BEC
Which of the following components of internal control encompass policies and procedures that ensure that management's directives are carried out? The control environment. Monitoring. Control activities. Information and communication.
Control activities. This answer is correct. Control activities encompass policies and procedures that ensure that management's directives are carried out.
This fundamental component of internal control is the core or foundation of any system of internal control. Control activities. Control environment. Information and communication. Risk assessment.
Control environment. The control environment is "...the core or foundation of any system of internal control."
Audit committee members of issuers are required, under the Sarbanes-Oxley Act of 2002, to maintain which of the following traits? Integrity. Diligence. Independence. Proficiency.
Independence. Correct! SOX requires audit committee members to be independent of the firm.
A heat map used as a part of assessing risks plots the ___________________ on the vertical axis against the ___________________ on the horizontal axis. likelihood rating; impact ratings. inherent risk; risk appetite. target residual risk; actual residual risk. internal control; inherent risk.
likelihood rating; impact ratings. Correct! A heat map that is used in assessing the severity of risk plots the likelihood of the risk occurring on the vertical axis against the impact of the risk, should it occur, on the horizontal axis.
An investment firm determines that investments in bitcoin are highly risky. For its portfolio, it sets a minimum investment of 3% and a maximum investment of 8% in bitcoin. This is an example of setting risk target (minimum) and risk roof (maximum). risk roof (minimum) and risk target (maximum). risk floor (minimum) and risk ceiling (maximum). risk ceiling (minimum) and risk floor (maximum).
risk roof (minimum) and risk target (maximum). Correct! A risk floor is a statement of the minimum amount of risk that an entity desires. A risk ceiling is a statement of the maximum amount of risk that an entity desires.
Match each statement below with the appropriate term that best describes it: I. After considering implemented controls, the desired level of the risk of a major cyber attack is low. II. Before considering controls, the level of risk of a major cyber attack is high. III. After considering implemented controls, the level of the risk of a major cyber attack is medium. Internal control; inherent risk; target residual risk. target residual risk; internal control; inherent risk. target residual risk; actual residual risk; assessed risk. target residual risk; inherent risk; actual residual risk.
target residual risk; inherent risk; actual residual risk Correct! Target residual risk is the desired risk after implementing a response. Statement I is a statement of target residual risk. Inherent risk is the risk, absent actions to change it. Statement II is a statement of inherent risk. Actual residual risk is the risk that remains after responding to it. Statement III is a statement of actual residual risk.
To be willing to accept higher risk, an organization should expect _________ A higher strategy. Vision questing. A higher return. A lower performance severity.
A higher return. Correct! In return for higher risk, an organization should expect to receive a higher expected return.
Which of the following are reasons that internal controls need to be monitored? People forget, quit jobs, get lazy, or come to work hung over. Machines fail. Advances in technology. All of the above.
All of the above. All of the above are reasons internal controls need to be monitored.
Which of the following components of internal control would encompass the routine controls over business processes and transactions? The control environment. Information and communication. Control activities. Risk assessment.
Control activities. Control activities, policies and procedures are designed to assure that management's directives are followed.
Multi National United Corporation is a private contractor that relocates aliens to temporary housing facilities. On its company home page, the company lists the following words: "integrity," "professional," "teamwork," and "security." These words are probably part of the company's ____________ Core values. Mission statement. Statement of position (SOP). Vision.
Core values. Correct! These adjectives are most likely statements of the company's core values, which are the entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, and are statements that influence the behavior of the organization.
Which of the following factors is not included in the control environment component of internal control? Commitment to competence. Organizational structure. Integrity and ethical values. Information and communication.
Information and communication. This answer is correct. Information and communication is a separate component of internal control.
According to COSO, which of the following components of enterprise risk management addresses an entity's integrity and ethical values? Information and communication. Internal environment. Risk assessment. Control activities.
Internal environment. Integrity and ethical values are part of the internal environment.
Which of the following components of internal control are characterized by ongoing activities and separate evaluations? The control environment. Risk assessment. Monitoring. Information and communication.
Monitoring. This answer is correct. Monitoring is characterized by ongoing activities and separate evaluations.
Which of the following situations most clearly illustrates a breach of fiduciary duty by one or more members of the board of directors of a corporation? A corporation previously has distributed 50% of its earnings as dividends. This year it has annual earnings per share of $2, and the board of directors voted 4 to 1 against paying any dividend to finance growth. A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board (absent the vendor co-owner) unanimously approved the purchase. Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years that the fifth person has been a director, the individual did not attend two other meetings. A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation.
A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same city that would have been suitable for use by the corporation. Correct! This director has breached a fiduciary duty by appropriating a business opportunity (to acquire retail space) for himself or herself.
Which of the following is a general control rather than a transaction control activity? Technology development policies and procedures. Reconciliations. Physical controls over assets. Controls over standing data.
Technology development policies and procedures. (Correct!) This answer is correct because technology development policies and procedures are part of the general controls.
Which of the following bodies has developed a framework for enterprise risk management? The Committee of Sponsoring Organizations (COSO). The American Institute of Certified Public Accountants (AICPA). The Public Company Accounting Oversight Board (PCAOB). The Institute of Risk Management Professionals (IRMP).
The Committee of Sponsoring Organizations (COSO). This answer is correct. COSO has developed a framework for enterprise risk management.
This is the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives. Control activities. Control environment. Information and communication. Risk assessment.
Risk assessment. Risk assessment is "...the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives."
Umbrella Corporation sells office and factory equipment. Company management is concerned that the company has not assumed sufficient risks in opening new offices. Which of the following results would best indicate that the company has not assumed sufficient risk? The company opened more new offices than expected. A 4% decrease in calls to the whistleblower hotline. Firing the CRO. The planning and logistics team, which is responsible for opening new offices, is operating below capacity.
The planning and logistics team, which is responsible for opening new offices, is operating below capacity. Correct! The availability of unused resources for opening new offices would indicate that the company has not assumed sufficient risk.
Which of the following is least likely to trigger a review and revision to an organization's ERM practices? The purchase and implementation of a system that enables real-time monitoring of customer satisfaction and complaints. A sales growth rate that is 2½ times that which was expected. A 4% increase in calls to the whistleblower hotline. Firing the CRO.
