AIS CH 13
Requiring a signed source document before recording a transaction is a _______ control.
preventive
COSO ERM framework indicates that:
- ERM provides reasonable assurance regarding the achievement of the firm's objectives. - ERM manages risk to be within the firm's risk appetite.
Based on SOX, which of the following sections is about corporate responsibility for financial reports?
302
Based on SOX, which of the following sections is about internal controls?
404
SOX requires companies to use COSO or COSO ERM as the framework in evaluating internal controls.
False
Which of the following is an example of IT general controls (ITGC)?
IT control environment
Select the component not part of the COSO ERM 2017 framework.
Control Environment
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite. The four options to respond to risks are: reducing, sharing, avoiding, and ___________ risks.
accepting
Select the principles related to review and revision in the COSO ERM 2017 framework:
- Assess substantial change - Review risk and performance
The responsibility of enterprise risk management belongs to?
Management
Match the following definitions with the different types of risks.
Inherent risk <-----> the risk related to the nature of the business activity itself Control risk <-----> the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system Residual risk <-----> the product of inherent risk and control risk
Which of the following is a correct statement about COBIT 2019 framework?
It is designed for information and technology governance and management.
__________ controls provide output to authorized people and ensure the output is used properly.
Output
__________ controls require compliance with preferred procedures to deter undesirable issues from happening.
Preventive
PCAOB stands for __________ __________ __________ __________ Board.
Public Company Accounting Oversight
Define the following batch totals.
Record count <-----> the total records in the batch Financial total <-----> the sum of a field containing dollar values Hash total <-----> the sum of a numeric field, such as employee number, which normally would not be the subject of arithmetic operations
Which of the following statements is correct?
Regarding IT control and governance, the COBIT framework is most commonly adopted by companies in the United States.
Which of the following components is not part of COSO ERM 2017 framework?
Risk Assessment
Which of the following professional organizations have a code of ethics?
- AICPA - IMA - IIA - ISACA
Select the principles related to information communication and reporting the COSO ERM 2017 framework.
- Communicate risk information - Leverage information and technology
Select correct statement regarding information technology governance and corporate governance.
- Information technology governance is the responsibility of management. - Information technology governance is a subset of corporate governance.
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Four of the seven key criteria of business requirements for information in COBIT are similar to COSO control objectives: effectiveness, efficiency, confidentiality, availability, __________ and ___________ .
- compliance - reliability
According to the COSO 2.0 framework, operations objectives are about the __________ and __________ of a firm's operations, including operational and financial performance goals and safeguarding assets.
- effectiveness - efficiency
Match the following control or governance frameworks with their main purposes.
COSO <-----> a general internal control framework that can be applied to all firms COSO ERM <-----> a framework expands from internal control to risk management that can be applied to all firms COBIT <-----> a comprehensive framework for IT governance and management ITIL <-----> a framework focusing on IT infrastructure and IT service management ISO 27000 series <-----> a framework for information security management
Which of the five domains of COBIT 2019 is about IT governance?
EDM (Evaluate, Direct, and Monitor)
Which of the following is not a component in the COSO 2013 internal control framework?
Effective operations
IT controls are a subset of a firm's internal controls and are categorized as IT general and __________ controls.
application
Which of the following is not one of the five essential components in the COSO 2013 framework?
Control assessment
True or false: Each company should use only one of the control/governance frameworks in corporate and IT governance.
False
What are the purposes of the standards of ISO 27000 series?
It is designed to address information security issues.
Based on COSO 2013, which of the following statements is not correct?
The responsibility of monitoring the effectiveness of internal controls belongs to the internal audit group.
This organization is for information systems auditors.
ISACA
Prenumbering of source documents helps to verify that:
all transactions have been recorded because the numerical sequence serves as a control.
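The batch totals card above (record count, financial total, hash total) and this prenumbering card describe two processing controls that are easy to see in code. The block below is an added example, not code from the card set: it builds a constructed batch of payroll entries, takes control totals from it, then reconciles two damaged copies (one with a record silently dropped, one with an employee number mistyped) and runs a gap/duplicate check on the prenumbered document sequence. The field names, values and the damage scenarios are all constructed.

```python
"""Batch totals and a sequence check over a constructed batch of payroll entries.

Added example, not code from the card set. The records, the field names and the
'processed' copies with a dropped record and a mistyped employee number are all
constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollEntry:
    doc_no: int         # prenumbered source document number
    employee_no: int    # numeric key nobody would normally sum: the hash total field
    amount_cents: int   # dollar field in cents: the financial total field


def batch_totals(batch):
    """Record count, financial total and hash total for a batch."""
    return {
        "record_count": len(batch),
        "financial_total": sum(e.amount_cents for e in batch),
        "hash_total": sum(e.employee_no for e in batch),
    }


def compare_totals(control, actual):
    """Names of totals that disagree; an empty list means the batch reconciles."""
    return [name for name in control if control[name] != actual[name]]


def sequence_check(batch):
    """Gaps and duplicates in the prenumbered document sequence."""
    numbers = sorted(e.doc_no for e in batch)
    if not numbers:
        return {"gaps": [], "duplicates": []}
    present = set(numbers)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    return {"gaps": gaps, "duplicates": duplicates}


# Constructed batch as keyed by the clerk, with control totals taken from it.
ENTERED = [
    PayrollEntry(1001, 4471, 125000),
    PayrollEntry(1002, 3380, 98050),
    PayrollEntry(1003, 5025, 143025),
    PayrollEntry(1004, 2210, 61000),
]
CONTROL_TOTALS = batch_totals(ENTERED)

# Same batch after a processing run that silently dropped document 1003.
DROPPED_RECORD = [e for e in ENTERED if e.doc_no != 1003]

# Same batch with one employee number transposed (3380 -> 3830); dollar
# amounts and the record count are unchanged, so only the hash total moves.
WRONG_EMPLOYEE = [
    PayrollEntry(e.doc_no, 3830 if e.employee_no == 3380 else e.employee_no, e.amount_cents)
    for e in ENTERED
]


def reconcile(batch):
    """What a processing control would report for a batch against the control totals."""
    return {
        "mismatched_totals": compare_totals(CONTROL_TOTALS, batch_totals(batch)),
        "sequence": sequence_check(batch),
    }


if __name__ == "__main__":
    print(reconcile(DROPPED_RECORD))
    print(reconcile(WRONG_EMPLOYEE))
```

The mistyped employee number is the case the hash total exists for: the record count and the financial total still agree, so without summing a field that has no arithmetic meaning the error would pass unnoticed.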
Identify physical control activities based on the COSO internal control framework.
authorization <-----> to ensure transactions are valid segregation of duties <-----> to prevent fraud and mistakes supervision <-----> to compensate imperfect segregation of duties accounting documents and records <-----> to maintain audit trails and accuracy of the financial data access control <-----> to ensure only authorized personnel have access to physical assets and information independent verification <-----> to double check for errors and misrepresentations
Corrective Controls fix problems that have been identified, such as using __________ files to recover corrupted data
backup
The computer sums the first four digits of a customer number to calculate the value of the fifth digit and then compares that calculation to the number typed during data entry. This is an example of a:
check digit verification.
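The card describes the simplest check-digit scheme: sum the digits and derive one more. The block below is an added example, not code from the card set. It implements that sum-based scheme (reading "sum" as sum mod 10, which is this example's assumption), shows that it catches a mistyped digit but not two digits entered in the wrong order, and sets the standard Luhn algorithm beside it as the usual generalization that does catch adjacent transpositions. Five-digit customer numbers with the fifth digit as the check digit are assumed, as on the card.

```python
"""Check-digit verification: the sum-mod-10 scheme from the card next to Luhn.

Added example, not code from the card set. Assumptions: a customer number is a
numeric body followed by one check digit; "summing the digits" is read as
sum mod 10; Luhn is included as a standard alternative, not as the card's scheme.
"""


def simple_check_digit(body: str) -> str:
    """Check digit = (sum of the body digits) mod 10, the scheme on the card."""
    if not body.isdigit():
        raise ValueError("body must be all digits")
    return str(sum(int(d) for d in body) % 10)


def simple_verify(number: str) -> bool:
    """True when the last digit equals the recomputed check digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    return simple_check_digit(number[:-1]) == number[-1]


def luhn_check_digit(body: str) -> str:
    """Luhn: starting with the rightmost body digit, double every second digit,
    subtract 9 from any doubled value above 9, sum, and pad to a multiple of 10."""
    if not body.isdigit():
        raise ValueError("body must be all digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_verify(number: str) -> bool:
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def error_detection_report(body: str) -> dict:
    """For one body, does each scheme reject a mistyped last digit and a
    transposition of the first two digits? (Assumes the first two digits differ.)"""
    typo = body[:-1] + str((int(body[-1]) + 1) % 10)
    swapped = body[1] + body[0] + body[2:]
    return {
        "simple_catches_typo": not simple_verify(typo + simple_check_digit(body)),
        "simple_catches_swap": not simple_verify(swapped + simple_check_digit(body)),
        "luhn_catches_typo": not luhn_verify(typo + luhn_check_digit(body)),
        "luhn_catches_swap": not luhn_verify(swapped + luhn_check_digit(body)),
    }


if __name__ == "__main__":
    print("1234 ->", simple_check_digit("1234"), luhn_check_digit("1234"))
    print(error_detection_report("1234"))
```

Either scheme is still only a data entry control: it detects keying errors, not a deliberately constructed valid-looking number, so the check digit never replaces the validity check against the customer master file.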
We define corporate __________ as a set of processes and policies in managing an organization with sound ethics to safeguard the interest of its stakeholders.
governance
The risk assessment process starts with __________ the risks
identifying
The AICPA has indicated that issues on information security are critical to certified public accountants (CPAs) as one of the top 10 technologies that accounting professionals must learn. International Organization for Standardization (ISO) 27000 series is designed to address __________ __________ issues.
information security
In the COSO ERM framework, __________ is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
monitoring
A field check is a(n)
preventive control.
Segregation of duty is a:
preventive control.
The process, __________ __________ , is to identify and analyze risks systematically to determine the firm's risk response and control activities. It allows a firm to understand the extent to which potential events might affect corporate objectives.
risk assessment
The COSO ERM framework categorizes objectives in the following four categories: __________ , operations, reporting, and compliance.
strategic
Given your understanding of COSO ERM framework, select factors regarding internal environment.
- a firm's organizational structure, board of directors and the audit committee - a firm's human resource policies/practices and development of personnel - a firm's risk management philosophy and risk appetite - a firm's integrity and ethical values
Most input controls assess one field only. Which of the following input controls must examine the whole record to determine whether the control is effective?
Completeness check.
Backup is a preventive control.
False
ITIL organizes IT service management into five high-level categories. Define each category.
Service strategy <-----> the strategic planning of IT service management capabilities and the alignment of IT service and business strategies Service design <-----> the design and development of IT services and service management processes Service transition <-----> the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service Service operation <-----> the effective and efficient delivery and support of services, with a benchmarked approach for event, problem, and access management Continual service improvement <-----> ongoing improvement of the service and the measurement of process performance required for the service
This organization is for management accountants.
IMA
This organization is for public accountants.
AICPA
True or false: Integrity and individual ethics are formed through a person's life experience.
True
True or false: The internal environment of the COSO ERM framework provides the discipline and structure for all other components of enterprise risk management. It is the most critical component in the framework.
True
The ISO 27000 series of standards are designed to address __________ __________ issues
information security
Ethical behavior prompted by a code of ethics can be considered a form of __________ __________ .
internal controls
Fill in the blanks to complete the sentence. The IT Infrastructure Library (ITIL) is a de facto standard in Europe for the best practices in IT infrastructure management and service delivery. ITIL adopts a __________-__________ approach to IT services.
life cycle
During the objective setting stage, management should have a __________ in place to set strategic, operations, reporting, and compliance objectives.
process
Select correct statements about the COBIT framework.
- COBIT 2019 includes the main points of COSO ERM 2017. - COBIT 2019 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders. - COBIT is a generally accepted framework for IT governance and management.
Select the correct statement(s) regarding the concepts on internal control defined under COSO 2.0.
- Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories. - Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
To support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests five components of internal control including:
- Risk assessment - Control activities - Control environment - Information and communication
What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?
- SOX established the PCAOB to regulate and audit public accounting firms. - Under SOX, the PCAOB replaces the AICPA as the body that issues auditing standards for audits of public companies.
Select a correct statement on the monitoring component of the COSO ERM framework.
- The ERM components and internal control process should be monitored continuously and modified as necessary. - It is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
During the "Objective Setting" process, firms set specific objectives based on their __________ and __________ .
- mission - vision
Information technology controls involve processes that provide assurance for information and help to mitigate __________ associated with the use of __________ . Firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects.
- risks - technology
The COSO ERM framework indicates that an effective internal control system should consist of four categories of objectives: __________ objectives, operations objectives, __________ objectives, and __________ objectives.
- strategic - reporting - compliance
Provide the process of risk assessment in correct sequence (i.e., seven steps). The last step is to base on the results of the cost/benefit analysis, determine whether to reduce the risk by implementing a control, or to accept, share, or avoid the risk.
1. Identify the risks 2. Estimate the likelihood of each risk occurring 3. Estimate the impact 4. Identify controls to mitigate the risk 5. Estimate the costs and benefits from instituting controls 6. Perform a cost/benefit analysis for each risk and corresponding controls 7. Based on the results of the cost/benefit analysis, determine whether to reduce the risk by implementing a control, or to accept, share, or avoid the risk
COSO stands for Committee of Sponsoring Organizations. It composes of five organizations:
AAA, IIA, FEI IMA, and AICPA.
IT Governance Institute (ITGI) developed a control framework for the governance and management of enterprise IT. This framework, __________ , provides management with an understanding of the risks associated with IT and bridges the gap among business risks, control needs, and technical issues.
COBIT
Choose the main purpose for each framework.
COBIT <-----> provides the best IT security and control practices for IT management ITIL <-----> provides the concepts and practices for IT service management ISO 27000 series <-----> address information security issues
What is a concurrent update control?
Concurrent update controls prevent two or more users from updating the same record simultaneously, so that one user's change is not silently overwritten by another's.
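The failure this control exists for is the lost update: two users read the same record, both write, and the first write vanishes. The block below is an added example, not code from the card set. It models the record store, the two user sessions and the interleaving of their reads and writes in memory (all constructed), first without any control and then with an optimistic version check that rejects a write based on a stale copy and forces a re-read before retrying.

```python
"""Concurrent update control using optimistic locking (a version number per record).

Added example, not code from the card set. The in-memory record store, the two
user sessions and the order in which their reads and writes interleave are all
constructed to show the lost-update problem and the control that prevents it.
"""


class StaleUpdateError(Exception):
    """Raised when a write is based on a version of the record that has since changed."""


class RecordStore:
    def __init__(self):
        self._rows = {}   # key -> {"balance": int, "version": int}

    def create(self, key, balance):
        self._rows[key] = {"balance": balance, "version": 0}

    def read(self, key):
        # A copy: the caller keeps the version it saw and presents it when writing.
        return dict(self._rows[key])

    def write_unchecked(self, key, balance):
        """No concurrent update control: whoever writes last wins."""
        self._rows[key]["balance"] = balance
        self._rows[key]["version"] += 1

    def write_checked(self, key, balance, expected_version):
        """Concurrent update control: the write is accepted only if nobody else has
        changed the record since the caller read it."""
        row = self._rows[key]
        if row["version"] != expected_version:
            raise StaleUpdateError(
                f"{key}: expected version {expected_version}, found {row['version']}"
            )
        row["balance"] = balance
        row["version"] += 1


KEY = "ACCT-42"   # constructed account key


def lost_update():
    """Two users read the same balance and both write; the first update disappears."""
    store = RecordStore()
    store.create(KEY, 1000)
    seen_by_a = store.read(KEY)
    seen_by_b = store.read(KEY)
    store.write_unchecked(KEY, seen_by_a["balance"] + 200)   # user A posts a receipt
    store.write_unchecked(KEY, seen_by_b["balance"] - 50)    # user B writes from stale data
    return store.read(KEY)["balance"]                        # 950: A's +200 is gone


def controlled_update():
    """Same interleaving with the control: B's stale write is rejected, then retried."""
    store = RecordStore()
    store.create(KEY, 1000)
    seen_by_a = store.read(KEY)
    seen_by_b = store.read(KEY)
    store.write_checked(KEY, seen_by_a["balance"] + 200, seen_by_a["version"])
    try:
        store.write_checked(KEY, seen_by_b["balance"] - 50, seen_by_b["version"])
        rejected = False
    except StaleUpdateError:
        rejected = True
        fresh = store.read(KEY)                               # re-read, then apply B's change
        store.write_checked(KEY, fresh["balance"] - 50, fresh["version"])
    return rejected, store.read(KEY)["balance"]               # (True, 1150)


if __name__ == "__main__":
    print("without control:", lost_update())
    print("with control:", controlled_update())
```

The same control is implemented pessimistically in a database by locking the row for the duration of the transaction (for example SQL's SELECT ... FOR UPDATE); the version-number approach used here detects the conflict at write time instead of blocking the second reader.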
The information system of Carlsbad Bottle Inc. is deemed to be 90 percent reliable. A major threat in the procurement process has been discovered, with an exposure of $300,000. Two control procedures are identified to mitigate the threat. Implementation of control A would cost $18,000 and reduce the risk to 4 percent. Implementation of control B would cost $10,000 and reduce the risk to 6 percent. Implementation of both controls would cost $26,000 and reduce the risk to 2.5 percent. Given the information presented, and considering an economic analysis of costs and benefits only, which control procedure(s) should Carlsbad Bottle choose to implement?
Control B
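The seven-step risk assessment card above ends with a cost/benefit decision, and the Carlsbad Bottle question is that decision worked by hand. The block below is an added example, not code from the card set: it computes expected loss as exposure times likelihood, the loss each candidate control avoids, the net benefit after the control's cost, and then applies step 7 (reduce with the best control if its net benefit is positive, otherwise fall back to accept, share or avoid). The figures are those in the question; the option labels are constructed.

```python
"""Cost/benefit analysis of candidate controls (risk assessment steps 5 to 7),
worked on the Carlsbad Bottle figures.

Added example, not code from the card set. The figures are those in the question;
the option labels ("A", "B", "A+B") are constructed.
"""


def expected_loss(exposure, likelihood):
    """Expected loss = exposure (impact, step 3) times likelihood (step 2)."""
    return round(exposure * likelihood, 2)


def evaluate_controls(exposure, baseline_likelihood, options):
    """Steps 4 to 6: for each candidate control given as (cost, residual likelihood),
    the expected loss it leaves, the benefit (loss avoided) and the net benefit.
    Rows come back sorted from best to worst net benefit."""
    baseline = expected_loss(exposure, baseline_likelihood)
    rows = []
    for name, (cost, residual_likelihood) in options.items():
        remaining = expected_loss(exposure, residual_likelihood)
        benefit = round(baseline - remaining, 2)
        rows.append({
            "control": name,
            "cost": cost,
            "expected_loss": remaining,
            "benefit": benefit,
            "net_benefit": round(benefit - cost, 2),
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


def choose_response(exposure, baseline_likelihood, options):
    """Step 7: reduce the risk with the control whose net benefit is largest and
    positive; otherwise no control pays for itself and the remaining choices are
    to accept, share (e.g. insure) or avoid the risk."""
    best = evaluate_controls(exposure, baseline_likelihood, options)[0]
    if best["net_benefit"] > 0:
        return ("reduce", best["control"])
    return ("accept, share or avoid", None)


# Carlsbad Bottle: a 90% reliable system means a 10% likelihood; $300,000 exposure.
CARLSBAD_EXPOSURE = 300_000
CARLSBAD_LIKELIHOOD = 0.10
CARLSBAD_OPTIONS = {
    "A": (18_000, 0.04),
    "B": (10_000, 0.06),
    "A+B": (26_000, 0.025),
}

if __name__ == "__main__":
    for row in evaluate_controls(CARLSBAD_EXPOSURE, CARLSBAD_LIKELIHOOD, CARLSBAD_OPTIONS):
        print(row)
    print(choose_response(CARLSBAD_EXPOSURE, CARLSBAD_LIKELIHOOD, CARLSBAD_OPTIONS))
```

Running it reproduces the answer: baseline expected loss $30,000; A avoids $18,000 for $18,000 (net $0), B avoids $12,000 for $10,000 (net $2,000), both together avoid $22,500 for $26,000 (net -$3,500), so only B is worth implementing on economics alone.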
Select the principle related to governance and culture in the COSO ERM 2017 framework.
Demonstrate commitment to core values
__________ controls find problems when they arise.
Detective
Which is not an example of a batch total?
Exception total
True or false: The most recent control framework designed by COSO is called control objectives for information and related technology (COBIT).
False
True or false: The control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by PCAOB to be used for SOX section 404 audit.
False. Reason: The control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security and control practices. SOX requires public companies to choose a framework for evaluating controls, but neither SOX nor the PCAOB requires any specific control framework to be used in evaluating internal controls.
Match the following data entry controls with their definitions.
Field checks <-----> ensure the characters in a field are of the proper type Validity checks <-----> compare data entering the system with existing data in a reference file to ensure only valid data are entered Size checks <-----> ensure the data fit into the size of a field Completeness checks <-----> ensure all required data are entered for each record Range checks <-----> test a numerical amount to ensure that it is within a predetermined range Closed-loop verifications <-----> retrieve and display related information to ensure accurate data entry Reasonableness checks <-----> ensure the logical relationship between two data values is correct
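The block below is an added example, not code from the card set, that applies every data entry control on this card to constructed sales-order records: completeness, field, size, validity, range and reasonableness checks in a validator that reports each failure by name, plus closed-loop verification that echoes the customer name back for the clerk to confirm. The field names, the size and range limits, the date relationship used for the reasonableness check and the customer reference file are assumptions chosen for illustration; values are taken as the strings a clerk would key.

```python
"""Data entry (input) controls applied to constructed sales-order records.

Added example, not code from the card set. The field names, the size and range
limits, and the customer reference file are assumptions chosen to illustrate each
check on the card. Field values are the strings as keyed by the clerk.
"""

import datetime as dt

# Constructed reference file: used by the validity check and closed-loop verification.
CUSTOMERS = {
    "C1001": "Carlsbad Bottle Inc.",
    "C1002": "Acme Glassworks",
    "C1003": "Bay Area Supply",
}

REQUIRED_FIELDS = ("customer_id", "item_code", "quantity", "unit_price", "order_date", "ship_date")
ITEM_CODE_MAX_LEN = 8           # size check limit (assumed)
QUANTITY_RANGE = (1, 10_000)    # range check bounds (assumed)


def _parse_date(text):
    try:
        return dt.date.fromisoformat(text)
    except (TypeError, ValueError):
        return None


def validate_order(rec):
    """Run each data entry control over one record; returns the failures as
    'check:field' codes, empty when the record passes everything."""
    errors = []

    # Completeness check: every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        return [f"completeness:{f}" for f in missing]   # other checks need the fields

    # Field check: characters in a field are of the proper type.
    if not rec["quantity"].isdigit():
        errors.append("field:quantity")
    if not rec["item_code"].isalnum():
        errors.append("field:item_code")
    try:
        unit_price = float(rec["unit_price"])
    except ValueError:
        unit_price = None
        errors.append("field:unit_price")

    # Size check: the value fits the field.
    if len(rec["item_code"]) > ITEM_CODE_MAX_LEN:
        errors.append("size:item_code")

    # Validity check: the key must exist in the reference file.
    if rec["customer_id"] not in CUSTOMERS:
        errors.append("validity:customer_id")

    # Range check: a numeric amount lies within predetermined bounds.
    if rec["quantity"].isdigit() and not QUANTITY_RANGE[0] <= int(rec["quantity"]) <= QUANTITY_RANGE[1]:
        errors.append("range:quantity")
    if unit_price is not None and unit_price <= 0:
        errors.append("range:unit_price")

    # Reasonableness check: logical relationship between two values.
    order_date, ship_date = _parse_date(rec["order_date"]), _parse_date(rec["ship_date"])
    if order_date is None or ship_date is None:
        errors.append("field:dates")
    elif ship_date < order_date:
        errors.append("reasonableness:ship_date")

    return errors


def closed_loop(rec):
    """Closed-loop verification: echo the customer's name back so the clerk can
    confirm the right account was keyed; None when there is nothing to echo."""
    return CUSTOMERS.get(rec.get("customer_id"))


# Constructed records.
GOOD_ORDER = {"customer_id": "C1001", "item_code": "BTL500", "quantity": "120",
              "unit_price": "2.50", "order_date": "2024-03-01", "ship_date": "2024-03-04"}
BAD_ORDER = {"customer_id": "C9999", "item_code": "BTL-500-XL", "quantity": "12O",
             "unit_price": "2.50", "order_date": "2024-03-01", "ship_date": "2024-02-28"}
INCOMPLETE_ORDER = {"customer_id": "C1002", "item_code": "JAR100", "quantity": "5",
                    "unit_price": "1.10", "order_date": "2024-03-01"}

if __name__ == "__main__":
    for rec in (GOOD_ORDER, BAD_ORDER, INCOMPLETE_ORDER):
        print(validate_order(rec), closed_loop(rec))
```

The completeness check runs first and short-circuits because the remaining checks read the fields it guards; the other checks are independent and are all reported, which is what a clerk needs to fix a record in one pass rather than one error at a time.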
Define each type of controls properly.
General controls <-----> Internal controls that pertain to enterprise-wide issues Application controls <-----> Internal controls specific to a subsystem or an application Preventive controls <-----> Internal controls that deter problems before they arise Detective controls <-----> Internal controls that find problems when they arise Corrective controls <-----> Internal controls that fix problems that have been identified
While COBIT defines the overall IT control framework, __________ provides the details for IT service management; it was released by the UK Office of Government Commerce (OGC) and is the most widely accepted model for IT service management.
ITIL
While COBIT defines the overall IT control framework, another framework, __________ , provides the details for IT service management and adopts a life-cycle approach to IT services, focusing on practices for service strategy, service design, service transition, service operation, and continual service improvement.
ITIL
Please match the control components with the principles in the COSO 2013 framework.
Information and Communication <-----> The organization communicates with external parties regarding matters affecting the functioning of internal control. Control Activities <-----> The organization deploys control activities through policies that establish what is expected and procedures that put policies into place. Risk Assessment <-----> The organization identifies and assesses changes that could significantly impact the system of internal control. Control Environment <-----> The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Monitoring Activities <-----> The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Identify the purposes of IT application controls in three categories: input controls, processing controls and output controls.
Input controls <-----> ensuring the authorization, entry, and verification of data entering the system Processing controls <-----> ensuring that data and transactions are processed accurately Output controls <-----> providing output to authorized people and ensuring the output is used properly
Which of the following is a correct statement about COSO ERM 2017 framework?
It enhances alignment among strategy-setting, decision-making, and performance through enterprise risk management.
Determine the type of each internal control mechanism.
Require authorization before recording transactions <-----> preventive control Prepare monthly bank reconciliations <-----> detective control Use a backup file to recover corrupted data <-----> corrective control Require using user names and passwords to access the company's network <-----> general control When entering a sales transaction, use an input control to ensure the customer account number is entered accurately <-----> application control
Please match the control components with the principles in the COSO 2013 framework.
Risk assessment <-----> The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Control environment <-----> Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Monitoring <-----> The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Control activities <-----> The organization selects and develops general control activities over technology to support the achievement of objectives. Information and communication <-----> The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
This organization is for internal auditors.
IIA
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk __________ .
appetite
Controls that are designed to prevent, detect, or correct errors in transactions as they are processed through a specific subsystem are referred to as:
application controls.
In the COSO ERM framework component __________ __________ , firms identify events affecting achievement of their objectives.
event identification
IT application controls are activities specific to a subsystem's or an application's __________ , processing, and output.
input
Most mistakes in an accounting information system occur while entering data. Control efforts are therefore focused on __________ rather than on processing and output activities.
input
The processes of making sure changes to programs and applications are authorized and documented are called change __________ controls. Changes should be tested prior to implementation so they do not affect system availability and reliability.
management
Internal control is a __________ consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
process
The application controls are grouped into three categories to ensure information processing integrity: input, __________, and output controls.
processing
What is enterprise risk management (ERM)?
- It aims to provide reasonable assurance regarding the achievement of objectives - It involves a company's board of directors, management, and other personnel in the process - It is applied in strategy setting and across the enterprise.
Choose proper examples of detective controls.
- Prepare monthly trial balances. - Prepare monthly bank reconciliations.
What are the main purposes of corporate governance?
- To promote accountability and transparency in a firm's operations - To protect the interests of a firm's stakeholders - To encourage the efficient use of the resources a firm has.
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Three of the seven key criteria of business requirements for information in COBIT are about security and people often call them CIA: confidentiality, __________ , and ___________ .
- integrity - availability
Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achieving the firm's objectives. There are two categories of control activities: __________ controls and __________ controls
- physical - IT
The four options to respond to risks are:
- reducing - sharing - avoiding - accepting risks
The COSO 2.0 (COSO 2013) framework indicates that an effective internal control system should consist of three categories of objectives: operations objectives, __________ objectives, and __________ objectives.
- reporting - compliance
Internal and external events affecting achievement of a firm's objectives must be identified. When using COSO ERM framework, management must distinguish between __________ and __________ after identifying all possible events.
- risks - opportunities
True or false: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management.
False
Access control to ensure only authorized personnel have access to a firm's network is a:
general control.