Assurance Quiz 1
An IS auditor would be primarily influenced by?? A. The charter of the audit department B. The representation by management C. The structure of the organization D. The number of outsourcing arrangements
A
When compiling the financial statements of a private entity, an accountant should? A. Review agreements with financial institutions for restrictions on cash balances B. Understand accounting principles and practices of the entity's industry C. Inquire of key personnel concerning related parties and subsequent events D. Perform ratio analyses of the financial data of comparable prior periods
B
Which is the purpose of segregation of duties controls in IT? A. To consolidate duties for efficiency B. To prevent conflicts of interest C. To improve network performance To manage software licenses
B
Which of the following SOC reports is designed for service organizations that store, process, or transmit customer data? A. SOC 1 B. SOC 2 C. SOC 3 D. All of these
B
Which of the following is NOT one of the three major control types A. Detective B. Deterrent C. Preventive D. Corrective
B
Which of the following is the first step in risk-based audit planning? A. To identify the requirements of relevant stakeholders B. To identify high-risk processes in the company C. To identify the budget D. To identify the profit function
B
Which of the following professional services would be considered an attest engagement A. A management consulting engagement to provide IT advice to a client B. An engagement to report on compliance with statutory requirements C. An income tax engagement to prepare federal and state tax returns D. Compilation of financial statements from a client's accounting records
B
Which of the following should be the first exercise while reviewing data center security? A. The evaluation of the physical security arrangement B. The evaluation of vulnerabilities and threats to the data center location C. The evaluation of the business continuity arrangement for the data center D. The evaluation of the logical security arrangement
B
Which type of IT application control validates data entered into a software application to ensure it is accurate and appropriate? A. Data validation controls B. Input controls C. Processing controls D. Output controls
B
Who should the auditor notify if an illegal or inappropriate act involves the persons responsible for governance of controls? A. Law enforcement B. Audit committee C. Federal regulators D. Whistle-blower hotline
B
The actions of the IS auditor is most likely to influence which of the following risks? A. Inherent B. Detection C. Control D. Business
B - detection risk - the risk of internal audit failure (IA does not detect control failures), IA controls detection risk by the extent and performance of its audit procedures
Which of the following functions should be separated from the others if segregation of duties cannot be achieved in an automated system? A. Origination B. Authorization C. Reprocessing D. Transaction logging
B Segregation of duties between: Authorization, Recording and Custody
A compilation engagement includes the following: A. CPA must be independent. B. Issue a compilation report. C. Perform substantive audit procedures. D. Provides an opinion - either reasonable or negative assurance.
A
An auditor discovers a likely fraud during an audit but concludes that the overall effect of the fraud is not sufficiently material to affect the audit opinion. The auditor should probably? A. Disclose the fraud to the appropriate level of the client's management. B. Disclose the fraud to appropriate authorities external to the client. C. Discuss with the client the additional audit procedures that will be needed to identify the exact amount of the fraud. D. None of the above
A
Encryption helps in achieving which of the following objectives in an EDI environment? A. Ensuring confidentiality and integrity of transactions B. Detecting invalid transactions C. Validating and ensuring reconciliation of totals between the EDI system and a trading partner system D. Providing functional acknowledgement to the sender
A
SOC 2 reports are typically issued by A. External auditors B. Internal auditors C. Management of the service organization D. External or internal auditor - it depends on the circumstances
A
The most important factor when implementing controls is ensuring that the control does which of the following? A. Helps to mitigate risk B. Does not impact productivity C. Is cost effective D. Is automated
A
The particular threat of an overall business risk indicated? A. The product of the probability and impact B. The probability of the threat realization C. The valuation of the impact D. The valuation of the risk management team
A
What is the most widely recognized way to prevent fraud? A. Implement a good system of internal controls B. Encourage employees to report suspicious activity C. Quickly punish employees found committing fraud D. Actively engage audit committee
A
What is the purpose of ISACA's professional ethics statement? A. To clearly specify acceptable and unacceptable behavior B. To provide procedural advisement to the new IS auditor C. To provide instructions on how to deal with irregularities and illegal acts by the client D. To provide advice on when it is acceptable for the auditor to deviate from audit standards
A
Which is an example of fraudulent reporting? A. Company management falsifies the inventory count, thereby overstating ending inventory and understating cost of sales. B. An employee diverts customer payments to his personal use, concealing his actions by debiting an expense account, thus overstating expenses. C. An employee steals inventory and the shrinkage is recorded as a cost of goods sold. D. An employee borrows small tools from the company and neglects to return them.