A 4% increase in calls to the whistleblower hotline. Correct! A relatively small (here 4%) increase in calls to a whistleblower hotline is the least likely event listed to trigger a review and revision to the organization's ERM practices.
According to COSO, which of the following activities provides an example of a top-level review as a control activity? Computers owned by the entity are secured and periodically compared with amounts shown in the records. A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. Reconciliations are made of daily wire transfers with positions reported centrally. Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.
A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. Correct! The performance review of the marketing plan is an example of a top-level review control activity.
Which of the following is the best definition of a compensating control? A control that accomplishes the same objective as another control. A condition within an internal control system requiring attention. The targets against which the effectiveness of internal control is evaluated. Metrics that reflect critical success factors.
A control that accomplishes the same objective as another control. This is the best answer. It is the definition of a compensating control.
Public company audit committees must contain which of the following? A majority of independent directors. An accounting expert. A financial expert. A legal expert.
A financial expert. Correct! SOX requires that every audit committee of a public company have at least one "financial expert" with (a) an understanding of GAAP and financial statements; (b) experience in preparing or auditing financial statements; (c) experience with internal auditing controls; and (d) an understanding of audit committee functions.
Which of the following statements is true regarding internal control objectives of information systems? Primary responsibility of viable internal control rests with the internal audit division. A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies. Control objectives primarily emphasize output distribution issues. An entity's corporate culture is irrelevant to the objectives.
A secure system may have inherent risks due to management's analysis of trade-offs identified by cost-benefit studies.
Controls in the information technology area are classified into the categories of preventive, detective, and corrective. Which of the following is a preventive control? Contingency planning. Hash total. Echo check. Access control software.
Access control software. Access control software is a preventive control.
Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control? Contingency planning. Hash total. Echo check. Access control software.
Access control software. This answer is correct. A preventive control is designed to prevent a misstatement from occurring. Access control software prevents unauthorized individuals from gaining access to a system or application and therefore prevents unauthorized transactions or changes in data.
An important benefit of an enterprise risk management system is Alignment of shareholder returns with management returns. Alignment of management risk taking with employee risk appetite. Alignment of management risk taking with shareholder risk appetite. Alignment of management risk taking with creditor risk appetite.
Alignment of management risk taking with shareholder risk appetite. This answer is correct. A major aspect of an enterprise risk management system is the alignment of management risk taking with shareholder risk appetite.
The IT department at Piggy Parts BBQ has recently learned of phishing attempts that rely on social engineering to break into its financial systems. Information about these attempts should be communicated to: Internal auditors. Other personnel. All personnel. Support functions.
All personnel. (Correct!) This answer is correct because information about social engineering efforts to break into systems should be communicated to all personnel.
Which of the following is not an advantage of the employment of an enterprise risk management (ERM) system? Helps an organization seize opportunities. Allows an organization to eliminate all risks. Improves the deployment of capital. Reduces operational surprises.
Allows an organization to eliminate all risks. This answer is correct. An ERM system does not eliminate all risks.
Henry Higgins of Jiffy Grill has learned that the controller is likely embezzling money to fund an expensive drug and gambling habit. Ideally, Henry should communicate this information to: The controller. His boss. An anonymous hotline set up by Jiffy Grill. His employees.
An anonymous hotline set up by Jiffy Grill. (Correct!) If Jiffy Grill has an anonymous hotline set up for this purpose, then this is the best way to communicate this information.
Which of the following is not true regarding the information and communication component of internal control? The information system captures both internal and external sources of data. The information and communication component involves developing channels for communication from external stakeholders. A whistleblower hotline is an important aspect of the information and communication component. An important aspect of the information and communication component is assessment of information about fraud.
An important aspect of the information and communication component is assessment of information about fraud. This item is related to the risk assessment component.
In a public company, which of the following officers must certify the accuracy of their firms' financial statements as filed with the SEC? CEO and CAO. CAO and CFO. CFO and CEO. CEO and COO.
CFO and CEO Correct! SOX requires both the CEO and the CFO, but no other officers, to certify the accuracy of their firms' audited financial statements when filed with the SEC.
Which of the following is an example of a detective control? Use of pre-formatted screens for data entry. Comparison of data entry totals to batch control totals. Restricting access to the computer operations center to data-processing staff only. Employing a file librarian to maintain custody of the program and data files.
Comparison of data entry totals to batch control totals. Reconciliation of data entry totals with batch control totals will detect errors made by the data entry clerks.
According to the COSO framework, evaluators who monitor controls within an organization should have which of the following sets of characteristics? Competence and objectivity. Respect and judgment. Judgment and objectivity. Authority and responsibility.
Competence and objectivity. (Correct!) COSO indicates that the evaluator must have competence and objectivity. The other answers are incorrect because they do not describe the desired characteristics.
According to the COSO framework, evaluators that monitor controls within an organization should have which of the following set of characteristics? Competence and objectivity. Respect and judgment. Judgment and objectivity. Authority and responsibility.
Competence and objectivity. COSO indicates that the evaluator must have competence and objectivity.
Ashley's Tree and Trim has an automated system that monitors system access events and reports them, in real time, to the IT security manager. This type of monitoring is: Continuous. Self. XBRL-enabled. Supervisory.
Continuous. (Correct!) This monitoring occurs continuously.
Which of the following is not a control environment principle? Commitment to integrity and ethical values. Board of directors or audit committee independence and oversight. Competence. Control monitoring.
Control monitoring. Control monitoring is a separate component of internal control.
For the past three years, the management of AlphaCentaur Products, a U.S.-based company, has paid money to the Minister of Trade and Technology for the government of ChipstatLand (an Eastern European country) to obtain government contracts to purchase computers, software, and network products. These activities have increased AlphaCentaur's sales by 20%. These actions can best be described as Reporting fraud: nonfinancial. Misappropriation of assets. Corruption and illegal acts. Reporting fraud: financial.
Corruption and illegal acts. Correct! The scenario describes the payment of bribes, which indicates corruption on the part of the government officials and a violation of the Foreign Corrupt Practices Act by AlphaCentaur.
