AIS Chapter 10 Reading Questions
IIA
(Institute of Internal Auditors) organization for internal auditors
What are some examples of detective controls
- Prepare monthly bank reconciliations
- Prepare monthly trial balances
- Count inventory periodically
Given your understanding of COSO ERM framework, select factors regarding internal environment
- A firm's integrity and ethical values
- A firm's human resource policies/practices and development of personnel
- A firm's risk management philosophy and risk appetite
- A firm's organizational structure, board of directors, and audit committee
What are some examples of preventive controls
- Require authorization before recording transactions
- Proper segregation of duties in daily operations
What are some examples of corrective controls
- Using a backup file to recover corrupted data
COBIT
a comprehensive framework for IT governance and management
ITIL
a framework focusing on IT infrastructure and IT service management
ISO 27000 series
a framework for information security management
COCO
a general internal control framework that can be applied to all firms
Application controls are specific to
a subsystem or an application, to ensure the validity, completeness, and accuracy of the transactions. EX: When entering a sales transaction, use an input control to ensure the customer account number is entered accurately
Management selects risk responses and develops a set of actions to align risks with entity's risk tolerances and risk appetite. The four options to respond to risk are: reducing, sharing, avoiding, and ______ risks.
accepting
IT controls are a subset of a firm's internal controls and are categorized as IT general and ______ controls
application
Corrective controls fix problems that have been identified, such as using ______ files to recover corrupted data
backup
validity checks
compare data entering the system with existing data in a reference file to ensure only valid data are entered
What is a concurrent update control
Concurrent update controls prevent two or more users from updating the same record simultaneously.
Per COBIT 5, IT management includes planning, building, running, and _________ activities in alignment with the direction necessary to achieve the firm's objectives
monitoring
Select a correct statement on the monitoring component of the COSO ERM framework
monitoring is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model. The ERM components and internal control process should be monitored continuously and modified as necessary
Continual service improvement
ongoing improvement of the service and the measurement of process performance required for the service.
AICPA
organization for public accountants
requiring a signed source document before recording a transaction is a _______ control
preventive
During the objective setting stage, management should have a _____ in place to set strategic, operations, reporting, and compliance objectives
process
COBIT
provides the best IT security and control practices for IT management
ITIL
provides the concepts and practices for IT service management
Internal and external events affecting achievement of a firm's objectives must be identified. When using COSO ERM framework, management must distinguish between ______ and ______ after identifying all possible events
risk and opportunity
Correct statements about COBIT
- COBIT is a generally accepted framework for IT governance and management
- COBIT 5 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders
- COBIT 5 integrates other frameworks and standards such as ITIL (Information Technology Infrastructure Library) and the ISO (International Organization for Standardization) 27000 series
What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?
- Under SOX, the PCAOB replaces the AICPA in issuing audit standards
- SOX established the PCAOB to regulate and audit public accounting firms
To support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests five components of internal control
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring activities
What is Enterprise Risk Management (ERM)
1. ERM identifies potential events that may affect the firm
2. ERM manages risk to be within the firm's risk appetite
3. ERM provides reasonable assurance regarding the achievement of the firm's objectives
It involves a company's board of directors, management, and other personnel in the process. It is applied in strategy setting and across the enterprise. It aims to provide reasonable assurance regarding the achievement of objectives.
COSO ERM framework indicates that
1. ERM identifies potential events that may affect the firm
2. ERM manages risk to be within the firm's risk appetite
3. ERM provides reasonable assurance regarding the achievement of the firm's objectives
Select the correct statement(s) regarding the concepts on internal control defined under COSO 2.0
1. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
2. Internal control is affected by people. It is not merely about policy manuals, systems, and forms. Rather, it is about people at every level of a firm who affect internal control.
3. Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board.
4. Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.
5. Internal control is adaptable to the entity structure.
Provide the process of risk assessment in the correct sequence. The last step is, based on the results of the cost/benefit analysis, to determine whether to reduce the risk by implementing a control or to accept, share, or avoid the risk.
