the expansion of markets may be in the strategic plan for a company and may come about due to the effectiveness and efficiency of operations, it is not a focus of the COSO Framework designed for internal control.

In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls, except: having two officers who significantly influence management and operations. having an effective internal auditor function. establishing a corporate culture in which integrity and ethical values are highly appreciated. establishing an effective and anonymous whistleblower program with which employees can feel comfortable reporting any irregularities.

having two officers who significantly influence management and operations. Internal controls can provide reasonable assurance that the objectives of the company will be met and that external laws and regulations will be adhered to; however, even the most effective internal control system cannot guarantee these results. Limitations, particularly in smaller companies, include the fact that staff size can result in the inability to properly have a segregation of duties, and management could override various controls for illegitimate purposes. This is particularly true for a small- to mid-size entity's control culture, where some controls, such as adequate segregation of duties, may not be cost effective. Mitigating factors include all of the answer choices listed except having two officers who significantly influence management and operations.

In the short-run, average variable cost for a firm is rising; therefore: marginal cost is above average variable cost. average total cost is at a minimum. average fixed cost is constant. average variable cost is below average fixed cost.

marginal cost is above average variable cost. The average-marginal rule states that when the marginal magnitude is above the average magnitude, the average magnitude rises; therefore, since average variable cost is rising, marginal cost must be higher than average variable cost.

Companies will often use strategic alliances and collaborative partnerships in order to: 1. develop defenses against foreign competitors that are entering U.S. markets as low-cost leaders due to lower resource costs. 2. develop strong customer loyalties and goodwill in an ever more diverse global market. 3. lessen competition by forming cartels. 4. open up new markets, gain technology, improve manufacturing expertise, and improve supply chain efficiency.

4. open up new markets, gain technology, improve manufacturing expertise, and improve supply chain efficiency. Companies will use strategic alliances to: open up or improve access to new markets, learn from other companies by sharing technology and various types of expertise, improve supply chain efficiency, get into critical countries in an effective and efficient manner, and gain access to necessary resources.

The Enterprise Risk Management—Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a: process that replaces the COSO Internal Control Framework. process that takes a control-based approach to an organization. process effected by an entity's board of directors, management, and other personnel. serial process in which one component affects only the next component.

process effected by an entity's board of directors, management, and other personnel. "A process effected by an entity's board of directors, management, and other personnel" is correct because the board of directors has overall responsibility for managing enterprise risk and can delegate parts of the process to entity personnel. "A serial process in which one component affects only the next component" is incorrect because the components are interrelated, not sequential. "A process that takes a control-based approach to an organization" is incorrect because the framework is much more than the resulting internal controls. "A process that replaces the COSO Internal Control Framework" is incorrect because the process is the framework; it does not replace it.

The discount rate set by the Federal Reserve System is the: rate that the central bank charges for loans to commercial banks. rate that commercial banks charge for loans to each other. required percentage of reserves deposited at the central bank. rate that commercial banks charge for loans to the general public.

rate that the central bank charges for loans to commercial banks. The discount rate set by the Federal Reserve System is the rate that the central bank charges for loans to commercial banks. The federal funds rate is the rate paid by commercial banks when borrowing excess reserves from other institutions in the Fed Funds market. The prime rate is the base rate that banks use in pricing short maturity loans to their best, or most creditworthy, customers. The interest rate that commercial banks charge for loans to the general public is determined by conditions in the money market.

An example of a detective control activity would be: required authorizations. separation of duties. security guards and cameras. reconciliations.

reconciliations. Control activities are included in an organization's policies, procedures, techniques, and mechanisms to aid management in achieving the firm's objectives, protect the firm's assets, and measure performance. These activities can be either preventive or detective. Detective activities would include: audits, required vacations, background investigations, rotation of duties, variance analysis, reconciliations, and physical inventories. Preventive activities would include: separation of duties, use of passwords, required authorizations, required approvals, alarm systems, use of locks, security guards and cameras, and education, training, and monitoring of employees.