Devon Company is using an enterprise risk management system. Management of the company has set the company's objectives, identified events, and assessed risks. What is the next step in the enterprise risk management process? Establish control activities to manage the risks. Monitor the risks. Determine responses to the risks. Identify opportunities.
Determine responses to the risks. The next step in the process is to determine the risk responses to the assessed risks.
The CEO of Duke & Duke has been known to yell at employees. When the board first hears about such behavior, the role of the board in relation to the CEO's behavior is most likely to be to: Determine if the board is independent of the CEO. Define the organizational culture as risk averse. Fire the CEO. Discuss the CEO's behavior and challenge the CEO to overcome these issues.
Discuss the CEO's behavior and challenge the CEO to overcome these issues. Correct! This action is best supported by COSO's ERM framework. The board must challenge the CEO to address his or her behavior.
Tyrell Corporation, a start-up company, develops and manufactures robotic applications for use in manufacturing facilities. The company CEO is considering implementing two statements of company-wide risk appetite: The company will not invest more than 5% of its capital budget in projects that are categorized as high risk. The company will ensure that it realizes at least 80% of expected earnings at a 95% level of confidence. How should the CEO proceed with consideration of the proposed statements of risk appetite? Determine if the board is independent of the CEO. Define the organizational culture as risk averse. Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors. Discuss the proposed risk appetite statements with the management and risk management teams.
Discuss the proposed risk appetite statements with major company stakeholders, including the management and risk management teams, and the board of directors. Correct! The next step in adopting company-wide statements of risk appetite is to discuss these statements with, at a minimum, management and risk management teams and the board of directors. The CEO may also want to hold workshops related to defining risk appetite.
The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) in the professional standards includes the reliability of financial reporting, compliance with applicable laws and regulations, and ____________. Effectiveness and efficiency of operations. Effectiveness of prevention of fraudulent occurrences. Incorporation of ethical business practice standards. Safeguarding of entity assets.
Effectiveness and efficiency of operations. This answer is correct. The requirement is to identify the reply that is part of the definition of internal control developed by the Committee of Sponsoring Organizations (COSO). COSO defines internal control as a process—effected by an entity's board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Which of the following is not an advantage of establishing an enterprise risk management system within an organization? Reduces operational surprises. Provides integrated responses to multiple risks. Eliminates all risks. Identifies opportunities.
Eliminates all risks. An enterprise risk management system does not seek to eliminate all risks. Risks are avoided, reduced, shifted, or accepted based on the risk appetite of the organization.
Which of the following statements is false (untrue) regarding data analytics, data mining, and risk assessment? Emerging data analytic methods are unhelpful to risk assessment. Emerging data mining methods can help detect previously hidden relationships. Data analytic methods can help evaluate assumptions found in an organization's strategy. Key risk indicators can be used to identify risk changes.
Emerging data analytic methods are unhelpful to risk assessment. Correct! This statement is false, and therefore it is the correct answer. In fact, many emerging data analytic methods are critical to risk assessment (e.g., data mining, data visualization, heat mapping, sentiment analysis).
According to COSO, the presence of a written code of conduct provides for a control environment that can Override an entity's history and culture. Encourage teamwork in the pursuit of an entity's objectives. Ensure that competent evaluators are implementing and monitoring internal controls. Verify that information systems are providing persuasive evidence of the effectiveness of internal controls.
Encourage teamwork in the pursuit of an entity's objectives. Correct! A code of conduct helps facilitate shared goals and encourages teamwork.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? Fraudulent reporting of employees' own hours. Errors in employees' overtime computation. Inaccurate accounting of employees' hours. Recording of other employees' hours.
Errors in employees' overtime computation. This is the best answer. Computing overtime requires a calculation (total hours - normal hours = overtime hours) that is independent of the system described. That is, the addition of a time clock and video camera will not directly help in allocating hours worked between normal and overtime hours. The other answers describe exposures that the new system directly addresses, so they are bad choices. Therefore, this is the best answer of the available choices.
The Wasabi Electronics employee survey related to fraud risk includes this question: "Employees who report suspected improprieties are protected from reprisal." This question best relates to which of the following fraud management principles and processes? Establishing a fraud risk management program. Selecting, developing, and deploying fraud controls. Selecting, developing, and deploying evaluation and monitoring processes. Establishing a communication program to obtain information about potential frauds.
Establishing a communication program to obtain information about potential frauds. Correct! This survey question is asking about employees' willingness to communicate fraud risks. Therefore, the question directly relates to the company's processes for establishing a communication program to obtain information about potential frauds.
According to COSO, what is the first ongoing monitoring step in evaluating the effectiveness of an internal control system? Establishing a control baseline. Identifying changes in internal control that have taken place. Re-evaluating the design and implementation to establish a new baseline. Periodically revalidating operations where no known change has occurred.
Establishing a control baseline. Correct! This is the first step in evaluating the effectiveness of an internal control system.
A public company audit committee's "financial expert" must have all of the following except: An understanding of GAAP and financial statements. Experience in preparing or auditing financial statements of comparable companies and application of such principles in connection with accounting for estimates, accruals, and reserves. Experience with internal auditing controls. Experience on a public company's compensation committee.
Experience on a public company's compensation committee. Correct! SOX does not require that a "financial expert" have experience on a compensation committee. It does require that she have an understanding of GAAP and GAAS, an ability to assess the general application of these principles, experience in preparing, auditing, analyzing or evaluating financial statements, an understanding of internal controls and procedures for financial reporting, and an understanding of audit committee functions.
Kentucky Fried Opossums reports annually on its environmental impact to the Commonwealth of Kentucky. This is an example of: Internal, financial reporting. Internal, nonfinancial reporting. External, financial reporting. External, nonfinancial reporting.
External, nonfinancial reporting (Correct!) This answer is correct because this is an external report, and it is nonfinancial. (Environmental impact is not in currency.)
Every audit committee of a public company must have at least one: Legal expert who understands the liabilities that public companies can face if they misreport financial information. Financial expert who understands GAAP and financial statements. Ethics expert who is familiar with Immanuel Kant's writings. Accounting expert who is familiar with the AICPA Code of Professional Conduct.
