BUS 120B Exam 3 Study Questions
Which of the following controls restrict access to programs, data, and documentation? a. access controls b. password controls c. authentication controls d. program change controls
A. Access controls
Approving a customer credit purchase would be an example of which basic events-processing function? a. authorizing events b. executing events c. recording events d. safeguarding resources
A. Authorizing events
____ sets the tone of the organization, influencing the control consciousness of its people. A. Control environment B. Risk assessment C. Control activities D. Monitoring
A. Control Environment
The business process objectives that an internal control system is designed to achieve are: a. control goals b. control plans c. general controls d. the control matrix
A. Control Goals
Approvals, authorizations, verification, reconciliation, reviews of operating performance, supervision, audit trails, and segregation of duties are example of: A. control activities B. event identification C. monitoring D. risk response
A. Control activities
The columns in a control matrix contain headings listing the business process: a. control goals b. control plans c. control environment d. control procedures
A. Control goals
The purpose of ____ control goals is to ensure that all resources used throughout the business process are being employed in the most productive manner. a. efficiency b. effectiveness c. security d. input
A. Efficiency
COBIT 5: a. has five GEIT principles and seven enablers b. can be implemented by updating from COBIT 4.1 c. does not have the enablers used in COBIT 4.1 d. all of the choices are correct
A. Has five GEIT principles and seven enablers
The department or function that develops and operates an organization's information system is often called the: a. information technology department b. computer operations department c. controller's office d. computer technology branch
A. Information technology department
Why is there usually no control goal called update validity? a. Input and update completeness achieve update validity. b. Input validity guarantees update validity. c. Update accuracy guarantees update validity. d. Input accuracy achieves update validity.
A. Input and update completeness achieve update validity
A business event which is not properly authorized violates the control goal of: a. input validity b. input completeness c. input accuracy d. update validity
A. Input validity
The purpose of input control goals is to ensure: a. input validity, input completeness, and input accuracy b. update completeness and update accuracy c. both a. and b. d. none of the choices are correct
A. Input validity, input completeness, and input accuracy
A policy: a. is a plan or process put in place to guide actions and achieve goals. b. can compel behavior and enforce penalties for failure to follow. c. can be used to prevent fraud in an organization. d. all of the choices are correct
A. Is a plan or process put in place to guide actions and achieve goals.
_____________ control plans relate to a multitude of goals and processes. a. Pervasive b. IT general c. Business process d. Preventive
A. Pervasive
The segregation of duties control plan consists of separating all of the following event-processing functions except: a. planning events b. authorizing events c. executing events d. recording events
A. Planning events
Controls that stop problems from occurring are called: a. preventive controls b. detective controls c. corrective controls d. programmed controls
A. Preventive controls
COBIT was developed to: a. provide guidance to managers, users, and auditors on the best practices for the management of information technology b. identify specific control plans that should be implemented to reduce the occurrence of fraud c. specify the components of an information system that should be installed in an e-commerce environment d. suggest the type of information that should be made available for management decision making
A. Provide guidance to managers, users, and auditors on the best practices for the management of information technology
A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions? a. recording and executing events b. authorizing and executing events c. recording and authorizing events d. safeguarding of resources and authorizing events
A. Recording and executing events.
COBIT 5: a. shifts the center of attention from IT to governance b. can be implemented by updating from COBIT 4.1 c. does not have the enablers used in COBIT 4.1 d. all of the choices are correct
A. Shifts the center of attention from IT to governance.
The two primary steps in preparing the control matrix include: a. specifying control goals, identifying recommended control plans b. specifying control plans, specifying input goals c. specifying the control environment, identifying information process goals d. specifying control procedures, identifying process goals
A. Specifying control goals, identifying recommended control plans.
Which of the following has the major duties of prioritizing and selecting IT projects and resources? a. steering committee b. security supervisor c. CIO d. operations supervisor
A. Steering committee
The third level of protection in the control hierarchy is: a. the control environment b. business process control plans c. pervasive control plans d. IT general controls
B. Business process control plans
When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called: a. collusion controls b. compensatory controls c. authorizing controls d. inventory controls
B. Compensatory controls
The purpose of ____ control goals is to ensure the successful accomplishment of the goals set forth for the operations process under consideration. a. efficiency b. effectiveness c. security d. input
B. Effectiveness
As a result of an inadequate design, a production process yields an abnormally high amount of raw material scrapped. Which control goal is being violated? a. ensure effectiveness of operations b. ensure efficient employment of resources c. ensure security of resources d. ensure input accuracy