Each of the following statements is correct regarding the existence and implementation of codes of conduct, except: employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior. the codes of conduct must be in writing and displayed in public areas, such as a break room. the codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading. the codes of conduct are periodically acknowledged by all employees.

the codes of conduct must be in writing and displayed in public areas, such as a break room. The incorrect statement is, "The codes of conduct must be in writing and displayed in public areas, such as a break room," because there are numerous ways to make a code of conduct available to employees, such as distributing written handbooks or presenting the code of conduct on the entity's website. The other answer choices are correct statements: "Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior." A code of conduct is only effective if employees understand the limits on behavior contained in the code and are able to take appropriate action when improper behavior is encountered. "The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading." A code of conduct that omitted any of these topics would be incomplete and unable to meet its objectives. "The codes of conduct are periodically acknowledged by all employees." It is important that employees periodically review the code of conduct and acknowledge agreement to its ethical restrictions.

Differentiation strategies can be successful when: buyers are particularly price-conscious and competition is strong. buyers are easily convinced to switch products through aggressive advertising and the costs for product switching are low. most buyers have similar requirements for the product attributes. the differentiating product attribute cannot be easily copied.

the differentiating product attribute cannot be easily copied. For a differentiation strategy to be successful, a company must be able to supply a product that is of value to the consumer and cannot be easily duplicated.

When economists are concerned about the liquidity preference function they are interested in: the relationship of the demand for money and the rate of interest. the preference for a currency backed by gold. a bank's desire for accounts receivable as collateral. the proportion of liquid (cash) reserves maintained by commercial banks.

the relationship of the demand for money and the rate of interest. The demand for money varies inversely with the rate of interest. The liquidity preference (LP) function relates money demand to the rate of interest. As interest rates fall, the quantity of money demanded increases. As rates rise, the quantity of money demanded decreases.

Globalization is a process by which nations of the world become integrated through global networks of communication. Its current success is tied to a number of socioeconomic effects, with one of the key effects being: an understanding that the success of the emerging economies is more than simply the cost advantage they have due to having relatively low-cost labor. the fact that innovation blowbacks as the low-priced, high-quality products developed for the emerging economies now will be effectively marketed and sold in the developed world. an undervalued currency in emerging economies that would stimulate exports and strong investment in infrastructure. the relatively large labor force in emerging markets and declining birth rates that have historically been associated with dynamic positive economic change.

the relatively large labor force in emerging markets and declining birth rates that have historically been associated with dynamic positive economic change. Socioeconomic effects are the social and economic experiences and realities that help mold one's personality, attitudes, and lifestyle. Declining birth rates reduce the dependency ratio, and the large labor force tends to keep wages low as economic activity expands. Most of the world's currently developed economies were in this phase of the demographic cycle when they began their economic expansion.

Financial risk management is a process that involves developing strategies to manage risk related to participating in financial markets. Assume that a credit union has been offering fixed-rate real estate mortgages to its members. Given conditions in financial markets, the credit union believes that it no longer can afford to offer this service and decides to begin offering variable-rate mortgages with the mortgage interest rate tied to an index and adjusted once a year. In terms of interest rate risk, the credit union has decided to ________ the risk. 1. accept 2. hedge 3. transfer 4. systematize

transfer. In this instance, the credit union gives the member a variable rate mortgage where the payment would change in response to changes in an interest rate index. This involves transferring the risk of interest rate changes from the institution to the member. If the credit union did nothing in response to this situation, they would be accepting the interest rate risk. If the institution chooses to use some form of options and/or futures contract strategy to deal with the interest rate risk, they would be hedging the risk.

An example of a preventive control activity would be: required vacations. use of passwords. internal audits. rotation of duties.

use of passwords. Control activities are included in an organization's policies, procedures, techniques, and mechanisms to aid management in achieving the firm's objectives, protect the firm's assets, and measure performance. These activities can be either preventive or detective. Preventive activities would include: separation of duties, use of passwords, required authorizations, required approvals, alarm systems, use of locks, security guards and cameras, and education, training, and monitoring of employees. Detective activities would include: audits, required vacations, background investigations, rotation of duties, variance analysis, reconciliations, and physical inventories.

A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should: visibly participate in a global information security campaign. refer to the organization's U.S. human resources policies on privacy in a company newsletter. allocate additional budget resources for external audit services. review and accept the information security risk assessments in a staff meeting.

visibly participate in a global information security campaign. "All team members" refers to the entire international organization, which implies the executive would provide this message to all employees worldwide. The tone at the top is most clearly demonstrated by personal example set by senior executives. The other answer choices are good behaviors but they are not visible to the worldwide entity.