Financial expert who understands GAAP and financial statements. Correct! SOX requires financial experts (who often have accounting experience), but not legal experts or "accounting experts" familiar with the AICPA Code.
Public company external audit firms must audit their clients': Financial statements. Internal controls. Financial statements and internal controls. Neither financial statements nor internal controls.
Financial statements and internal controls. Correct! SOX requires the auditors of public companies to audit both their financial statements and their internal controls.
BigWig Costume Rentals recently implemented an initiative to attract and retain web programmers and systems analysts as a part of its expanded web development to support online sales. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture. Performance. Strategy and Objective-Setting. Information, Communication, and Reporting.
Governance and Culture. Correct! Governance is the allocation of roles, authorities, and responsibilities among stakeholders including attracting, retaining, and developing capable individuals. The listed activities are part of COSO ERM Principle 5, which relates to attracting, retaining, and developing capable individuals.
Compared to a more risk-averse entity, the ERM of a more risk-aggressive entity demands __________. Greater integration. A discrete, autonomous ERM unit. Lower-velocity data. Lower performance expectations.
Greater integration. Correct! Accepting more risk requires greater integration of the ERM function into the entity's structure and processes compared to a more risk-averse entity. This is because the ERM unit in a risk-aggressive entity must monitor risk information more quickly and nimbly than a risk-averse entity. Monitoring risk information quickly requires greater integration.
According to the 17 COSO control principles, information quality primarily relates to which fundamental component of internal control? Control activities. Control environment. Information and communication. Monitoring.
Information and communication. According to the COSO principles, the information and communication component primarily relates to the quality of information supporting controls, and to internal and external communications.
The component of COSO's framework for internal control that includes the goal of proper measurement of transactions is The control environment. Control activities. Information and communication. Monitoring.
Information and communication. This answer is correct. This is one of the goals of the information and communication system.
Dennis Rodman's Shoes and Shinola recently implemented a whistleblower hotline to facilitate the reporting of events and concerns related to potential violations of its code of conduct. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture. Performance. Strategy and Objective-Setting. Information, Communication, and Reporting.
Information, Communication, and Reporting. Correct! Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. The listed activities are part of COSO ERM Principle 19, which relates to creating communication channels that support ERM.
Pierce and Pierce is an investment and brokerage company that manages client investments and seeks exceptional market opportunities for these clients. The company recently issued a report on its investment philosophy and risk management culture. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture. Performance. Strategy and Objective-Setting. Information, Communication, and Reporting.
Information, Communication, and Reporting. Correct! Communication is the process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. The listed activities are part of the information, communication and reporting process.
The ERM component that includes email, board meeting minutes, and reports as important elements is Governance and Culture. Performance. Review and Revision. Information, Communication, and Reporting.
Information, Communication, and Reporting. Correct! Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the organization's risk, culture, and performance. This is the component that includes email, board meeting minutes, and reports as important elements.
Covington Financial, a large financial services corporation, has a unit responsible for conducting regular, recurring reviews to prevent and detect fraud. This unit should be part of the ______ function at Covington. IT HR Legal Internal audit
Internal audit Correct! The primary responsibility for conducting regular, recurring reviews to prevent and detect fraud is best located within the internal audit function of an organization.
In a large public corporation, evaluating internal control procedures should be the responsibility of Accounting management staff who report to the CFO. Internal audit staff who report to the board of directors. Operations management staff who report to the chief operations officer. Security management staff who report to the chief facilities officer.
Internal audit staff who report to the board of directors. The key to recognizing the correctness of this answer is that the question asks who should engage in "evaluating" internal control procedures (not designing or implementing control procedures). Among the offered choices, an independent internal audit staff (i.e., one that reports to the board of directors or an audit committee, not to the CFO) is best qualified to monitor and evaluate internal control procedures.
Gimbly Cricket Corp. created a decision aid, linked to its data warehouse, to enable senior management to monitor, in real time, changes in oil production at its oil wells in Kazakhstan. This is an example of: Internal, financial reporting Internal, nonfinancial reporting. External, financial reporting. External, nonfinancial reporting.
Internal, nonfinancial reporting. (Correct!) This answer is correct because this is an internal report, and it is nonfinancial. (Oil production is not in currency.)
Farmers and Ranchers Credit Union has set the following statement of risk appetite: "Net credit losses will be really low." Which of the following claims regarding this statement are most accurate? It is vague and imprecise. It is excellent and appropriate. "Net credit losses" are not an appropriate metric for a statement of risk appetite. Statements of risk appetite must be stated in the active voice.
It is vague and imprecise. Correct! Statements of risk appetite should be measurable and precise, such as: "Net credit losses will be less than 1% of average loan balances." The statement given is too vague and imprecise.
According to the COSO ERM framework, which of the following is least likely to impede the independence of a board member? Jane was a partner at the accounting firm that conducted the organization's financial statement audit five years ago but has no existing business or contractual relationships with the entity or its key stakeholders currently. June has a material consulting contract with the organization related to facilitating marketing and sales promotion. Laura is a board member of the organization's major competitor. Megan has served on the board for 15 years.
Jane was a partner at the accounting firm that conducted the organization's financial statement audit five years ago but has no existing business or contractual relationships with the entity or its key stakeholders currently. Correct! The COSO ERM framework does not list former financial statement auditors as having a potential independence impediment regarding board membership. In addition, the absence of a current business or contractual relationship (as is the case here) is a consideration for a board member's independence. Hence, Jane's independence is not impaired, according to the COSO ERM framework.
Jeffrey Smiggles of Rajon Rondo Sportswear has developed a software application that helps monitor key production risks at company factories. In order to reduce costs, his approach to monitoring risks is likely to be: Monitor all risks using indirect information. Monitor all risks using direct information. Monitor more important risks using indirect information and less important risks using direct information. Monitor more important risks using direct information and less important risks using indirect information
Monitor more important risks using direct information and less important risks using indirect information (Correct!) Collecting direct information is often costlier than collecting indirect information. Hence, to reduce costs, less important risks are likely to be monitored with indirect information.
Which of the following is not a type of control under the control activity component of the COSO framework for internal control? Supervisory controls. Physical controls. Monitoring controls. Verifications.
