I. Enterprise Risk Management, Internal Controls, and Business Processes Part 1


Which statement is not one of the objectives of internal control as included in the definition of internal control developed by the Committee of Sponsoring Organizations (COSO)? a. Asset safeguarding. b. Compliance. c. Financial reporting. d. Operations.

a. Asset safeguarding.

According to the COSO framework, evaluators that monitor controls within an organization should have which of the following set of characteristics? a. Competence and objectivity. b. Respect and judgment. c. Judgment and objectivity. d. Authority and responsibility.

a. Competence and objectivity.

Which of the following would be the least likely choice to lead an ERM initiative? a. Controller b. Chief Internal Auditor c. Chief Risk Officer d. Chief Financial Officer

a. Controller

The overarching reason to implement ERM is: a. Creating and protecting shareholder value. b. Identifying needed risk management strategies. c. Identifying and prioritizing key risks. d. Assessing how key risks influence the performance review process.

a. Creating and protecting shareholder value.

Which of the following statements is false (untrue) regarding data analytics, data mining, and risk assessment? a. Emerging data analytic methods are unhelpful to risk assessment. b. Emerging data mining methods can help detect previously hidden relationships. c. Data analytic methods can help evaluate assumptions found in an organization's strategy d. Key risk indicators can be used to identify risk changes.

a. Emerging data analytic methods are unhelpful to risk assessment.

According to COSO, establishing, maintaining, and monitoring an effective internal control system can do each of the following, except a. Ensure an entity's financial survival. b. Promote an entity's compliance with laws and regulations. c. Help an entity achieve performance targets. d. Provide protection for an entity's resources.

a. Ensure an entity's financial survival.

Adventureland, a start-up Pittsburgh theme park, has a series of meetings with its investors, management, and employees to help identify its risk culture. This initiative most likely occurs as a part of which component in the ERM framework? a. Governance and Culture b. Performance c. Strategy and Objective-Setting d. Information, Communication, and Reporting

a. Governance and Culture

BigWig Costume Rentals recently implemented an initiative to attract and retain web programmers and systems analysts as a part of its expanded web development to support online sales. This initiative most likely occurs as a part of which component in the ERM framework? a. Governance and Culture b. Performance c. Strategy and Objective-Setting d. Information, Communication, and Reporting

a. Governance and Culture

Management of Johnson Company is considering implementing technology to improve the monitoring component of internal control. Which of the following best describes how technology may be effective at improving monitoring? a. Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. b. Technology can assure that items are processed accurately. c. Technology can provide information more quickly. d. Technology can control access to terminals and data.

a. Technology can identify conditions and circumstances that indicate that controls have failed or risks are present.

Management of Johnson Company is considering implementing technology to improve the monitoring of internal control. Which of the following best describes how technology may be effective at improving internal control monitoring? a. Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. b. Technology can ensure that items are processed accurately. c. Technology can provide information more quickly. d. Technology can control access to terminals and data.

a. Technology can identify conditions and circumstances that indicate that controls have failed or risks are present.

Which of the following is a general control rather than a transaction control activity? a. Technology development policies and procedures. b. Reconciliations. c. Physical controls over assets. d. Controls over standing data.

a. Technology development policies and procedures.

Which of the following bodies has developed a framework for enterprise risk management? a. The Committee of Sponsoring Organizations (COSO). b. The American Institute of Certified Public Accountants (AICPA). c. The Public Company Accounting Oversight Board (PCAOB). d. The Institute of Risk Management Professionals (IRMP).

a. The Committee of Sponsoring Organizations (COSO).

Consider the following two items, which are included in a risk report received by the CEO of Kiki's Delivery Service, a global transportation and logistics company. #1: IT reports 17 incidents of denied attempts to access the system. #2: IT analysis indicates a 5% probability of a level 2 system breach within the next 3 months. Item #1 is a __________ while item #2 is a __________. a. key performance indicator; key risk indicator b. portfolio view of risk, risk profile view c. key risk indicator; key performance indicator d. risk profile view; portfolio view of risk

a. key performance indicator; key risk indicator

According to COSO, which of the following activities provides an example of a top-level review as a control activity? a. Computers owned by the entity are secured and periodically compared with amounts shown in the records. b. A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. c. Reconciliations are made of daily wire transfers with positions reported centrally. d. Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.

b. A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.

Which of the following statements is true regarding internal control objectives of information systems? a. Primary responsibility of viable internal control rests with the internal audit division. b. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. c. Control objectives primarily emphasize output distribution issues. d. An entity's corporate culture is irrelevant to the objectives.

b. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.