A
Which of the following IT application controls verifies the consistency and accuracy of data within the application's database? A. Data validation controls B. Input controls C. Processing controls D. OITIL - infutput controls
A
Which of the following covers the overall authority to perform an IS audit? A. The approved audit charter B. Management's request to perform an audit C. The audit scope with goals and objectives D. The approved audit schedule
A
Which of the following is NOT true regarding the audit committee? A. Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs B. Executives can by hired and fired by the audit committee because this committee is responsible for management oversight C. The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors. D. The audit committee provi
A
Which of the following is correct concerning required auditor communications about fraud? A. Fraud that involves senior management should be reported directly by the auditor to the audit committee regardless of the amount involved. B. Fraud with a material effect on the financial statements should be reported directly by the auditor to the SEC. C. Any requirement to disclose fraud outside the entity is the responsibility of management and not that of the auditor.
A
Which of the following statements is NOT true with respect to assurance, attest and audit services? A. These services are applied only to financial statements and financial statement accounts. B. These services all involve obtaining and evaluating evidence. C. These services all involve determining the correspondence of some information to a set of criteria. D. These services all involve issuing a report
A
Which of the following statements is correct concerning both an engagement to compile and an engagement to review a private entity's financial statements? A. The accountant is not required to obtain an understanding of internal control B. The accountant must be independent in fact and appearance C. The accountant expresses no assurance on the financial statements D. The accountant should obtain a written management representation letter
A · A - understanding of IC not required for either · B - Compilation independence not required, Review requires independence · C - Compilation no assurance, Review limited assurance · D - Review requires a mgt representation letter (similar to an audit)
Computer Services Company (CSC) processes payroll transactions for schools. Drake CPA, is engaged to report on CSC's policies and procedures placed in operation as of a specific date. These policies and procedures are relevant to the schools' internal control structure. Drake's report expressing an opinion on CSC's policies and procedures placed in operations as of a specified date should contain a
A · Need to recognize that the schools needs SOC 1 type 1 report. · Read the question again and notice that the service Drake is providing is essential a description of a SOC 1 type 1 report. Report will be used for audit planning
Which of the following would an IS auditor MOST likely focus on when developing a risk-based audit program? A. Business processes B. Administrative controls C. Environmental controls D. Business strategies
A - focus on the understanding the nature of the business
Which of the following procedures would be generally performed when evaluating the accounts receivable balance in an engagement to REVIEW financial statements?
A - review - perform mostly analytical procedures and inquiries
1. Which of the following factors most likely would heighten an auditor's concern about the risk of fraudulent financial reporting? A. Inability to generate cash flows from operations while reporting substantial earnings growth B. Management's lack of interest in increasing the entity's earnings trend C. Large amounts of liquid assets that are easily converted into cash D. Inability to borrow necessary capital without granting debt covenants
A. Notes - B is not an indicator or fraud risk, C - turning liquid assets is a risk factor for Misappropriation of assets not Fraudulent reporting. D is okay, granting debt covenants to receive debt financing is common,
Review each control - identify the type of control is represents (Preventive, Detective, Corrective, Compensating) A. Checkpoints in a production job B. Controls that minimize the impact of a threat C. Segregation of duties D. Disaster recovery planning E. Variance analysis
A. detective B. Corrective C. Preventive D. Corrective E. Detective
What is the auditor's responsibility for detecting fraud?