Monitoring controls. Monitoring is a separate component of internal control.
Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? Control environment. Risk assessment. Information and communication. Monitoring.
Monitoring. Monitoring is the core, underlying control component in the COSO ERM model. Its position at the foundation is not accidental and reflects the importance of monitoring to achieving strong internal control and effective risk management. Ensuring that internal controls continue to operate effectively is the primary purpose of monitoring.
Which of the following is not a factor included in the control environment? Board of directors or audit committee participation. Commitment to competence. Monitoring. Organizational structure.
Monitoring. This answer is correct. Monitoring is one of the five interrelated components of internal control, not a factor of the control environment. The seven control environment factors are as follows: (1) integrity and ethical values, (2) commitment to competence, (3) human resource policies and practices, (4) assignment of authority and responsibility, (5) management's philosophy and operating style, (6) board of directors or audit committee participation, and (7) organizational structure.
Which of the following is the best description of the potential root cause of a risk? Emerging data analytic methods are unhelpful to risk assessment. Low staff morale contributes to the risk that key employees leave, creating high turnover. Lack of training increases the risk that processing errors and incidents occur. Operator processing errors will reduce the quality of manufacturing units.
Operator processing errors will reduce the quality of manufacturing units. Correct! This is a precisely stated risk (lower quality of manufactured units) that includes a potential root cause (i.e., operator processing errors).
Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities? Establishing a fraud risk management program Selecting, developing, and deploying fraud controls Selecting, developing, and deploying evaluation and monitoring processes Performing a comprehensive fraud risk assessment
Performing a comprehensive fraud risk assessment Correct! The company's use of a fraud risk heat map relates to performing a comprehensive fraud risk assessment.
Key risk indicators are Indicators of internal control quality. Substantively equivalent to KPIs. Predictive and usually quantitative. Used primarily by risk-aware, risk-averse entities.
Predictive and usually quantitative. Correct! KRIs are usually quantitative and are used to predict risks.
An organization relied heavily on e-commerce for its transactions. Evidence of the organization's security awareness manual would be an example of which of the following types of controls? Preventive. Detective. Corrective. Compliance.
Preventive. This answer is correct because the use of such a manual is designed to prevent breaches of security.
Which of the following statements presents an example of a general control for a computerized system? Limiting entry of sales transactions to only valid credit customers. Creating hash totals from Social Security numbers for the weekly payroll. Restricting entry of accounts payable transactions to only authorized users. Restricting access to the computer center by use of biometric devices.
Restricting access to the computer center by use of biometric devices. Restricting access to the computer center is an example of a general control.
Demanding higher performance usually requires accepting more _________. Tolerance Vision Risk Performance severity
Risk Correct! A higher performance, in most settings, requires accepting a higher level of risk.
Which of the following statements about risk appetite, tolerance, and risk indicators are true? Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at any level of the business. Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at any level of the business. Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at any level of the business.
Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at any level of the business. Correct! These are the correct descriptions of the relationship of these terms to the strategy development process.
According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions? Control activities Risk assessment Monitoring activities Information and communication
Risk assessment Correct! Risk assessment is the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives. Changes related to international exposure, acquisitions, or executive transitions create risks, which must be assessed, prioritized, and responded to.
According to the 17 COSO control principles, organizational objectives primarily relate to which fundamental component of internal control: Control activities. Control environment. Risk assessment. Monitoring.
Risk assessment. According to the COSO principles, risk assessment primarily relates to organizational objectives, risk assessment, fraud, and change management. Organizational objectives link to risk assessment since objectives help to define the risks that are to be assessed.
Riley, Ripley, and RudBack are builders of high-end (i.e., expensive) customized homes. They want to create a report on the risks that they face in their human resources function. Which level of reporting would be appropriate to this goal? Portfolio view Risk view Risk category view Risk profile view
Risk profile view Correct! The risk profile view would be at the level of a specific unit within the entity (i.e., the human resource function).
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in Risks. The law. Technology. Operating procedures.
Risks. Correct! This is the primary purpose of monitoring internal control.
The Greensburg Agriculture Products employee survey related to fraud includes this statement: "We are discouraged from sharing our computer passwords with others." This statement best relates to which of the following fraud management principles and processes? Establishing a fraud risk management program Selecting, developing, and deploying fraud controls Selecting, developing, and deploying evaluation and monitoring processes Establishing a communication program to obtain information about potential frauds
Selecting, developing, and deploying fraud controls Correct! This survey question is asking whether a specific fraud risk control is in place. The question relates to selecting, developing, and deploying fraud controls.
Due to 50% store growth year after year, monitoring internal controls at a national retail chain has come under tremendous pressure. According to COSO, which of the following responses would be appropriate under the circumstances to help restore effective monitoring? Decreasing the size of the corporate internal audit activities. Consolidating the data in the operational reports reviewed by the chief internal auditor. Shifting most of the monitoring responsibility to store managers and district managers. Having all the managers sign the corporate compliance policy on an annual basis.
Shifting most of the monitoring responsibility to store managers and district managers. Correct! Given the growth of stores, moving monitoring responsibility to those who are closer to the actual numbers is an effective action to improve effective monitoring.
AppleNCheese Food Products recently completed a systematic analysis of the political, economic, social, technological, legal, and environmental conditions that it expects in the short and the long term. This analysis most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Strategy and Objective-Setting Correct! The listed activities are the analysis of the business context, which occurs in the Strategy and Objective-Setting component of ERM.
Jiffy Grill has an ERP system. It has assigned responsibility for determining who has what access rights within the ERP system. Based on this, to whom is it most likely that Jiffy Grill has assigned this responsibility? Internal auditors. Other personnel. Management. Support functions.
Support functions. (Correct!) This answer is correct because support functions are most likely to have responsibility for determining system access.
Management of Johnson Company is considering implementing technology to improve the monitoring component of internal control. Which of the following best describes how technology may be effective at improving monitoring? Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Technology can assure that items are processed accurately. Technology can provide information more quickly. Technology can control access to terminals and data.
Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Monitoring involves collecting information to determine that controls are working.