Which of the following is not an advantage of the employment of an enterprise risk management (ERM) system? a. Helps an organization seize opportunities. b. Allows an organization to eliminate all risks. c. Improves the deployment of capital. d. Reduces operational surprises.

b. Allows an organization to eliminate all risks.

This fundamental component of internal control is the core or foundation of any system of internal control. a. Control activities. b. Control environment. c. Information and communication. d. Risk assessment.

b. Control environment.

Griswold Corp. is planning a data analytics program to manage the risk of vendor fraud in purchasing. Which of the following activities would occur last in this process? a. Determine the risk of management override of controls over purchases. b. Determine reporting procedures for vendor anomalies. c. Screen data to remove html tags from harvested vendor data. d. Validate scraped data to match to existing vendor files.

b. Determine reporting procedures for vendor anomalies.

According to COSO, the presence of a written code of conduct provides for a control environment that can a. Override an entity's history and culture. b. Encourage teamwork in the pursuit of an entity's objectives. c. Ensure that competent evaluators are implementing and monitoring internal controls. d. Verify that information systems are providing persuasive evidence of the effectiveness of internal controls.

b. Encourage teamwork in the pursuit of an entity's objectives.

The initial tasks of the ERM working group are to: a. First, assess strategic risks, and, second, determine appropriate responses to these risks. b. First, determine the working group's objectives and the expected benefits of ERM, and, second, inventory the organization's existing risk management practices. c. First, consider how to improve risk reporting and, second, inventory the organization's existing risk management practices. d. First, assess strategic risks, and, second, assess how these risks influence the performance review process.

b. First, determine the working group's objectives and the expected benefits of ERM, and, second, inventory the organization's existing risk management practices.

In a large public corporation, evaluating internal control procedures should be the responsibility of a. Accounting management staff who report to the CFO. b. Internal audit staff who report to the board of directors. c. Operations management staff who report to the chief operations officer. d. Security management staff who report to the chief facilities officer.

b. Internal audit staff who report to the board of directors.

Gimbly Cricket Corp. created a decision aid, linked to its data warehouse, to enable senior management to monitor, in real time, changes in oil production at its oil wells in Kazakhstan. This is an example of: a. Internal, financial reporting b. Internal, nonfinancial reporting. c. External, financial reporting. d. External, nonfinancial reporting.

b. Internal, nonfinancial reporting.

The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework? a. Governance and Culture b. Performance c. Strategy and Objective-Setting d. Information, Communication, and Reporting

b. Performance

Which of the following is not a component in the COSO framework for internal control? a. Control environment. b. Segregation of duties. c. Risk assessment. d. Monitoring.

b. Segregation of duties.

Layton Company has implemented an enterprise risk management system and has responded to a particular risk by purchasing insurance. Such a response is characterized by COSO's Enterprise Risk Management Framework as: a. Avoidance. b. Sharing. c. Acceptance. d. Reduction.

b. Sharing.

CFO Mar has been complicit in her public company's accounting fraud. She consults a lawyer as it becomes time for filing her firm's 10-K with the SEC. She is a little uncomfortable about what she might have to do. The lawyer will likely tell her that she will have to certify (and be potentially criminally liable for lying about) all of the following matters except: a. That she has reviewed the 10-K. b. That her CPA license is active. c. That she, along with the CEO, is responsible for establishing and maintaining her company's internal controls. d. That she has recently evaluated the effectiveness of the firm's internal controls.

b. That her CPA license is active.

The following statement is adapted from the annual report of a large corporation: "Overall responsibility for overseeing the management of risks, compliance with our risk management framework and risk appetite lies with _______." a. The CEO b. The board of directors c. Management d. The risk management team

b. The board of directors

Which of the following statements is correct regarding the requirements of the Sarbanes-Oxley Act of 2002 for an issuer's board of directors? a. Each member of the board of directors must be independent from management influence, based on the member's prior and current activities, economic and family relationships, and other factors. b. The board of directors must have an audit committee entirely composed of members who are independent from management influence. c. The majority of members of the board of directors must be independent from management influence. d. The board of directors must have a compensation committee, a nominating committee, and an audit committee, each of which is composed entirely of independent members.

b. The board of directors must have an audit committee entirely composed of members who are independent from management influence.

Which of the following internal control components includes the factor of management's philosophy and operating style? a. Control activities. b. The control environment. c. Risk assessment. d. Monitoring.

b. The control environment.

