BUS 120B Exam 3 Study Questions

Which of the following controls restrict access to programs, data, and documentation? a. access controls b. password controls c. authentication controls d. program change controls

A. Access controls

Approving a customer credit purchase would be an example of which basic events-processing function? a. authorizing events b. executing events c. recording events d. safeguarding resources

A. Authorizing events

____ sets the tone of the organization, influencing the control consciousness of its people. A. Control environment B. Risk assessment C. Control activities D. Monitoring

A. Control Environment

The business process objectives that an internal control system is designed to achieve are: a. control goals b. control plans c. general controls d. the control matrix

A. Control Goals

Approvals, authorizations, verification, reconciliation, reviews of operating performance, supervision, audit trails, and segregation of duties are example of: A. control activities B. event identification C. monitoring D. risk response

A. Control activities

The columns in a control matrix contain headings listing the business process: a. control goals b. control plans c. control environment d. control procedures

A. Control goals

The purpose of ____ control goals is to ensure that all resources used throughout the business process are being employed in the most productive manner. a. efficiency b. effectiveness c. security d. input

A. Efficiency

COBIT 5: a. has five GEIT principles and seven enablers b. can be implemented by updating from COBIT 4.1 c. does not have the enablers used in COBIT 4.1 d. all of the choices are correct

A. Has five GEIT principles and seven enablers

The department or function that develops and operates an organization's information system is often called the: a. information technology department b. computer operations department c. controller's office d. computer technology branch

A. Information technology department

Why is there usually no control goal called update validity? a. Input and update completeness achieve update validity. b. Input validity guarantees update validity. c. Update accuracy guarantees update validity. d. Input accuracy achieves update validity.

A. Input and update completeness achieve update validity

A business event which is not properly authorized violates the control goal of: a. input validity b. input completeness c. input accuracy d. update validity

A. Input validity

The purpose of input control goals is to ensure: a. input validity, input completeness, and input accuracy b. update completeness and update accuracy c. both a. and b. d. none of the choices are correct

A. Input validity, input completeness, and input accuracy

A policy: a. is a plan or process put in place to guide actions and achieve goals. b. can compel behavior and enforce penalties for failure to follow. c. can be used to prevent fraud in an organization. d. all of the choices are correct

A. Is a plan or process put in place to guide actions and achieve goals.

_____________ control plans relate to a multitude of goals and processes. a. Pervasive b. IT general c. Business process d. Preventive

A. Pervasive

The segregation of duties control plan consists of separating all of the following event-processing functions except: a. planning events b. authorizing events c. executing events d. recording events

A. Planning events

Controls that stop problems from occurring are called: a. preventive controls b. detective controls c. corrective controls d. programmed controls

A. Preventive controls

COBIT was developed to: a. provide guidance to managers, users, and auditors on the best practices for the management of information technology b. identify specific control plans that should be implemented to reduce the occurrence of fraud c. specify the components of an information system that should be installed in an e-commerce environment d. suggest the type of information that should be made available for management decision making

A. Provide guidance to managers, users, and auditors on the best practices for the management of information technology

A clerk receives checks and customer receipts in the mail. He endorses the checks, fills out the deposit slip, and posts the checks to the cash receipts events data. The clerk is exercising which functions? a. recording and executing events b. authorizing and executing events c. recording and authorizing events d. safeguarding of resources and authorizing events

A. Recording and executing events.

COBIT 5: a. shifts the center of attention from IT to governance b. can be implemented by updating from COBIT 4.1 c. does not have the enablers used in COBIT 4.1 d. all of the choices are correct

A. Shifts the center of attention from IT to governance.

The two primary steps in preparing the control matrix include: a. specifying control goals, identifying recommended control plans b. specifying control plans, specifying input goals c. specifying the control environment, identifying information process goals d. specifying control procedures, identifying process goals

A. Specifying control goals, identifying recommended control plans.

Which of the following has the major duties of prioritizing and selecting IT projects and resources? a. steering committee b. security supervisor c. CIO d. operations supervisor

A. Steering committee

The third level of protection in the control hierarchy is: a. the control environment b. business process control plans c. pervasive control plans d. IT general controls

B. Business process control plans

When segregation of duties cannot be effectively implemented because the organization is too small, we may rely on a more intensive implementation of other control plans such as personnel control plans. This is called: a. collusion controls b. compensatory controls c. authorizing controls d. inventory controls

B. Compensatory controls

The purpose of ____ control goals is to ensure the successful accomplishment of the goals set forth for the operations process under consideration. a. efficiency b. effectiveness c. security d. input