Which of the following is a general control rather than a transaction control activity? Technology development policies and procedures. Reconciliations. Physical controls over assets. Controls over standing data.
Technology development policies and procedures. Technology development policies and procedures are part of the general controls.
CFO Mar has been complicit in her public company's accounting fraud. She consults a lawyer as it becomes time for filing her firm's 10-K with the SEC. She is a little uncomfortable about what she might have to do. The lawyer will likely tell her that she will have to certify (and be potentially criminally liable for lying about) all of the following matters except: That she has reviewed the 10-K. That her CPA license is active. That she, along with the CEO, is responsible for establishing and maintaining her company's internal controls. That she has recently evaluated the effectiveness of the firm's internal controls.
That her CPA license is active. Correct. This is the one choice of the four that need not be certified. It is a fine thing if Mar is a CPA and if her license is active, but neither is required by SOX.
Which of the following events is least likely to trigger a need for substantial change in a trucking company's strategy and business objectives? The organization implements a new, innovative AI-based system to monitor and allocate trucks to drivers and routes. The organization promotes the longtime CFO to the position of CEO. Annual sales grow at twice the expected rate. Federal legislation changes the number of hours that drivers can spend on the road and the number of consecutive days that they can drive.
The organization promotes the longtime CFO to the position of CEO. Correct! An internal promotion of a longtime member of the executive team is least likely to trigger a substantial change to an organization's strategy and business objectives.
Which of the following is the best description of the potential impact of a risk? The new ZYX product is more successful than planned. However, production capacity struggles to meet increased demand, resulting in delivery delays, unhappy customers, and adverse effects on the company's reputation. The risk of denial-of-service attacks due to legacy IT systems results in leaked customer data, regulatory penalties, loss of customers, and negative press. The risk of denial-of-service attacks impacts the company's ability to retain the confidentiality of customer data. The new ZYX product is more successful than planned. However, production capacity struggles to meet increased demand, resulting in unhappy top management.
The risk of denial-of-service attacks impacts the company's ability to retain the confidentiality of customer data. Correct! This is a precisely stated risk (denial-of-service attacks) that includes a precisely stated potential impact of the risk (i.e., inability to keep customer data confidential).
Which of the following is the best risk statement in relation to executive management's role in a major IT project undertaken by a large telecommunications company? The risk that executive management disregards project communications and meetings The risk that executive management disregards project communications and meetings, resulting in inadequate oversight, because of management's inattention and lack of focus The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems The risk that executive management disregards project communications and meetings, despite frequent efforts by the project management team to inform executive management of the importance of their involvement and engagement
The risk that executive management disregards project communications and meetings, which reduces project quality and the likelihood of successful integration with other systems Correct! A well-formed, precise risk statement should include a statement of the risk (which this one does) and a statement of the impact of the risk (which this one also does). In fact, this statement includes two outcomes or consequences of the risk, (1) lower project quality and (2) a lower likelihood of successful integration with other systems.
According to COSO, control systems fail for all of the following reasons except: They are not designed or implemented properly. They are properly designed and implemented but environment changes have occurred making the controls ineffective. They are properly designed and implemented but management overrides them making them ineffective. They are properly designed and implemented but the way they operate has changed making them ineffective.
They are properly designed and implemented but management overrides them making them ineffective. This answer is correct. It is a limitation for all control systems no matter how effectively designed and implemented.
Public company CEOs and CFOs must certify that: They are responsible for establishing and maintaining their firm's internal financial controls. They have hired an excellent auditing firm and have delegated to that firm ultimate responsibility for the accuracy of financial statements. They have taken lie detector tests regarding the accuracy of the financial statements. They are subject to firm codes of ethics policing the accuracy of financial statements.
They are responsible for establishing and maintaining their firm's internal financial controls. Correct! SOX requires the CEO and CFO to certify, among other things, that they are responsible for establishing and maintaining their firm's internal financial controls. It does not require lie detector tests, a promise that they have hired an excellent audit firm, or a statement that they are subject to a code of ethics policing the accuracy of the financial statements.
According to COSO, which of the following is a compliance objective? To maintain adequate staffing to keep overtime expense within budget. To maintain a safe level of carbon dioxide emissions during production. To maintain material price variances within published guidelines. To maintain accounting principles that conform to GAAP.
To maintain a safe level of carbon dioxide emissions during production. Maintaining a safe level of carbon dioxide emissions during production is, in the U.S.A., required for compliance with law or regulation.
Employees of an entity feel peer pressure to do the right thing; management appropriately deals with signs that problems exist and resolves the issues; and dealings with customers, suppliers, employees, and other parties are based on honesty and fairness. According to COSO, the above scenario is indicative of which of the following? Strategic goals Operational excellence Reporting reliability Tone at the top
Tone at the top Correct! Remember rat-a-tat-tat (Tat—tone at the top). Tone at the top is critical to internal control; this description evidences a strong tone at the top in this organization.
According to the Sarbanes-Oxley Act of 2002, anyone who knowingly alters, destroys, covers up, or makes a false entry in any record or document with the intent to obstruct or influence the investigation of any matter within the jurisdiction of any department or agency of the United States may be fined and/or imprisoned for up to: Five years. Ten years. Fifteen years. Twenty years.
Twenty years. Correct! This is the maximum punishment for making a false entry with intent to obstruct an investigation.
Consider the following two items, which are included in a risk report received by the CEO of Kiki's Delivery Service, a global transportation and logistics company. #1: IT reports 17 incidents of denied attempts to access the system. #2: IT analysis indicates a 5% probability of a level 2 system breach within the next 3 months. Item #1 is a __________ while item #2 is a __________. key performance indicator; key risk indicator portfolio view of risk, risk profile view key risk indicator; key performance indicator risk profile view; portfolio view of risk
key performance indicator; key risk indicator Correct! The historical analysis of system breaches is a key performance indicator while the analysis of the likelihood (5% probability) and severity (level 2 breach) of the risk is a key risk indicator.