B. Ensure efficient employment of resources.
Failing to record a customer's order for the purchase of inventory violates the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure input validity d. ensure input accuracy and input validity
B. Ensure input completeness
Which of the following is a control goal regarding master data? a. ensure input validity b. ensure update accuracy c. ensure input accuracy d. ensure input completeness
B. Ensure update accuracy
A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources
B. Executing events
IT users requiring advice and requiring assistance to overcome problems can turn to the: a. access control officer b. help desk c. database administrator d. operations desk
B. Help Desk
COBIT was developed by: a. COSO b. ISACA c. PCAOB d. AICPA
B. ISACA
The effect of an event's occurrence is: A. control B. impact C. risk D. opportunity
B. Impact
Establishing a viable internal control system is primarily the responsibility of: a. the external auditors b. management c. programmers d. government authorities
B. Management
Which of the following control plans is not a retention control plan? a. creative and challenging work opportunities b. occasional performance evaluations c. competitive reward structure d. viable career paths
B. Occasional performance evaluations
In the control matrix, the rows represent: a. control goals of the operations process b. recommended control plans including both present and missing controls c. control goals of the information process d. control goals of the management process
B. Recommended control plans including both present and missing controls
Which of the following has the responsibility to ensure the security of all IT resources? a. steering committee b. security officer c. CIO d. systems analyst
B. Security officer
IN a IT Department, which of the following reporting relationship makes the least sense? a. The security supervisor reports to the CIO. b. The access control officer reports to the security supervisor. c. The business analyst reports to the implementation supervisor. d. The data entry manager reports to the data center manager.
B. The access control officer reports to the security supervisor.
Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n): a. operations run manual b. user manual c. program documentation d. systems documentation
B. User manual
The controlled access to data, programs, and documentation is a principal responsibility of which of the following functions? a. access control b. data preparation (data entry) c. access control officer d. computer operator
C. Access control officer
Automated business process controls contained within IT systems are called: a. preventive controls b. pervasive controls c. application controls d. management controls
C. Application controls
Which of the following is not one of COBIT's five domains? a. align, plan, and organize b. build, acquire, and implement c. assess, repair, and replace d. evaluate, deliver, and monitor
C. Assess, repair, and replace
A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it approving the removal of the items from the warehouse. The supervisor is performing which functions? a. authorizing events and safeguarding of resources b. executing and recording events c. authorizing and executing events d. authorizing and recording events
C. Authorizing and executing events
Alternative names for contingency planning include all of the following except: a. disaster recovery planning b. business interruption planning c. business disaster planning d. business continuity planning
C. Business disaster planning
____ relate to a specific AIS process, such as billing or cash receipts. a. Control procedures b. Information processing procedures c. Business process control plans d. Operations system control plans
C. Business process control plans
Planning IT acquisition and development is typically is a major duty of the: a. steering committee b. security supervisor c. CIO d. operations supervisor
C. CIO
Which of the following has the responsibility of efficient and effective operation of IT? a. steering committee b. security supervisor c. CIO d. systems analyst
C. CIO
A process captures only authorized transactions but fails to record them only once. Which control goal does this fail to achieve? a. validity b. accuracy c. completeness d. effectiveness
C. Completeness
____ are the policies and procedures that help ensure that the risk responses are effectively carried out. a. Control environment b. Risk assessment c. Control activities d. Monitoring
C. Control Activities
A tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans is: a. ERM b. control plans c. control matrix d. internal controls
C. Control Matrix
Having too many control plans directed at the same control goal is called: a. control efficiency b. control effectiveness c. control redundancy d. control completeness
C. Control Redundancy
Which of the following describes COSO's five interrelated components of internal control? a. internal environment, objective setting, event identification, risk assessment, monitoring b. auditor independence, corporate responsibility, financial disclosures, corporate and criminal fraud accountability, white-collar crime penalty enhancements c. control environment, risk assessment, control activities, information and communication, monitoring activities d. strategic, operations, reporting, compliance, monitoring
