BEC 1
A manufacturer actively monitors a foreign country's political events whenever a supply chain disruption occurs within the country that exceeds 90 days. According to the COSO Enterprise Risk Management principles, the manufacturer is following which of the following risk-response strategies? Share Avoid Accept Reduce
Accept By taking no action and only monitoring the situation, it is not taking any steps to mitigate or reduce the risk. It is not sharing the risk by acquiring insurance or hedging instruments. Lastly, it is not avoiding the risk because it is staying in the foreign country.
COSO issued an update to the ERM (enterprise risk management) framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. The updated framework focuses on the importance of considering risk in both the strategy-setting process and in driving performance. Which of the following is not addressed by the update? Accommodate expectations for governance and oversight Recognize the globalization of markets and the need to apply a common approach across geographies Expand reporting for greater stakeholder transparency Achieve its financial and performance target
Achieve its financial and performance target
NALCO Co. is struggling with its sales data. The sales reps are unable to update the daily sales record; as a result, the company is losing a lot of business as there is no proper follow-up and closure of leads. NALCO wants to make use of technology to improve its conversion rate. Which technology should NALCO opt for? Cloud computing Radio frequency identification Electronic data interchange None of the answer choices are correct.
Cloud computing
Which of the following is not a 2017 COSO enterprise risk management (ERM) framework component? Strategy and objective-setting Review and revision Performance Control activities
Control activities
COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance, which focuses on the importance of considering risk in both the strategy-setting process and in driving performance. Which of the following does the 2017 framework not address? Expands reporting to address expectations for greater stakeholder transparency Enhances alignment between performance and enterprise risk management Accommodates evolving technologies and the proliferation of data and analytics Ensures compliance with laws, rules, and regulations
Ensures compliance with laws, rules, and regulations
When risk is evaluated, which of the following risk responses is generally considered a sharing response? Diversifying product offerings Entering into syndication agreements Reallocating capital among operating units Rebalancing the asset portfolio to reduce exposure to certain types of losses
Entering into syndication agreements "Entering into syndication agreements" is correct. A syndication agreement is a contract between the arranger and other participants whereby risk is split among all parties. Through a process of negotiations, the agreement establishes priorities in the event of default, insolvency, bankruptcy, and casualty. Since risk is diffused across multiple parties, this agreement is generally considered a sharing response.
According to COSO's enterprise risk management framework, which of the following is an essential element of the internal environment? Ethical values Risk assessment Control activities Event identification
Ethical values
According to the COSO internal control framework, which of the following is not an underlying structure of the control environment? Identify and analyze significant changes Demonstrate a commitment to integrity and ethical values Exercise oversight responsibility Demonstrate commitment to competence
Identify and analyze significant changes
COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance. One of the five interrelated components in the updated framework is "review and revision." Which of the following principles does not belong to this component? Identify risk Assess substantial change Review risk and performance Pursue improvement in ERM
Identify risk
According to COSO, which of the following identifies the group directly responsible for the implementation and development of the enterprise risk management framework? Management The board of directors External auditors Internal auditors
Management
You walk into a little boutique in the nearby mall. As you walk up to the cash register with an item that you wish to purchase, you notice that there appears to be only one employee in this small store. With a limited number of personnel in the store at any given time, what would be the best internal control procedure to provide a reasonable guarantee that all cash sales are being rung up properly and cash put in the cash drawer? Carefully screen all new employees Require that all sales be rung up on the cash register using barcodes Increase the minimum number of employees at the store at any given time to three Post a sign in a visible spot near the checkout counter that states, "If you do not get a receipt, your purchase is free."
Post a sign in a visible spot near the checkout counter that states, "If you do not get a receipt, your purchase is free."
Which of the following is an internal control objective that is not appropriately defined? Reasonable (Standard methodologies are used to determine the value representative of transactions.) Funded (Sufficient funds are on hand to meet current obligations.) Recording accuracy (Transactions are mostly free of error.) Supportable (The goods and services received and provided are recorded properly.)
Recording accuracy (Transactions are mostly free of error.) "Accurately recorded" is an objective of internal control but should be free of error, not "mostly free of error." Accuracy is essential.