The Buy N Large Company is a diversified, multinational consumer and wholesale products company. Which of the following is least likely to be a consideration in defining the company's risk appetite related to sustainability and climate change risk? a. The resources (e.g., financial and human) available to manage the risks. b. The method of communicating the risks to internal stakeholders. c. The risk profile. d. The risk capability.

b. The method of communicating the risks to internal stakeholders.

Which of the following events is least likely to trigger a need for substantial change in a trucking company's strategy and business objectives? a. The organization implements a new, innovative AI-based system to monitor and allocate trucks to drivers and routes. b. The organization promotes the longtime CFO to the position of CEO. c. Annual sales grow at twice the expected rate. d. Federal legislation changes the number of hours that drivers can spend on the road and the number of consecutive days that they can drive.

b. The organization promotes the longtime CFO to the position of CEO.

According to the COSO internal control framework, if an organization outsources certain activities within the business to an outside party: a. Responsibility also transfers to the outside party. b. The responsibilities never transfer to the outsourced party. c. The responsibilities only transfer if the outside party explicitly agrees to accept responsibility. d. The organization is no longer accountable for the outsourced activities.

b. The responsibilities never transfer to the outsourced party.

According to the COSO Enterprise Risk Management Framework, uncertainty in enterprise risk management refers to a. The impact of events or the time it would take to recover. b. The state of not knowing how or if potential events may manifest. c. The possibility that events will occur and affect the achievement of objectives. d. The boundaries of acceptable variation in performance related to achieving business objectives.

b. The state of not knowing how or if potential events may manifest.

According to COSO, which of the following is a compliance objective? a. To maintain adequate staffing to keep overtime expense within budget. b. To maintain a safe level of carbon dioxide emissions during production. c. To maintain material price variances within published guidelines. d. To maintain accounting principles that conform to GAAP.

b. To maintain a safe level of carbon dioxide emissions during production.

AppleNCheese Food Products recently completed a systematic analysis of the political, economic, social, technological, legal, and environmental conditions that it expects in the short and the long term. This analysis most likely occurs as a part of which component in the ERM framework? a. Governance and Culture b. Performance c. Strategy and Objective-Setting d. Information, Communication, and Reporting

c. Strategy and Objective-Setting

Which of the following is least likely to trigger a review and revision to an organization's ERM practices? a. The purchase and implementation of a system that enables real-time monitoring of customer satisfaction and complaints. b. A sales growth rate that is 2½ times that which was expected. c. A 4% increase in calls to the whistleblower hotline. d. Firing the CRO.

c. A 4% increase in calls to the whistleblower hotline.

To be willing to accept higher risk, an organization should expect _________ a. A higher strategy. b. Vision questing. c. A higher return. d. A lower performance severity.

c. A higher return.

A manufacturer actively monitors a foreign country's political events whenever a supply chain disruption occurs within the country that exceeds 90 days. According to the COSO Enterprise Risk Management principles, the manufacturer is following which of the following risk-response strategies? a. Share. b. Avoid. c. Accept. d. Reduce.

c. Accept.

An important benefit of an enterprise risk management system is a. Alignment of shareholder returns with management returns. b. Alignment of management risk taking with employee risk appetite. c. Alignment of management risk taking with shareholder risk appetite. d. Alignment of management risk taking with creditor risk appetite.

c. Alignment of management risk taking with shareholder risk appetite.

Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence? a. Preventive. b. Corrective. c. Application. d. Detective.

c. Application.

Which of the following is not a limitation of an enterprise risk management system? a. Risk relates to the future that is uncertain. b. Collusion among two or more individuals can result in enterprise risk management failure. c. Companies cannot avoid risk. d. Enterprise risk management is subject to management override.

c. Companies cannot avoid risk.

Which of the following components of internal control encompass policies and procedures that ensure that management's directives are carried out? a. The control environment. b. Monitoring. c. Control activities. d. Information and communication.

c. Control activities.

Devon Company is using an enterprise risk management system. Management of the company has set the company's objectives, identified events, and assessed risks. What is the next step in the enterprise risk management process? a. Establish control activities to manage the risks. b. Monitor the risks. c. Determine responses to the risks. d. Identify opportunities.

c. Determine responses to the risks.

Tyrell Corporation, a start-up company, develops and manufactures robotic applications for use in manufacturing facilities. The company CEO is considering implementing two statements of company-wide risk appetite: *The company will not invest more than 5% of its capital budget in projects that are categorized as high risk. The company will ensure that it realizes at least 80% of expected earnings at a 95% level of confidence.* How should the CEO proceed with consideration of the proposed statements of risk appetite? a. Determine if the board is independent of the CEO. b. Define the organizational culture as risk averse. c. Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors. d. Discuss the proposed risk appetite statements with the management and risk management teams.

c. Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors.