C. Control environment, risk assessment, control activities, information and communication, monitoring activities.
A control that involves reprocessing transactions that are rejected during initial processing is an example of: a. preventive controls b. detective controls c. corrective controls d. programmed controls
C. Corrective controls
Discrepancies between data items recorded by a system and the underlying economic events or objects they represent are a violation of the control goal of: a. ensure input validity b. ensure input completeness c. ensure input accuracy d. ensure update completeness
C. Ensure input accuracy
A programming error causes the sale of an inventory item to be added to the quantity on hand attribute in the inventory master data. Which control goal was not achieved? a. ensure update completeness b. ensure input accuracy c. ensure update accuracy d. ensure input completeness
C. Ensure update accuracy
Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure update accuracy d. ensure update completeness
C. Ensure update accuracy
A deliberate act or untruth intended to obtain unfair or unlawful gain is a(n): a. audit b. embezzlement c. fraud d. theft
C. Fraud
The IT function's key control concern is that organization and IT strategic objectives are misaligned: a. CIO b. quality assurance c. IT steering committee d. systems development manager
C. IT steering committee
Pervasive control plans: a. are unrelated to applications control plans b. are a subset of applications control plans c. influence the effectiveness of applications control plans d. increase the efficiency of applications control plans
C. Influence the effectiveness of applications control plans
Events that could have a positive impact on organizational objectives: A. controls B. fraud C. opportunities D. risks
C. Opportunities
A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is: a. Enterprise risk management b. Internal control c. Organizational governance d. Risk assessment
C. Organizational Governance
The purpose of ____ control goals is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse. a. efficiency b. effectiveness c. security d. input
C. Security
Which of the following is not a strategic planning process? a. IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including privacy, transborder data flows, e-business, and insurance contracts. b. Acquisition and development schedules for hardware, software, and application systems and for personnel and financial requirements. c. Systems development life-cycle adoption to ensure that comprehensive documentation is developed for each application. d. An inventory of current IT capabilities.
C. System development life-cycle adoption to ensure that comprehensive documentation is developed for each application.
The section of Sarbanes-Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is: a. Title I Public Company Accounting Oversight Board b. Title II Auditor Independence c. Title III Corporate Responsibility d. Title IV Enhanced Financial Disclosures
C. Title III Corporate Responsibility
Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once? a. ensure input validity b. ensure update accuracy c. ensure input completeness d. ensure update completeness
C. ensure input completeness
In an IT Department, all of the following functions might logically report to the operations supervisor except: a. quality assurance analyst b. help desk manager c. database administrator d. access control officer
D. Access control officer
As described in COSO 2013, elements of risk assessment might include which of the following? a. specifying objectives with clarity b. identifying risks to the achievement of its objectives c. considering the potential for fraud d. all of the choices are correct
D. All of the choices are correct
As described in COSO, elements of control activities might include which of the following? A. Selecting control activities that contribute to the mitigation of risks B. Selecting control activities to support the achievement of objectives C. Deploying control activities through procedures that put policies into action D. all of the choices are correct
D. All of the choices are correct
As described in COSO, elements of control environment might include the following: A. commitment to the importance of control B. reward systems C. tone at the top of the organization D. all of the choices are correct
D. All of the choices are correct
The major reasons for exercising control of the organization's business processes include: a. to provide reasonable assurance that the goals of the business are being achieved b. to mitigate risks of fraud and other intentional and unintentional acts c. to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations d. all of the choices are correct
D. All of the choices are correct
The COSO 1992 definition of internal control defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in which category? a. effectiveness of operations b. reliability of financial reporting c. compliance with applicable laws and regulations d. all of the choices are correct
D. All of the choices are correct.
Which of the following statements is true? a. Management has a legal responsibility to protect an organization's informational assets. b. Proper protection of organizational information from unauthorized use required both physical and logical controls. c. The unauthorized disclosure of financial information is a violation of federal securities laws. d. All of the choices are correct.