An auditor is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatements, whether caused by error or fraud. DIRECT and MATERIAL
1. Which of the following assurances is not provided by compliance with Trust Services principles? A. There are procedures to protect the system against unauthorized physical access B. The financial statements created by the system are free of material misstatements C. The documented system availability objectives, policies, and standards have been communicated to authorized users and controls are functioning as documented D. Documented system processing integrity
B
1. Which of the following factors creates an opportunity for fraud to be committed in an organization? A. Management demands financial success. B. Poor internal control. C. Commitments tied to debt covenants. D. Management is aggressive in its application of accounting rules.
B
As opposed to a manual control, an automated control A. Can never by circumvented B. Should function consistently in the absence of program changes C. Need not be tested by the auditor D. Must be tested using the same techniques as a manual control
B
Audit designed to assess issues related to the efficiency of operational productivity within an organization? A. Administrative audit B. Operational audit C. IS audit D. Compliance audit
B
Auditing standards require auditors to make certain inquiries of management regarding fraud. Which of the following inquiries is required? A. Whether management has ever intentionally violated the securities laws. B. Whether management has any knowledge of fraud that has been perpetrated on or within the entity. C. Management's attitudes toward regulatory authorities. D. Management's attitudes about hiring ethical employees.
B
Financial statements of a non-public entity that have been reviewed by an accountant should be accompanied by a report stating that? A. The scope of the inquiry and the analytical procedures performed by the accountant have not been restricted B. All information included in the financial statements is the representation of the management of the entity C. A review includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements D. A review is ...
B
In recent years, organizations have implemented a number of initiatives to more proactively detect fraud. The most common proactive fraud detection approach has been to. A. Install surveillance cameras B. Install reporting hotlines C. More effective use of internal audit D. External audit
B
In the context of audit data analytics, what is "predictive analytics? A. A technique for detecting historical anomalies in financial data. B. Using historical data to forecast future events or outcomes. C. A method to identify errors in financial statements. D. Type of visualization tool for audit data.
B
In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy? A. Reasonableness check B. Key verification C. Control total D. Completeness check
B
What does COBIT stand for? A. Computer operations, business and information technology B. Control objectives for information and related technologies C. Comprehensive operational blueprint for information technology Central organization of business and information technology
B
What does SOC 1 reporting primarily focus on? A. Security controls B. Financial controls C. Privacy controls D. Data breach response
B
What function does an auditor provide? A. Second set of eyes, which are external to the subject under review B. Independent assurance that the claims of management are correct C. Assistance by fixing problems found during the audit D. Adapting standards to fit the needs of the client
B
What is the main objective of conducting a risk assessment? A. To determine segregation of duties for critical functions B. To ensure that critical vulnerabilities and threats are recognized C. To ensure that regulations are complied with D. To ensure business profitability
B
What is the primary difference between fraud and error in financial statement reporting? A. The materiality of the misstatement. B. The intent to deceive. C. The level of management involved. D. The type of transaction effected.
B
What is the primary goal of disaster recovery planning in IT? A. To prevent all disasters from occurring B. To minimize the impact of disasters and ensure business continuity. C. To recover lost data after a disaster To create a disaster response team
B
What is the purpose of the audit committee? A. To provide daily coordination of all audit activities B. To challenge and review assurances C. To assist the managers with training in auditing skills D. To govern, control and manage the organization
B
Audit is designed to collect and evaluate an information system and any related resources? A. Compliance audit B. Operational audit C. IS audit D. Specialized audit
C
IS auditors often perform risk assessments to identify potential vulnerabilities and threats in an organization's IT environment. What is the main goal of this activity? A. To sell software to the organizations B. To prevent all IT related risk C. To prioritize and mitigate risks to protect critical assets. D. To detect areas that could reasonably impact potential misstatement.