1. Identify risks to the firm
2. Estimate the likelihood of each risk occurring
3. Estimate the impact
4. Identify controls to mitigate the risk
5. Estimate the costs and benefits of implementing the controls
6. Perform a cost/benefit analysis for each risk and its corresponding controls
The COSO 2.0 (COSO 2013) framework indicates that an effective internal control system should consist of three categories of objectives: operations objective, ______ objectives, and ____________ objectives.
1. Operations objectives: effectiveness and efficiency of a firm's operations, including financial performance goals and safeguarding assets
2. Reporting objectives: reliability of reporting, including internal and external financial and non-financial reporting
3. Compliance objectives: adherence to applicable laws and regulations
COSO ERM
A framework that expands from internal control to risk management and can be applied to all firms
T/F: The Control Objectives for Information and Related Technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by the PCAOB to be used for SOX section 404 audits
False; the COBIT framework is an internationally accepted set of best IT security and control practices for IT management released by the IT Governance Institute (ITGI)
T/F: The most recent control framework designed by COSO is called Control Objectives for Information and Related Technology
False; COSO created the "Internal Control - Integrated Framework" in 1992 and the "Enterprise Risk Management - Integrated Framework"
COBIT defines the overall IT control framework, and ______ provides the details for IT service management; it is released by the UK Office of Government Commerce and is the most widely accepted model for IT service management
ITIL
Identify physical activities based on COSO internal control framework
Authorization: to ensure transactions are valid
Segregation of duties: to prevent fraud and mistakes
Supervision: to compensate for imperfect segregation of duties
Accounting documents and records: to maintain audit trails
Access control: to ensure only authorized personnel have access to physical assets and information
Independent verification: to double-check for errors and misrepresentations
General Controls pertain to
enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes to programs, and so on.
EX: Require user names and passwords to access the company's network; require a policy on developing and maintaining applications
The COSO ERM framework component ______________ _______________ helps firms identify events affecting achievement of their objectives
event identification
We define corporate ______ as a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.
governance
What are the purposes of the standards of the ISO 27000 series?
it is designed to address information security issues
The processes of making sure changes to programs and applications are authorized and documented are called change ____ controls. Changes should be tested prior to implementation so they do not affect system availability and reliability
management
Financial Total
the sum of a field containing dollar values
Service operation
the effective and efficient delivery and support of services, with a benchmarked approach for event, problem, and access management
Residual Risk
the product of inherent risk and control risk
Service strategy
the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
Hash Total
the sum of a numeric field, such as employee number, which normally would not be the subject of arithmetic operations.
Control Risk
the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system
Service transition
the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service
completeness checks
ensure all required data are entered for each record
field checks
ensure that the characters in a field are of the proper type
______ controls find problems when they arise
Detective
Size Check
Ensure the data fit within the size of a field
T/F: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management
False
T/F: Each company should use only one of the control/governance frameworks in corporate and IT governance.
False
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Three of the seven key criteria of business requirements for information in COBIT are about security and people often call them CIA: confidentiality, _________, and ___________
Integrity and Availability
ISACA
Organization for information system auditors
IMA
Organization for management accountants
The COSO ERM framework categorized objectives in the following four categories:
Strategic, Operations, Reporting, Compliance
Inherent Risk
The risk related to the nature of the business activity itself
T/F: Integrity and individual ethics are formed through a person's life experience
True
What are the main purposes of corporate governance
Corporate governance can be defined as a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. It also promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
1. Encourages the efficient use of the resources a firm has and protects the interests of a firm's stakeholders
2. To protect the interests of a firm's stakeholders
3. To promote accountability and transparency in a firm's operations
Record Count
indicates that the same total number of records is in the batch
The AICPA has indicated that issues on information security are critical to certified public accountants, listing it as one of the top 10 technologies that accounting professionals must learn. The International Organization for Standardization (ISO) 27000 series is designed to address ______________ issues
information security
IT application controls are activities specific to a subsystem's or application's ______, processing, and output
input
Service design
the design and development of IT services and service management processes