Consider the following two descriptions: They help an entity create and maintain reliable data. They include models, policies, rules, or standards that determine which data is collected and how it is stored, arranged, integrated, and used in systems and in the organization. In relation to COSO's ERM framework related to leveraging information systems, statement 1 relates to ______________ while statement 2 relates to ____________________. data and information governance; processes and controls data and information governance; data management architecture processes and controls; data and information governance processes and controls; data management architecture
processes and controls; data management architecture Correct! Statement 1 is related to processes and controls (which help an entity create and maintain reliable data). Statement 2 is related to data management architecture, which refers to the fundamental design of the technology and related data.
In ERM, ______ focuses on the development of strategy and goals while _____ focuses on the implementation of strategy and variation from plans. tolerance; triggers key indicators; risk appetite risk appetite; tolerance internal control; portfolio view of risk
risk appetite; tolerance Correct! Risk appetite is the amount of risk an organization accepts in pursuit of a strategy and value. Risk appetite is focused on strategy and goals. Tolerance sets the boundaries of acceptable performance; it is related to strategy implementation and variation from plans.
Data from ______________ is typically structured, while data from ________ is typically unstructured. board meeting minutes; a governmental water scarcity report that is used by a beverage company staffing increases or decreases due to restructuring; email about decision making and performance. emerging interest in a new product from a competitor; an entity's risk tolerance marketing reports from website tracking services; government-produced geopolitical reports and studies
staffing increases or decreases due to restructuring; email about decision making and performance. Correct! Staffing data are typically structured; email is unstructured (text).
Management of Warren Company has decided to respond to a particular risk by hedging the risk with futures contracts. This is an example of risk Avoidance. Acceptance. Reduction. Sharing.
Sharing. Hedging involves sharing the risk with another party.
Match the statements below with the associated categories in ERM: We will improve the quality of life of ... We will be known for outstanding ... We will treat our customers and employees with respect ... 1 core values, 2 risk appetite, 3 mission 1 strategy, 2 values, 3 vision 1 tolerance, 2 mission, 3 appetite 1 mission, 2 vision, 3 core values
1 mission, 2 vision, 3 core values Correct! "Improving the quality of life" is appropriate for a mission statement since many such statements include the verb "improving." "We will be known for outstanding ..." is a vision statement since the desire to be known for something is often a vision statement aspiration. "We will treat our customers and employees with respect" is a statement of behavior and is therefore best characterized as a statement of core values.
An international manufacturing company has the following three statements in its enterprise risk management documents. Please identify the concepts in the COSO ERM framework that these statements best represent. The annual acceptable number of factory accidents will be between zero and four. We will not invest in cybercurrencies, e.g., bitcoin. We commit to investing at least 15% of the capital budget in emerging artificial intelligence projects. 1. risk floor, 2. risk ceiling, 3. risk range 1. risk range, 2. risk ceiling, 3. risk floor 1. target risk, 2. risk ceiling, 3. risk range 1. risk floor, 2. risk ceiling, 3. target risk
1. risk range, 2. risk ceiling, 3. risk floor Correct! Statement 1 states a range of risks and hence is a risk range. Statement 2 identifies an activity (investing in cybercurrencies) that is considered too risky and hence is a risk ceiling. Statement 3 identifies a minimum level of risk that is consistent with the organization's risk tolerance; hence, it is a risk floor.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence? Preventive. Corrective. Application. Detective.
Application. This answer is correct because application controls apply to a particular application or process.
Which statement is not one of the objectives of internal control as included in the definition of internal control developed by the Committee of Sponsoring Organizations (COSO)? Asset safeguarding. Compliance. Financial reporting. Operations.
Asset safeguarding. This answer is correct. Auditing standards include objectives to provide reasonable assurance regarding the achievement of objectives in three categories: (1) reliability of financial reporting, (2) effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
Which of the following statements of risk appetite related to factory floor accidents is acceptable? "Low" " < 3 per year" Neither Both "Low" but not " < 3 per year." " < 3 per year" but not "Low."
Both Correct! Yes. Risk appetite may be stated either in words (e.g., "low") or in numbers (" < 3 per year"). Hence, both statements of risk are acceptable.
The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? Control baseline but not change management Change management but not control baseline Neither control baseline nor change management Both control baseline and change management
Both control baseline and change management Correct! This is a substantial change; hence it will affect both the assessment of the control baseline and assessment of changes in that baseline (i.e., "change management").
According to COSO, the use of ongoing and separate evaluations to establish a new baseline after changes have been made can best be accomplished in which of the following stages of the monitoring-for-change continuum? Control baseline. Change identification. Change management. Control revalidation/update.
Change management. The change management stage involves evaluating the design and implementation of changes and establishing a new baseline.
Which of the following is not a limitation of an enterprise risk management system? Risk relates to the future that is uncertain. Collusion among two or more individuals can result in enterprise risk management failure. Companies cannot avoid risk. Enterprise risk management is subject to management override.
Companies cannot avoid risk. This answer is correct. This is a fact that results in the need to have enterprise risk management.
COSO's enterprise risk management framework encompasses each of the following, except Enhancing risk response decisions. Decreasing inherent risk appetite. Improving deployment of capital. Seizing opportunities.
Decreasing inherent risk appetite. Correct! COSO's enterprise risk management framework does not include a goal of decreasing inherent risk appetite. Instead, the organization's realized risk is assessed compared to its desired risk appetite.
Griswold Corp. is planning a data analytics program to manage the risk of vendor fraud in purchasing. Which of the following activities would occur last in this process? Determine the risk of management override of controls over purchases. Determine reporting procedures for vendor anomalies. Screen data to remove html tags from harvested vendor data. Validate scraped data to match to existing vendor files.
Determine reporting procedures for vendor anomalies. Correct! Determining reporting procedures is a part of the last (fifth) step of designing a data analytics plan. This procedure is part of determining escalation procedures when a problem is identified in data analysis.
Which of the following is not a limitation of internal control? Human judgment in decision making may be faulty. External forces may attack the system. Management may override internal control. Controls may be circumvented by collusion.
External forces may attack the system. (Correct!) This answer is the best answer because this is a business risk; it is not a limitation of internal control.
Adventureland, a start-up Pittsburgh theme park, has a series of meetings with its investors, management, and employees to help identify its risk culture. This initiative most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Governance and Culture Correct! Governance is the identification and allocation of roles, authorities, and responsibilities among stakeholders, including identifying the organization's risk culture. This is exactly the activity described in this scenario.