D. All of the choices are correct.
Assuring that the accounts receivable master data reflects all cash collections recorded in the cash receipts event data addresses the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure update accuracy d. ensure update completeness
D. Ensure update completeness
Who is legally responsible for establishing and maintaining an adequate system of internal control? a. the board of directors b. stakeholders c. investors d. management
D. Management
____ is a process that evaluates the quality of internal control performance over time. a. Control environment b. Risk assessment c. Control activities d. Monitoring
D. Monitoring
Events that could have a negative impact on organizational objectives: A. opportunities B. embezzlement C. fraud D. risks
D. Risk
An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources
D. Safeguarding resources
Control goals of operations processes include: a. validity b. the control environment c. accuracy d. security of resources
D. Security of resources
The ERM framework addresses four categories of management objectives. Which category concerns high-level goals, aligned with and supporting its mission. a. compliance b. operations c. reporting d. strategic
D. Strategic
Risk assessment is best described by: A. Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. B. Management selects whether to avoid, accept, reduce, or share risk—developing a set of actions to align risks with the entity's risk tolerances and risk appetite. C. The entirety of enterprise risk management is monitored and modifications made as necessary. D. The likelihood and impact of risks are analyzed, as a basis for determining how they should be managed.
D. The likelihood and impact of risks are analyzed, as a basis for determining how they should be managed.
The section of Sarbanes-Oxley that requires each annual report filed with the SEC to include an internal control report is: A. Title I Public Company Accounting Oversight Board B. Title II Auditor Independence C. Title III Corporate Responsibility D. Title IV Enhanced Financial Disclosures
D. Title IV Enhanced Financial Disclosures.
A corrective control plan is designed to discover problems that have occurred.
FALSE
A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.
FALSE
A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resources controls.
FALSE
According to COSO, monitoring has often been overused by organizations.
FALSE
Alternative control plans are commonly called collusion controls.
FALSE
Application controls restrict access to data, programs, and documentation.
FALSE
COBIT 5 is more procedure-based than COBIT 4.1
FALSE
COBITs definition of internal control diverges from COSOs
FALSE
Control effectiveness addresses how individual control plans achieve multiple control goals.
FALSE
Control efficiency addresses whether control goals are being achieved.
FALSE
Operations process control goals include input goals and update goals.
FALSE
Security goals are part of operation process control goals.
FALSE
Segregation of duties software works poorly with major ERP systems.
FALSE
The IS function with the principal responsibilities of ensuring the security of all IT resources is data control.
FALSE
The chief information officer (CIO) prioritizes and selects IT projects and resources.
FALSE
The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.
FALSE
The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.
FALSE
The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes.
FALSE
The external environment is a system of integrated elements - people, structures, processes, and procedures - acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.
FALSE
The highest level of control plans are pervasive controls.
FALSE
The information system functions is synonymous with the accounting function
FALSE
The operations run manual describes users procedures for an application and assists the use in preparing inputs and using outputs.
FALSE
The purpose of security controls is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.
FALSE
The user manual gives detailed instructions to computer operators and to data control about a particular application.
FALSE
Under the Sarbanes-Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.
FALSE
In input validity, the edits reduce input errors.
FALSE - Input Accuracy
In input accuracy, the edits reduce the possibility of the input of invalid events.
FALSE - Input Validity
The key provisions of SOX are that SOX created a new accounting oversight board - PCAOB
FALSE - SOX did not create PCAOB, but high-lighted the importance of PCAOB role.
A batch of business events is accurately entered into a business event data store, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.
TRUE
A control matrix is a tool that assists in evaluating the potential effectiveness of control goals in a particular business process.
TRUE
A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.
TRUE
A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable laws and regulations.
TRUE
A policy is a plan or process put in place to guide actions and thus achieve goals.
TRUE
Access control software ensures that only authorized users gain access to a system through a process of identification and authentication.
TRUE
According to COBIT, IT resources include applications, information, infrastructure, and people.
TRUE
According to COBIT, IT resources must be managed by IT control processes to ensure that an organization has the information it needs to achieve its objectives.
TRUE
Alternative control plans are commonly called compensatory controls.
TRUE
An important update COSO 2013 made to SAS No. 78 and related audit literature is the promulgation of seventeen principles.
TRUE
Automation of segregation of duties may provide a more efficient and effective system of internal control in automated processes.
TRUE
Biometric identification system identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics.
TRUE
Business continuity planning is the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate when the threatened event occurs or resumes operations with a minimum of disruption.
TRUE
Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts.
TRUE
COBIT 5 has five domains and seven enablers.
TRUE
COSO 1992 and 2013 describe five interrelated components of internal control.