B. Effectiveness

As a result of an inadequate design, a production process yields an abnormally high amount of raw material scrapped. Which control goal is being violated? a. ensure effectiveness of operations b. ensure efficient employment of resources c. ensure security of resources d. ensure input accuracy

B. Ensure efficient employment of resources.

Failing to record a customer's order for the purchase of inventory violates the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure input validity d. ensure input accuracy and input validity

B. Ensure input completeness

Which of the following is a control goal regarding master data? a. ensure input validity b. ensure update accuracy c. ensure input accuracy d. ensure input completeness

B. Ensure update accuracy

A warehouse clerk manually completing an order document and forwarding it to purchasing for approval is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources

B. Executing events

IT users requiring advice and requiring assistance to overcome problems can turn to the: a. access control officer b. help desk c. database administrator d. operations desk

B. Help Desk

COBIT was developed by: a. COSO b. ISACA c. PCAOB d. AICPA

B. ISACA

The effect of an event's occurrence is: A. control B. impact C. risk D. opportunity

B. Impact

Establishing a viable internal control system is primarily the responsibility of: a. the external auditors b. management c. programmers d. government authorities

B. Management

Which of the following control plans is not a retention control plan? a. creative and challenging work opportunities b. occasional performance evaluations c. competitive reward structure d. viable career paths

B. Occasional performance evaluations

In the control matrix, the rows represent: a. control goals of the operations process b. recommended control plans including both present and missing controls c. control goals of the information process d. control goals of the management process

B. Recommended control plans including both present and missing controls

Which of the following has the responsibility to ensure the security of all IT resources? a. steering committee b. security officer c. CIO d. systems analyst

B. Security officer

IN a IT Department, which of the following reporting relationship makes the least sense? a. The security supervisor reports to the CIO. b. The access control officer reports to the security supervisor. c. The business analyst reports to the implementation supervisor. d. The data entry manager reports to the data center manager.

B. The access control officer reports to the security supervisor.

Application documentation that describes the application and contains instructions for preparing inputs and using outputs is a(n): a. operations run manual b. user manual c. program documentation d. systems documentation

B. User manual

The controlled access to data, programs, and documentation is a principal responsibility of which of the following functions? a. access control b. data preparation (data entry) c. access control officer d. computer operator

C. Access control officer

Automated business process controls contained within IT systems are called: a. preventive controls b. pervasive controls c. application controls d. management controls

C. Application controls

Which of the following is not one of COBIT's five domains? a. align, plan, and organize b. build, acquire, and implement c. assess, repair, and replace d. evaluate, deliver, and monitor

C. Assess, repair, and replace

A warehouse supervisor prepares a sales order listing items to be shipped to a customer and then signs it approving the removal of the items from the warehouse. The supervisor is performing which functions? a. authorizing events and safeguarding of resources b. executing and recording events c. authorizing and executing events d. authorizing and recording events

C. Authorizing and executing events

Alternative names for contingency planning include all of the following except: a. disaster recovery planning b. business interruption planning c. business disaster planning d. business continuity planning

C. Business disaster planning

____ relate to a specific AIS process, such as billing or cash receipts. a. Control procedures b. Information processing procedures c. Business process control plans d. Operations system control plans

C. Business process control plans

Planning IT acquisition and development is typically is a major duty of the: a. steering committee b. security supervisor c. CIO d. operations supervisor

C. CIO

Which of the following has the responsibility of efficient and effective operation of IT? a. steering committee b. security supervisor c. CIO d. systems analyst

C. CIO

A process captures only authorized transactions but fails to record them only once. Which control goal does this fail to achieve? a. validity b. accuracy c. completeness d. effectiveness

C. Completeness

____ are the policies and procedures that help ensure that the risk responses are effectively carried out. a. Control environment b. Risk assessment c. Control activities d. Monitoring

C. Control Activities

A tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans is: a. ERM b. control plans c. control matrix d. internal controls

C. Control Matrix

Having too many control plans directed at the same control goal is called: a. control efficiency b. control effectiveness c. control redundancy d. control completeness

C. Control Redundancy

Which of the following describes COSO's five interrelated components of internal control? a. internal environment, objective setting, event identification, risk assessment, monitoring b. auditor independence, corporate responsibility, financial disclosures, corporate and criminal fraud accountability, white-collar crime penalty enhancements c. control environment, risk assessment, control activities, information and communication, monitoring activities d. strategic, operations, reporting, compliance, monitoring