C
Limited assurance is provided in A. An audit engagement B. A compilation engagement C. A review engagement D. None of these
C
The prime reason for the review of an organization chart is to? A. Get details related to the flow of data B. Analyze the department-wise employee ratio C. Understand the authority and responsibility of individuals D. Analyze department-wise IT assets
C
The standard report issued by an accountant after reviewing the financial statements of a non-public entity states that? A. A review includes assessing the accounting principles used and significant estimates made by management B. A review includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements C. The accountant is not aware of any material modifications that should be made to the financial statements
C
What is the primary consideration when evaluating the acceptable level of risk? A. The acceptance of risk by higher management B. That not all risk need to be addressed C. That all relevant risks must be recognized and documented for analysis D. The involvement of line management in risk analysis
C
Which of the following characteristics most likely would heighten an auditor's concern about the risk of intentional manipulation of financial statements? A. Turnover of senior accounting personnel is low. B. Insiders recently purchased additional shares of the entity's stock. C. Management places substantial emphasis on meeting earnings projections. D. The rate of change in the entity's industry is slow.
C
Which of the following covers the overall authority to perform an IS audit? A. The audit scope with goals and objectives B. Management's request to perform an audit C. The approved audit charter D. The approved audit schedule
C
Which of the following functions is governed by the audit charter? A. The information technology function B. The external audit function C. The internal audit function D. The information security function
C
Which of the following is NOT a component of an attestation engagement? A. Information or a process (the subject matter) on which the assurance is provided. B. Criteria for evaluation, such as regulations C. Federal regulatory guidelines D. Written attestation report E. Sufficient appropriate evidence
C
Which of the following is a misappropriation of assets? A. Classifying inventory for resale as supplies B. Investing cash and earning at a 3% rate of return as opposed to paying off a loan with an interest rate of 7% C. An employee of a consumer electronics store steals 12 CD players D. Management estimates bad debt expense as 2% of sales when it actually expects bad debts equal to 10% of sales
C
Which of the following is not a Trust Services Principle? A. Processing integrity B. Online privacy C. Digital certification D. Availability
C
Which of the following is not one of the general areas of the IIA's International Standards for Professional Practice of Internal Auditing? A. Performance standards B. Implementation standards C. Ethical standards D. Attribute standards
C
Which of the following statements concerning prospective financial statements is correct? A. Only a financial forecast would normally be appropriate for limited use B. Only a financial projection would normally be appropriate for general use C. Any type of prospective financial statement would normally be appropriate for limited use D. Any type of prospective financial statement would normally be appropriate for general use
C
Which of the following would be considered an attestation assurance service engagement? A. Express an opinion about the reliability of an entity's financial statements. B. Reporting that a company's sustainability metrics are complete and accurate. C. Both of these D. None of these
C
Which type of IT general control is responsible for governing who has access to IT systems and data? A. Change management B. Segregation of duties C. Access control D. Data validation
C
The of the following is NOT true concerning the IT steering committee? A. The committee typically reviews and approves major acquisitions of IT software and hardware B. The committee typically reports to the board of directors on IS activities C. The committee focuses the on the day-to-date or routine management of the IT organization D. It establishes IT priorities for the business as a whole
C - This is a committee composed of senior executives that direct, review and approve IT strategic plans, oversee major initiatives and allocate resources. It helps establish IT priorities. It conveys business requirements to the IT executive. It does not focus on agenda of IT issues. Its focus is at a higher level - senior level, strategic.
Which of the following is the best choice to ensure that internal control objectives are met? A. Top executive issues a policy stating compliance objectives B. Procedures are created to govern employee conduct C. Suitable systems for tracking and reporting incidents are used D. The clients operating records are audited annually
C - designing, implementing and using suitable systems for tracking and reporting incidents is the best way to ensure IC objectives are met. What gets measured gets done. Tracking the detection of problems is important. Timely detection is a priority of IC
The accountant's knowledge of the accounting principles and practices of a client's industry should enable him/her to compile appropriate financial statements. The accountant should also understand the nature of the entity's business, its accounting records, the qualifications of its personnel, the accounting basis of the financial statements, and their content. The accountant DOES ALL of the following EXCEPT? C. Obtains an understanding of internal control and assess control risk
C - this is a compilation. Gain knowledge to format financials appropriately. Do not need to assess risk and controls
The auditor can respond to an increased risk of fraud by doing all of the following except? A. Evaluating whether the accounting policies selected may be indicative of fraudulent financial reporting through earnings management. B. Assigning more experienced personnel to the audit. C. Increasing detection risk. D. Taking steps to obtain more reliable evidence.