TRUE
Combining the functions of authorizing and executing is a violation of the organizational control plan known as segregation of duties.
TRUE
Combining the functions of authorizing and recording events is a violation of organizational control plan known as segregation of duties.
TRUE
Control efficiency relates to ensuring hat resources are being employed in the most productive manner.
TRUE
Control redundancy addresses whether too many control plans are directed towards the same control goals.
TRUE
Controls to prevent unauthorized execution of events help prevent fraud by ensuring that only valid.
TRUE
Ensuring the security of resources is the control goal that seeks to provide protection of an organization's resources from loss, destruction, disclosure, copying, sale or other misuse of an organization's resources.
TRUE
Establishing and maintaining a viable internal control system is the responsibility of management.
TRUE
Event identification is used to identify risk and opportunities that would affect achievement of an organization's objectives
TRUE
IT governance is a process that ensures that the organization's IT sustains and extends the organization's strategies and objectives.
TRUE
In the control matrix, goals are listed across the top of the matrix.
TRUE
Input control goals include those to ensure input validity, input completeness, and input accuracy.
TRUE
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness of operations; reliability of financial reporting compliance with applicable laws and regulations.
TRUE
Management is responsible for establishing and maintaining an adequate system of internal controls.
TRUE
Monitoring is a process that assesses the quality of internal control performance over time.
TRUE
Organizational governance is a process by which organizations select objectives establish processes to achieve objectives, and monitor performance.
TRUE
People and computers should always be considered in the efficiency assessments related to accounting information systems.
TRUE
Pervasive controls are an important element in organizational governance and IT governance initiatives.
TRUE
Pervasive controls plans influence the effectiveness of the control plans at lower levels of the control.
TRUE
Procedures for rejected inputs include input completeness and input accuracy.
TRUE
Programs documentation provides a description of an application program and usually includes the program's purpose, program flowcharts, and source code listing.
TRUE
Section 404 mandates the annual filing of an internal control report of each audited (i.e., publicly traded) company to the SEC.
TRUE
Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events.
TRUE
Specifying control goals is the first step in preparing a control matrix.
TRUE
Systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures and sample source documents, outputs, and reports.
TRUE
The IS function of quality assurance conducts review to ensure the attainment of IT objectives.
TRUE
The IS function with the responsibility of guiding the IT organization in establishing and meeting user information requirements is the IT steering committee.
TRUE
The IT steering committee guides the IT organization in establishing and meeting user information requirements and in ensuring the effective and efficient use of its resources.
TRUE
The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization.
TRUE
The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.
TRUE
The function composed of people, procedures, and equipment is typically called the information systems department, IS department, or the IT department is the information systems organization.
TRUE
The system of controls used in this text consists of the controls environment, pervasive control plans, IT general controls, and business process and application control plans.
TRUE
To exploit the system and conceal abuse collusion would need to occur between one or more person (or department).
TRUE
Under the Sarbanes-Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports.
TRUE
Under the Sarbanes-Oxley Act of 2002, the section on Enhanced Financial Disclosures require each annual report filed with the SEC to include an internal control report.
TRUE
Update control goals of the information process ensure update completeness and update accuracy.
TRUE
Valid input data are appropriately authorized and represent actual economic events and objects.
TRUE
Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction.
TRUE
Which of the following statements regarding a system of internal control is false? a. Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlement. b. Internal control systems depend largely on the competency and honesty of people. c. Because internal control systems have a cost, management should evaluate the cost/benefit of each control plan. d. The development of an internal control system is the responsibility of management.
a. Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlement.
A control goal that is a measure of success in meeting a set established goals is called: a. effectiveness b. monitoring c. efficiency d. risk
a. effectiveness
As described in COSO, elements of a monitoring might include which of the following? a. selecting and developing evaluations to ascertain whether the components of internal control are functioning b. performing evaluations to ascertain whether the components of internal control are functioning c. communicating internal control deficiencies in a timely manner to those parties responsible for taking corrective action d. all of the choices are correct
d. all of the choices are correct
As described in COSO, elements of information and communication might include which of the following? a. using relevant, quality information to support the functioning of internal control b. internally communicating information to support the functioning of internal control c. communicating information with external parties regarding matters affecting the functioning of internal control d. all of the choices are correct
d. all of the choices are correct