COSO's 2017 updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, consists of five interrelated components, which are supported by a set of 20 principles. Which of the following is not the proper match of a principle to its component? Review and revision: Prioritize risks Governance and culture: Demonstrate commitment to core values Performance: Develop portfolio view Strategy and objective-setting: Define risk appetite
Review and revision: Prioritize risks
COSO issued an update to the 2004 ERM framework in 2017, Enterprise Risk Management—Integrating with Strategy and Performance, which is designed to assist the board of directors (BOD) in fulfilling their risk oversight role. Which of the following is not one of the BOD's obligations in terms of ERM? Reviewing and challenging management of proposed strategy and risk appetite Approving management incentives and remuneration Revising reporting options to improve stakeholder transparency Participating in investor and stakeholder relations
Revising reporting options to improve stakeholder transparency
Under COSO, which of the following principles falls under control activities? Assesses fraud risk Selects and develops control activities Exercises oversight Specifies suitable objectives
Selects and develops control activities
According to COSO, which of the following provides oversight of an entity's enterprise risk management? Management The risk officer The board of directors Financial executives
The board of directors
According to the Sarbanes-Oxley Act of 2002, an issuer must disclose whether or not it has adopted a code of ethics for which of the following? All employees of the issuer The issuer's senior financial officers, but not for other employees of the issuer The audit committee Audit staff
The issuer's senior financial officers, but not for other employees of the issuer
Why is a well-defined organizational structure important? To inspect corporate records To elect officers To define lines of authority To oversee the internal control structure
To define lines of authority
According to the Sarbanes-Oxley Act of 2002, when an issuer's board of directors selects members to be on the company's audit committee, the board of directors must select individuals who: receive consulting fees, but not advisory fees, from the company. are members of the company's board of directors. are employed by the company in a financial management role. are affiliated persons of the company's subsidiary.
are members of the company's board of directors.
COSO's enterprise risk management framework encompasses each of the following, except: enhancing risk response decisions. decreasing inherent risk appetite. improving deployment of capital. seizing opportunities.
decreasing inherent risk appetite.
A company's internal controls are established to provide protection for the company's assets as well as to detect fraud. An internal control allows for the firm's resources to be all of the following except: monitored. designed. properly used. measured.
designed
The industrial internet of things combines technologies to improve operational: efficiency and reliability. efficiency. reliability. None of the answer choices are correct.
efficiency and reliability.
According to COSO, the presence of a written code of conduct provides for a control environment that can: override an entity's history and culture. encourage teamwork in the pursuit of an entity's objectives. ensure that competent evaluators are implementing and monitoring internal controls. verify that information systems are providing persuasive evidence of the effectiveness of internal controls.
encourage teamwork in the pursuit of an entity's objectives.
According to the Sarbanes-Oxley Act of 2002, the audit committee of an issuer is responsible for each of the following activities, except: evaluating and reporting on the effectiveness of the company's internal control over financial reporting. preapproving all audit and nonaudit services provided by the company's auditor. establishing procedures for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal control, and auditing matters. the appointment, compensation, and oversight of the work of the registered public accounting firm employed by the company.
evaluating and reporting on the effectiveness of the company's internal control over financial reporting.
The human resource cycle includes: hiring, training, compensating, and promoting. hiring, arriving at the net pay of employees, and promoting. hiring, filing payroll taxes, arriving at the net pay of employees, and promoting. hiring, filing payroll taxes, arriving at the net pay of employees, and training.
hiring, training, compensating, and promoting.
According to COSO, the four categories of entity objectives in the enterprise risk management framework include each of the following, except: effective and efficient use of the entity's resources. compliance with applicable laws and regulations. implementation of internal controls. reliability of reporting.
implementation of internal controls.
The Sarbanes-Oxley Act of 2002 (SOX) requires that all publicly traded firms establish internal controls related to financial reporting that are documented, tested, and maintained for the purpose of preventing fraud. Per SOX, a company needs to do all of the following except: develop documentation of existing internal controls and procedures associated with financial reporting. test the effectiveness of the existing internal controls and procedures. provide information on deficiencies in the controls and/or documentation of those controls. include all areas of potential risk to the misstatement of the financial statements in this documentation, testing, and reporting process.
include all areas of potential risk to the misstatement of the financial statements in this documentation, testing, and reporting process.
The Enterprise Risk Management—Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as a: process effected by an entity's board of directors, management, and other personnel. serial process in which one component affects only the next component. process that takes a control-based approach to an organization. process that replaces the COSO internal control framework.
process effected by an entity's board of directors, management, and other personnel.
An example of a detective control activity would be: separation of duties. required authorizations. reconciliations. security guards and cameras.
reconciliations Detective activities would include: audits, required vacations, background investigations, rotation of duties, variance analysis, reconciliations, and physical inventories.