Which of the following is not an advantage of establishing an enterprise risk management system within an organization? a. Reduces operational surprises. b. Provides integrated responses to multiple risks. c. Eliminates all risks. d. Identifies opportunities.

c. Eliminates all risks.

In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls except a. Establishing an effective and anonymous whistleblower program with which employees can feel comfortable reporting any irregularities. b. Establishing a corporate culture in which integrity and ethical values are highly appreciated. c. Having two officers who significantly influence management and operations. d. Having an effective internal auditor function.

c. Having two officers who significantly influence management and operations.

Which of the following is not a principle related to the component of the control environment? a. Demonstrate a commitment to integrity and ethical values. b. Demonstrate a commitment to attract, develop and retain competent individuals. c. Identify and assess changes that could significantly impact the system of internal control. d. Hold individuals accountable for their internal control responsibilities.

c. Identify and assess changes that could significantly impact the system of internal control.

The component of COSO's framework for internal control that includes the goal of proper measurement of transactions is a. The control environment. b. Control activities. c. Information and communication. d. Monitoring.

c. Information and communication.

Which of the following is not a type of control under the control activity component of the COSO framework for internal control? a. Supervisory controls. b. Physical controls. c. Monitoring controls. d. Verifications.

c. Monitoring controls.

Which of the following components of internal control are characterized by ongoing activities and separate evaluations? a. The control environment. b. Risk assessment. c. Monitoring. d. Information and communication.

c. Monitoring.

Which of the following is not a factor included in the control environment? a. Board of directors or audit committee participation. b. Commitment to competence. c. Monitoring. d. Organizational structure.

c. Monitoring.

Which of the following is not a risk of a strategy of a car rental company? a. Customer accident and damage incidents may be higher than expected. b. Customers may choose only low-margin cars and options. c. The organization has a well-defined plan to achieve its mission and vision and apply its core values. d. Cars may be stolen.

c. The organization has a well-defined plan to achieve its mission and vision and apply its core values.

Which of the following is the best risk statement in relation to executive management's role in a major IT project undertaken by a large telecommunications company? a. The risk that executive management disregards project communications and meetings b. The risk that executive management disregards project communications and meetings, resulting in inadequate oversight, because of management's inattention and lack of focus c. The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems d. The risk that executive management disregards project communications and meetings, despite frequent efforts by the project management team to inform executive management of the importance of their involvement and engagement

c. The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems

According to COSO, control systems fail for all of the following reasons except: a. They are not designed or implemented properly. b. They are properly designed and implemented, but environment changes have occurred, making the controls ineffective. c. They are properly designed and implemented, but management overrides them, making them ineffective. d. They are properly designed and implemented, but the way they operate has changed, making them ineffective.

c. They are properly designed and implemented but management overrides them making them ineffective.

While both views highlight risk severity, the _______ view of risk is from the entity-wide level, while the _______ view of risk is from the perspective of units or levels within the entity. a. incident, root cause b. root cause, incident c. portfolio, profile d. profile, portfolio

c. portfolio, profile

An investment firm determines that investments in bitcoin are highly risky. For its portfolio, it sets a minimum investment of 3% and a maximum investment of 8% in bitcoin. This is an example of setting a. risk target (minimum) and risk roof (maximum). b. risk roof (minimum) and risk target (maximum). c. risk floor (minimum) and risk ceiling (maximum). d. risk ceiling (minimum) and risk floor (maximum).

c. risk floor (minimum) and risk ceiling (maximum).

Match the statements below with the associated categories in ERM: We will improve the quality of life of ... We will be known for outstanding ... We will treat our customers and employees with respect ... a. 1 core values, 2 risk appetite, 3 mission b. 1 strategy, 2 values, 3 vision c. 1 tolerance, 2 mission, 3 appetite d. 1 mission, 2 vision, 3 core values

d. 1 mission, 2 vision, 3 core values

Copyright © 2017 by the American Institute of Certified Public Accountants, Inc., is reprinted and/or adapted with permission.

Which of the following situations most clearly illustrates a breach of fiduciary duty by one or more members of the board of directors of a corporation? a. A corporation previously has distributed 50% of its earnings as dividends. This year it has annual earnings per share of $2, and the board of directors voted 4 to 1 against paying any dividend to finance growth. b. A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board (absent the vendor co-owner) unanimously approved the purchase. c. Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years that the fifth person has been a director, the individual did not attend two other meetings. d. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation.

d. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation.