C. Control environment, risk assessment, control activities, information and communication, monitoring activities.

A control that involves reprocessing transactions that are rejected during initial processing is an example of: a. preventive controls b. detective controls c. corrective controls d. programmed controls

C. Corrective controls

Discrepancies between data items recorded by a system and the underlying economic events or objects they represent are a violation of the control goal of: a. ensure input validity b. ensure input completeness c. ensure input accuracy d. ensure update completeness

C. Ensure input accuracy

A programming error causes the sale of an inventory item to be added to the quantity on hand attribute in the inventory master data. Which control goal was not achieved? a. ensure update completeness b. ensure input accuracy c. ensure update accuracy d. ensure input completeness

C. Ensure update accuracy

Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure update accuracy d. ensure update completeness

C. Ensure update accuracy

A deliberate act or untruth intended to obtain unfair or unlawful gain is a(n): a. audit b. embezzlement c. fraud d. theft

C. Fraud

The IT function's key control concern is that organization and IT strategic objectives are misaligned: a. CIO b. quality assurance c. IT steering committee d. systems development manager

C. IT steering committee

Pervasive control plans: a. are unrelated to applications control plans b. are a subset of applications control plans c. influence the effectiveness of applications control plans d. increase the efficiency of applications control plans

C. Influence the effectiveness of applications control plans

Events that could have a positive impact on organizational objectives: A. controls B. fraud C. opportunities D. risks

C. Opportunities

A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is: a. Enterprise risk management b. Internal control c. Organizational governance d. Risk assessment

C. Organizational Governance

The purpose of ____ control goals is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse. a. efficiency b. effectiveness c. security d. input

C. Security

Which of the following is not a strategic planning process? a. IT-related requirements to comply with industry, regulatory, legal, and contractual obligations, including privacy, transborder data flows, e-business, and insurance contracts. b. Acquisition and development schedules for hardware, software, and application systems and for personnel and financial requirements. c. Systems development life-cycle adoption to ensure that comprehensive documentation is developed for each application. d. An inventory of current IT capabilities.

C. System development life-cycle adoption to ensure that comprehensive documentation is developed for each application.

The section of Sarbanes-Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is: a. Title I Public Company Accounting Oversight Board b. Title II Auditor Independence c. Title III Corporate Responsibility d. Title IV Enhanced Financial Disclosures

C. Title III Corporate Responsibility

Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once? a. ensure input validity b. ensure update accuracy c. ensure input completeness d. ensure update completeness

C. ensure input completeness

In an IT Department, all of the following functions might logically report to the operations supervisor except: a. quality assurance analyst b. help desk manager c. database administrator d. access control officer

D. Access control officer

As described in COSO 2013, elements of risk assessment might include which of the following? a. specifying objectives with clarity b. identifying risks to the achievement of its objectives c. considering the potential for fraud d. all of the choices are correct

D. All of the choices are correct

As described in COSO, elements of control activities might include which of the following? A. Selecting control activities that contribute to the mitigation of risks B. Selecting control activities to support the achievement of objectives C. Deploying control activities through procedures that put policies into action D. all of the choices are correct

D. All of the choices are correct

As described in COSO, elements of control environment might include the following: A. commitment to the importance of control B. reward systems C. tone at the top of the organization D. all of the choices are correct

D. All of the choices are correct

The major reasons for exercising control of the organization's business processes include: a. to provide reasonable assurance that the goals of the business are being achieved b. to mitigate risks of fraud and other intentional and unintentional acts c. to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations d. all of the choices are correct

D. All of the choices are correct

The COSO 1992 definition of internal control defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in which category? a. effectiveness of operations b. reliability of financial reporting c. compliance with applicable laws and regulations d. all of the choices are correct

D. All of the choices are correct.

Which of the following statements is true? a. Management has a legal responsibility to protect an organization's informational assets. b. Proper protection of organizational information from unauthorized use required both physical and logical controls. c. The unauthorized disclosure of financial information is a violation of federal securities laws. d. All of the choices are correct.