C - we didn't go over the audit risk model but hopefully you remember. AR = IR x CR x DR. Auditor SETS Audit Risk (AR), ASSESSES - Inherent Risk and Control Risk (IR and CR), Detection Risk is calculated based on other three components
Define corporate governance
Corporate governance entails all management-administered policies and procedures to control risk and oversee operations within a company
Identify the level of assurance provided by a CPA
Identify the level of assurance provided by a CPA a. Examination - positive (or reasonable) b. Review - negative (moderate) c. Agreed Upon Procedure (none) d. Compilation (none) e. Preparation (none)
An IS auditor performs risk assessments to identify risk and threats to an IT system. These assessments will help develop the auditor develop audit plans. (T/F)
T
COBIT is an IT governance and management framework developed by ISACA to help business develop, organize and implement strategies around information management and governance (T/F)
T
When is a duty to disclose fraud to parties other than the entity's senior management and its audit committee most likely to exist? A. When the amount is material. B. When the fraud results from misappropriation of assets rather than fraudulent financial reporting. C. In response to inquiries from a successor auditor. D. When a line manager rather than a lower-level employee commits the fraudulent act. E. A and C
E
Provide two examples of attestation engagements
Examples of attestation engagements are (1) reporting on an entity's internal control over financial reporting, (2) assurance on financial forecasts and projections, and (3) assurance on compliance with the requirements of specified laws, regulations, rules, contracts, or grants
A review involves assessing fraud risk. (T/F)
False
It is management's responsibility to design and implement programs and controls to prevent, deter and detect fraud. (T/F)
T
The primary purpose of forensic audit is the development of evidence for review by law enforcement or to be used in judicial proceedings (T?F)
T
Identify the components of the fraud risk triangle (or said another way - what are the three conditions that are generally present when fraud occurs)
Fraud risk factors (triangle) · Incentive / pressure - provides a reason to commit fraud. · Opportunity - circumstances that exist which allow the fraud to occur · rationalization - justification to commit fraud. Person may possess attitude, character or set of ethical values that allow them to intentionally commit a dishonest act
An accountant may accept an engagement to apply agreed-upon procedures to prospective financial statements, provided that A. The prospective financial statements are also examined B. Responsibility for the adequacy of the procedures performed is taken by the accountant C. Negative assurance is expressed on the prospective financial statements taken as a whole D. Distribution of the report is restricted to the specified users
D
An assurance report on information can provide assurance about the information's A. Reliability B. Relevance C. Timeliness D. All of the above
D
The general accreditation granted by the Institute of Internal Auditors is known as the? A. CFE B. CGAP C. CFSA D. CIA
D
The primary objective of the audit charter is to A. Document the procedural aspect of an audit B. Document system and staff requirements to conduct the audit C. Document the ethics and code of conduct for the audit department D. Document the responsibility and authority of the audit department
D
What is the most common way to overstate revenue? A. Record revenue prematurely B. Channel stuffing C. Abuse sales cutoff line for recording revenue D. Create fictitious sales
D
What should be the next step of an IS auditor after identifying threats and vulnerabilities in a business process? A. Identifying the relevant process owner B. Identifying the relevant information assets C. Reporting the threat and its impact to the audit committee D. Identifying and analyzing the current controls
D
Which group developed COBIT framework for IT governance? A. AICPA B. ITIL - information technology infrastructure library C. FASB D. ISACA
D
Which of the following statements best describes detective controls and corrective controls? A. Both controls can prevent the occurrence of errors B. Detective controls are used to avoid financial loss and corrective controls are used to avoid operational risks D. Detective controls are used to identify that an error has occurred and corrective controls fix a problem before a loss occurs
D
Which type of IT application control ensures that information produced by a software application is accurate, secure, and sent to the appropriate recipients? A. Data validation controls B. Input controls C. Processing controls D. Output controls
D
What does a lack of appropriate control measures indicate? A. Threat B. Magnitude of impact C. Probability of occurrence D. Vulnerability
D - lack of controls or security is a vulnerability (definition of vulnerability)
An accountant compiled the financial statements of a non-issuer in accordance with AICPA standards. If the accountant has an ownership interest in the entity, which of the following statements is correct?