Which of the following factors is not included in the control environment component of internal control? a. Commitment to competence. b. Organizational structure. c. Integrity and ethical values. d. Information and communication.

d. Information and communication.

Pierce and Pierce is an investment and brokerage company that manages client investments and seeks exceptional market opportunities for these clients. The company recently issued a report on its investment philosophy and risk management culture. This initiative most likely occurs as a part of which component in the ERM framework? a. Governance and Culture b. Performance c. Strategy and Objective-Setting d. Information, Communication, and Reporting

d. Information, Communication, and Reporting

The ERM component that includes email, board meeting minutes, and reports as important elements is a. Governance and Culture. b. Performance. c. Review and Revision. d. Information, Communication, and Reporting.

d. Information, Communication, and Reporting.

Jeffrey Smiggles of Rajon Rondo Sportswear has developed a software application that helps monitor key production risks at company factories. In order to reduce costs, his approach to monitoring risks is likely to be: a. Monitor all risks using indirect information. b. Monitor all risks using direct information. c. Monitor more important risks using indirect information and less important risks using direct information. d. Monitor more important risks using direct information and less important risks using indirect information

d. Monitor more important risks using direct information and less important risks using indirect information

Which of the following is the best description of the potential root cause of a risk? a. Emerging data analytic methods are unhelpful to risk assessment. b. Low staff morale contributes to the risk that key employees leave, creating high turnover. c. Lack of training increases the risk that processing errors and incidents occur. d. Operator processing errors will reduce the quality of manufacturing units.

d. Operator processing errors will reduce the quality of manufacturing units.

Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities? a. Establishing a fraud risk management program b. Selecting, developing, and deploying fraud controls c. Selecting, developing, and deploying evaluation and monitoring processes d. Performing a comprehensive fraud risk assessment

d. Performing a comprehensive fraud risk assessment

Which of the following statements presents an example of a general control for a computerized system? a. Limiting entry of sales transactions to only valid credit customers. b. Creating hash totals from Social Security numbers for the weekly payroll. c. Restricting entry of accounts payable transactions to only authorized users. d. Restricting access to the computer center by use of biometric devices.

d. Restricting access to the computer center by use of biometric devices.

__________ is a financial performance measure while ___________ is an operating performance measure. a. Profitability; regulatory compliance b. Discreteness; employment skill delivery c. Data velocity; data integrity d. Revenue; production yield

d. Revenue; production yield

An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which of the following is the organization most likely to do? a. Review its internal control procedures. b. Investigate new technologies to improve product performance. c. Revise its tolerance and decrease its risk appetite d. Review its ERM practices.

d. Review its ERM practices.

Riley, Ripley, and RudBack are builders of high-end (i.e., expensive) customized homes. They want to create a report on the risks that they face in their human resources function. Which level of reporting would be appropriate to this goal? a. Portfolio view b. Risk view c. Risk category view d. Risk profile view

d. Risk profile view

Jiffy Grill has an ERP system. It has assigned responsibility for determining who has what access rights within the ERP system. Based on this, to whom is it most likely that Jiffy Grill has assigned this responsibility? a. Internal auditors. b. Other personnel. c. Management d. Support functions

d. Support functions

In a risk-aware organization, a. The organizational culture is independent of management. b. The organizational culture will be risk averse. c. Investments in unproven technologies will be minimized. d. The organizational culture is closely linked to the organization's strategy, objectives, and business context.

d. The organizational culture is closely linked to the organization's strategy, objectives, and business context.

According to the Sarbanes-Oxley Act of 2002, anyone who knowingly alters, destroys, covers up, or makes a false entry in any record or document with the intent to obstruct or influence the investigation of any matter within the jurisdiction of any department or agency of the United States may be fined and/or imprisoned for up to: a. Five years. b. Ten years. c. Fifteen years. d. Twenty years.

d. Twenty years.

Match each statement below with the appropriate term that best describes it: *I. After considering implemented controls, the desired level of the risk of a major cyber attack is low. II. Before considering controls, the level of risk of a major cyber attack is high. III. After considering implemented controls, the level of the risk of a major cyber attack is medium.* a. Internal control; inherent risk; target residual risk b. target residual risk; internal control; inherent risk c. target residual risk; actual residual risk; assessed risk d. target residual risk; inherent risk; actual residual risk

d. target residual risk; inherent risk; actual residual risk