D. All of the choices are correct.

Assuring that the accounts receivable master data reflects all cash collections recorded in the cash receipts event data addresses the control goal of: a. ensure input accuracy b. ensure input completeness c. ensure update accuracy d. ensure update completeness

D. Ensure update completeness

Who is legally responsible for establishing and maintaining an adequate system of internal control? a. the board of directors b. stakeholders c. investors d. management

D. Management

____ is a process that evaluates the quality of internal control performance over time. a. Control environment b. Risk assessment c. Control activities d. Monitoring

D. Monitoring

Events that could have a negative impact on organizational objectives: A. opportunities B. embezzlement C. fraud D. risks

D. Risk

An outside auditing firm annually supervises a physical count of the items in a retail store's shelf inventory. This is an example of: a. authorizing events b. executing events c. recording events d. safeguarding resources

D. Safeguarding resources

Control goals of operations processes include: a. validity b. the control environment c. accuracy d. security of resources

D. Security of resources

The ERM framework addresses four categories of management objectives. Which category concerns high-level goals, aligned with and supporting its mission. a. compliance b. operations c. reporting d. strategic

D. Strategic

Risk assessment is best described by: A. Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. B. Management selects whether to avoid, accept, reduce, or share risk—developing a set of actions to align risks with the entity's risk tolerances and risk appetite. C. The entirety of enterprise risk management is monitored and modifications made as necessary. D. The likelihood and impact of risks are analyzed, as a basis for determining how they should be managed.

D. The likelihood and impact of risks are analyzed, as a basis for determining how they should be managed.

The section of Sarbanes-Oxley that requires each annual report filed with the SEC to include an internal control report is: A. Title I Public Company Accounting Oversight Board B. Title II Auditor Independence C. Title III Corporate Responsibility D. Title IV Enhanced Financial Disclosures

D. Title IV Enhanced Financial Disclosures.

A corrective control plan is designed to discover problems that have occurred.

FALSE

A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.

FALSE

A small organization that does not have enough personnel to adequately segregate duties must rely on alternative controls, commonly called resources controls.

FALSE

According to COSO, monitoring has often been overused by organizations.

FALSE

Alternative control plans are commonly called collusion controls.

FALSE

Application controls restrict access to data, programs, and documentation.

FALSE

COBIT 5 is more procedure-based than COBIT 4.1

FALSE

COBITs definition of internal control diverges from COSOs

FALSE

Control effectiveness addresses how individual control plans achieve multiple control goals.

FALSE

Control efficiency addresses whether control goals are being achieved.

FALSE

Operations process control goals include input goals and update goals.

FALSE

Security goals are part of operation process control goals.

FALSE

Segregation of duties software works poorly with major ERP systems.

FALSE

The IS function with the principal responsibilities of ensuring the security of all IT resources is data control.

FALSE

The chief information officer (CIO) prioritizes and selects IT projects and resources.

FALSE

The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.

FALSE

The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.

FALSE

The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes.

FALSE

The external environment is a system of integrated elements - people, structures, processes, and procedures - acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.

FALSE

The highest level of control plans are pervasive controls.

FALSE

The information system functions is synonymous with the accounting function

FALSE

The operations run manual describes users procedures for an application and assists the use in preparing inputs and using outputs.

FALSE

The purpose of security controls is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.

FALSE

The user manual gives detailed instructions to computer operators and to data control about a particular application.

FALSE

Under the Sarbanes-Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.

FALSE

In input validity, the edits reduce input errors.

FALSE - Input Accuracy

In input accuracy, the edits reduce the possibility of the input of invalid events.

FALSE - Input Validity

The key provisions of SOX are that SOX created a new accounting oversight board - PCAOB

FALSE - SOX did not create PCAOB, but high-lighted the importance of PCAOB role.

A batch of business events is accurately entered into a business event data store, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.

TRUE

A control matrix is a tool that assists in evaluating the potential effectiveness of control goals in a particular business process.

TRUE

A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.

TRUE

A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable laws and regulations.

TRUE

A policy is a plan or process put in place to guide actions and thus achieve goals.

TRUE

Access control software ensures that only authorized users gain access to a system through a process of identification and authentication.

TRUE

According to COBIT, IT resources include applications, information, infrastructure, and people.

TRUE

According to COBIT, IT resources must be managed by IT control processes to ensure that an organization has the information it needs to achieve its objectives.

TRUE

Alternative control plans are commonly called compensatory controls.

TRUE

An important update COSO 2013 made to SAS No. 78 and related audit literature is the promulgation of seventeen principles.

TRUE

Automation of segregation of duties may provide a more efficient and effective system of internal control in automated processes.

TRUE

Biometric identification system identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, or writing dynamics.

TRUE

Business continuity planning is the process that identifies events that may threaten an organization and provide a framework whereby the organization will continue to operate when the threatened event occurs or resumes operations with a minimum of disruption.

TRUE

Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts.

TRUE

COBIT 5 has five domains and seven enablers.

TRUE

COSO 1992 and 2013 describe five interrelated components of internal control.