D - lack of independence is okay in a compilation, but must disclose lack of independence
What are the three types of engagements can be performed under the attestation standard?
Three types of engagements: (1) examination, (2) review, and (3) agreed-upon procedures. · Note: A compilation is not a type of attest engagement
A compilation of prospective financial statements includes reading the prospective financial statements, along with their assumptions and accounting policies, and considering whether they appear to be presented in conformity with AICPA presentation guidelines and that they are not obviously inappropriate. (T/F)
True
Corporate governance is the system of rules, practices and processes by which a firm is directed and controlled. It provides a framework for an organization to achieve its goals (provides oversight to management) (T/F)
True
The primary purpose of forensic engagements is to detect, investigate, and document a situation in which fraud almost certainly exists (T/F)
True
What are Trust Services categories · I will not ask this as an essay or short answer question. But this is good review / awareness of what is covered · Essentially covers characteristics of Electronic commerce
Trust Services are built on five principles: · Security: The system is protected against unauthorized access (both physical and logical). · Availability: The system is available for operation and use as committed or agreed. · Processing Integrity: System processing is complete, accurate, timely, and authorized. · Confidentiality: Information designated as confidential is protected as committed or agreed. · Privacy: The system's collection, use, retention, disclosure, and disposal of personal information are in accordance with the entity's commitments and system requirements
Yes or no - Identify which engagements a CPA may / would use analytical procedures
Use of Analytical procedures A. Financial statement audit - Yes absolutely B. Examination - YES - if financial in nature, no if non-financial C. Review - YES, Required D. Agreed upon procedures - depends on what the procedures the parties agree on E. Compilation - NO F. Preparation - NO
Yes or no - which engagements require independenc
Yes or no - which engagements require independence a. Examination - YES b. Review - YES c. Agreed upon procedure - YES d. Compilation - NO - but must disclose that CPA is not independent. Compilation is used by external 3rd party. So do not need to be independent because NO assurance is provided. But 3rd party is involved, so disclosure required by standards e. Preparation - NO, end user will be owner f. SOC reports - YES, these are a type of examination (Attestation) · Note all attestation reports require independence - Examination, Review and agreed upon procedure · Compilation and preparations are accounting services, no independence needed
Compilations and review engagements of historical financial statements are primarily performed for public companies (i.e, publicly traded companies on exchanges like NASDAQ, NYSE....) (T/F)
false- private companies
IT application controls apply to the processing of specific computer applications and are part of the computer programs used in the accounting systems to ensure the occurrence (validity), completeness, and accuracy of transaction processing. (T/F)
true
IT audit is an examination of IT infrastructure, policies and operations of an organization. (T/F)
true
IT general controls include control activities over technology infrastructure, security management and technology acquisition, development and maintenance. They related to the overall information system processing environment and not specifically to individual software applications. (T/F)
true
Define an attest engagement. List the two conditions necessary to perform an attest engagement
· A practitioner is engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about subject matter, that is the responsibility of another party · The conditions necessary to perform an attestation engagement are that the practitioner have reason to believe that the subject matter is (1) capable of evaluation against criteria that are (2) suitable and available to users.
Define assurance services
· Independent professional services that improve the quality of information, or its context, for decision makers · good decision-making requires quality information that can be financial or nonfinancial. · An assurance service engagement can aid the decision maker in searching through the available information in order to identify which pieces of information are relevant for the required decision and in improving the quality of the information or its context. · An assurance service engagement can also improve quality through increasing confidence in the information's reliability and relevance