The internal audit function must determine whether risk management processes are effective. This judgment results from the internal auditor's assessment of all of the following except: organizational objectives support and align with the organization's mission. significant risks are identified and assessed. appropriate risk responses are selected that align risks with the organization's risk appetite. relevant risk information is captured and communicated only to the board of directors in a timely manner.
relevant risk information is captured and communicated only to the board of directors in a timely manner. Relevant risk information is captured and communicated in a timely manner across the organization (not only to the board of directors), enabling staff, management, and the board to carry out their responsibilities.
According to the Sarbanes-Oxley Act of 2002, each of the following is a corporate responsibility requirement, except: the audit committee of the issuer is directly responsible for the appointment, compensation, and oversight of the registered accounting firm. the audit committee chairperson must certify that the quarterly report filed with the SEC fairly presents the financial condition and results of operations. the audit committee of the issuer must establish whistleblowing mechanisms and procedures within the issuer. each audit committee member of the issuer must be independent.
the audit committee chairperson must certify that the quarterly report filed with the SEC fairly presents the financial condition and results of operations.
Each of the following statements is correct regarding the existence and implementation of codes of conduct, except: employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior. the codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading. the codes of conduct are periodically acknowledged by all employees. the codes of conduct must be in writing and displayed in public areas, such as a break room.
the codes of conduct must be in writing and displayed in public areas, such as a break room.
In relation to the internal control process, control sufficiency is: the group of controls with a variety of degrees of precision necessary to achieve a control objective. the alignment between a risk and the control activity designed to mitigate that risk. the measurement of the effectiveness of a specific control in alleviating the defined risk. the testing of the effectiveness of a control procedure.
the group of controls with a variety of degrees of precision necessary to achieve a control objective.
A top-down risk assessment (TDRA) is done in order for a company to be in compliance with Sarbanes-Oxley Act (SOX) Section 404. A TDRA is a set of steps used to identify and assess financial reporting elements, related risks, and internal control procedures meant to limit those risks. TDRA steps include all of the following except: the identification of important financial reporting elements. the identification of material risks related to important financial reporting elements. the identification of entity-level controls that would mitigate the risks with adequate precision. the identification of financial-statement level controls that would mitigate the risks in the absence of precise entity-level controls.
the identification of financial-statement level controls that would mitigate the risks in the absence of precise entity-level controls.
In respect to the roles and responsibilities within an internal control framework: the goals of internal controls are to provide close to absolute assurance that the objectives of the company will be met. the CEO of an organization is expected to allow his senior staff to set the ethical tone for the organization so as not to micromanage and stifle the organization. since the board of directors do not devote themselves to the day-to-day operations, they have little influences on the internal control environment. the internal and external auditors are responsible for the assessment of internal controls in relation to design, implementation, and effectiveness.
the internal and external auditors are responsible for the assessment of internal controls in relation to design, implementation, and effectiveness.
According to the 2004 COSO enterprise risk management (ERM) framework, uncertainty in enterprise risk management refers to: the impact of events or the time it would take to recover. the state of not knowing how or if potential events may manifest. the possibility that events will occur and affect the achievement of objectives. the boundaries of acceptable variation in performance related to achieving business objectives.
the state of not knowing how or if potential events may manifest.
An example of a preventive control activity would be: rotation of duties. use of passwords. required vacations. internal audits.
use of passwords Preventive activities would include: separation of duties, use of passwords, required authorizations, required approvals, alarm systems, use of locks, security guards and cameras, and education, training, and monitoring of employees.
The 2017 COSO ERM (enterprise risk management) framework lists five components, one of which is performance. Which of the following is not used by managers for performance? Formulates business objectives Identifies risks Develops a portfolio view Assesses the severity of risks
Formulates business objectives
The Sarbanes-Oxley Act changed the way financial reports are treated. What section of the act requires the CEO to review the financial statements? Section 202 Section 302 Section 102 Section 402
Section 302
A computer making decisions is an example of: artificial intelligence. robotic process automation. radio frequency identification. electronic data interchange.
artificial intelligence.
Pursuant to the Sarbanes-Oxley Act of 2002, an accountant who destroys documents to impede an investigation by a U.S. agency can be: suspended or barred from being associated with a registered public accounting firm or be required to end such association. temporarily or permanently limited on the activities, functions, or operations conducted on behalf of a registered public accounting firm. fined and/or imprisoned not more than 20 years. fined and/or imprisoned not more than 10 years.
fined and/or imprisoned not more than 20 years.