TRUE

Combining the functions of authorizing and executing is a violation of the organizational control plan known as segregation of duties.

TRUE

Combining the functions of authorizing and recording events is a violation of organizational control plan known as segregation of duties.

TRUE

Control efficiency relates to ensuring hat resources are being employed in the most productive manner.

TRUE

Control redundancy addresses whether too many control plans are directed towards the same control goals.

TRUE

Controls to prevent unauthorized execution of events help prevent fraud by ensuring that only valid.

TRUE

Ensuring the security of resources is the control goal that seeks to provide protection of an organization's resources from loss, destruction, disclosure, copying, sale or other misuse of an organization's resources.

TRUE

Establishing and maintaining a viable internal control system is the responsibility of management.

TRUE

Event identification is used to identify risk and opportunities that would affect achievement of an organization's objectives

TRUE

IT governance is a process that ensures that the organization's IT sustains and extends the organization's strategies and objectives.

TRUE

In the control matrix, goals are listed across the top of the matrix.

TRUE

Input control goals include those to ensure input validity, input completeness, and input accuracy.

TRUE

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness of operations; reliability of financial reporting compliance with applicable laws and regulations.

TRUE

Management is responsible for establishing and maintaining an adequate system of internal controls.

TRUE

Monitoring is a process that assesses the quality of internal control performance over time.

TRUE

Organizational governance is a process by which organizations select objectives establish processes to achieve objectives, and monitor performance.

TRUE

People and computers should always be considered in the efficiency assessments related to accounting information systems.

TRUE

Pervasive controls are an important element in organizational governance and IT governance initiatives.

TRUE

Pervasive controls plans influence the effectiveness of the control plans at lower levels of the control.

TRUE

Procedures for rejected inputs include input completeness and input accuracy.

TRUE

Programs documentation provides a description of an application program and usually includes the program's purpose, program flowcharts, and source code listing.

TRUE

Section 404 mandates the annual filing of an internal control report of each audited (i.e., publicly traded) company to the SEC.

TRUE

Segregation of duties consists of separating the four functions of authorizing events, executing events, recording events, and safeguarding the resources resulting from consummating the events.

TRUE

Specifying control goals is the first step in preparing a control matrix.

TRUE

Systems documentation provides an overall description of the application, including the system's purpose; an overview of system procedures and sample source documents, outputs, and reports.

TRUE

The IS function of quality assurance conducts review to ensure the attainment of IT objectives.

TRUE

The IS function with the responsibility of guiding the IT organization in establishing and meeting user information requirements is the IT steering committee.

TRUE

The IT steering committee guides the IT organization in establishing and meeting user information requirements and in ensuring the effective and efficient use of its resources.

TRUE

The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization.

TRUE

The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.

TRUE

The function composed of people, procedures, and equipment is typically called the information systems department, IS department, or the IT department is the information systems organization.

TRUE

The system of controls used in this text consists of the controls environment, pervasive control plans, IT general controls, and business process and application control plans.

TRUE

To exploit the system and conceal abuse collusion would need to occur between one or more person (or department).

TRUE

Under the Sarbanes-Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports.

TRUE

Under the Sarbanes-Oxley Act of 2002, the section on Enhanced Financial Disclosures require each annual report filed with the SEC to include an internal control report.

TRUE

Update control goals of the information process ensure update completeness and update accuracy.

TRUE

Valid input data are appropriately authorized and represent actual economic events and objects.

TRUE

Within the data center, the data control group is responsible for routing all work into and out of the data center, correcting errors, and monitoring error correction.

TRUE

Which of the following statements regarding a system of internal control is false? a. Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlement. b. Internal control systems depend largely on the competency and honesty of people. c. Because internal control systems have a cost, management should evaluate the cost/benefit of each control plan. d. The development of an internal control system is the responsibility of management.

a. Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlement.

A control goal that is a measure of success in meeting a set established goals is called: a. effectiveness b. monitoring c. efficiency d. risk

a. effectiveness

As described in COSO, elements of a monitoring might include which of the following? a. selecting and developing evaluations to ascertain whether the components of internal control are functioning b. performing evaluations to ascertain whether the components of internal control are functioning c. communicating internal control deficiencies in a timely manner to those parties responsible for taking corrective action d. all of the choices are correct

d. all of the choices are correct

As described in COSO, elements of information and communication might include which of the following? a. using relevant, quality information to support the functioning of internal control b. internally communicating information to support the functioning of internal control c. communicating information with external parties regarding matters affecting the functioning of internal control d. all of the choices are correct

d. all of the choices are correct