In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls except Establishing an effective and anonymous whistleblower program with which employees can feel comfortable reporting any irregularities. Establishing a corporate culture in which integrity and ethical values are highly appreciated. Having two officers who significantly influence management and operations. Having an effective internal auditor function.
Having two officers who significantly influence management and operations. Correct! Having two officers who significantly influence management and operations will not mitigate (i.e., reduce the likelihood of) a management override of controls; concentrating that much influence in two people, if anything, makes override easier. Hence, this is the correct answer.
Which of the following is an important threat to accountability in an organization's ERM practices? Excessive communication Hypocrisy (i.e., when management says one thing and does another) Escalation Deviations
Hypocrisy (i.e., when management says one thing and does another) Correct! Setting an appropriate tone at the top of both talking and acting consistent with organizational values is important to establishing accountability.
Which of the following is not a principle related to the component of the control environment? Demonstrate a commitment to integrity and ethical values. Demonstrate a commitment to attract, develop and retain competent individuals. Identify and assess changes that could significantly impact the system of internal control. Hold individuals accountable for their internal control responsibilities.
Identify and assess changes that could significantly impact the system of internal control. To identify and assess changes that could significantly impact the system of internal control is a principle of the risk assessment component.
In the COSO (2011) "cube" model, each of the following are components of internal control except Monitoring. Control activities. Operations control. Risk assessment.
Operations control. Operations control is not a component of internal control in the COSO model.
A change control process would likely not include which of the following? Change request form. Approval process. Outsourcing. Documentation.
Outsourcing. (Correct!) A change control process should include the use of change request forms, an approval process for changes, and appropriate documentation; however, outsourcing is not part of the design for a recommended change control process.
The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework? Governance and Culture Performance Strategy and Objective-Setting Information, Communication, and Reporting
Performance Correct! The listed activity concerns risk prioritization, which occurs in the performance component of ERM, not in the governance and culture component. The performance component is concerned with risk identification, assessment, and prioritization, which helps an organization achieve its strategy and business objectives.
Which of the following organizations was established by the Sarbanes-Oxley Act of 2002 to control the auditing profession? Information Systems Audit and Control Foundation (ISACF) IT Governance Institute (ITGI) Public Company Accounting Oversight Board (PCAOB) Committee of Sponsoring Organizations (COSO)
Public Company Accounting Oversight Board (PCAOB) Correct! SOX created the PCAOB to oversee the auditors of public companies (issuers).
__________ is a financial performance measure while ___________ is an operating performance measure. Profitability; regulatory compliance Discreteness; employment skill delivery Data velocity; data integrity Revenue; production yield
Revenue; production yield Correct! Revenue is a financial performance measure while production yield is an operating performance measure.
An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which of the following is the organization most likely to do? Review its internal control procedures. Investigate new technologies to improve product performance. Revise its tolerance and decrease its risk appetite Review its ERM practices.
Review its ERM practices. Correct! The organization should review its ERM practices to better understand why it misestimated the risks related to the new product.
Which of the following is not a component in the COSO framework for internal control? Control environment. Segregation of duties. Risk assessment. Monitoring.
Segregation of duties. Segregation of duties is a specific control activity; control activities is the COSO component of which it is a part.
Jim is responsible for setting system access parameters in Kentucky Fried Opossums' ERP system. Each month, he reviews any issues related to setting access parameters and writes a report about them. This type of monitoring is: Continuous. Self. Oversight. Supervisory.
Self. (Correct!) This is self-assessment or self-monitoring.
Layton Company has implemented an enterprise risk management system and has responded to a particular risk by purchasing insurance. Such a response is characterized by COSO's Enterprise Risk Management Framework as: Avoidance. Sharing. Acceptance. Reduction.
Sharing. This answer is correct. Sharing involves reducing risk likelihood or impact by transferring or sharing a portion of the risk.
Management of Johnson Company is considering implementing technology to improve the monitoring of internal control. Which of the following best describes how technology may be effective at improving internal control monitoring? Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. Technology can ensure that items are processed accurately. Technology can provide information more quickly. Technology can control access to terminals and data.
Technology can identify conditions and circumstances that indicate that controls have failed or risks are present. (Correct!) This answer is correct because monitoring involves collecting information to determine that controls are working.
The following statement is adapted from the annual report of a large corporation: "Overall responsibility for overseeing the management of risks, compliance with our risk management framework and risk appetite lies with _______." The CEO The board of directors Management The risk management team
The board of directors Correct! The ultimate responsibility for these ERM components rests with the board of directors.
Which of the following statements is correct regarding the requirements of the Sarbanes-Oxley Act of 2002 for an issuer's board of directors? Each member of the board of directors must be independent from management influence, based on the member's prior and current activities, economic and family relationships, and other factors. The board of directors must have an audit committee entirely composed of members who are independent from management influence. The majority of members of the board of directors must be independent from management influence. The board of directors must have a compensation committee, a nominating committee, and an audit committee, each of which is composed entirely of independent members.
The board of directors must have an audit committee entirely composed of members who are independent from management influence. Correct! SOX requires that a public company's entire audit committee be independent.
Which of the following internal control components includes the factor of management's philosophy and operating style? Control activities. The control environment. Risk assessment. Monitoring.
The control environment. This answer is correct. Management's philosophy and operating style is a factor of the control environment.
Frequently, in an organization with a dual board of directors' structure, The management committee oversees strategy while the governing board oversees operations. The management board oversees operations while the governing board oversees strategy. The under-board oversees operations while the over-board oversees strategy. The management board manages the risk portfolio while the chief risk officer coordinates risk.
The management board oversees operations while the governing board oversees strategy. Correct! In an organization with a dual board structure, the management board usually oversees operations while the supervisory (governing) board oversees strategy.
The Buy N Large Company is a diversified, multinational consumer and wholesale products company. Which of the following is least likely to be a consideration in defining the company's risk appetite related to sustainability and climate change risk? The resources (e.g., financial and human) available to manage the risks. The method of communicating the risks to internal stakeholders. The risk profile. The risk capability.
The method of communicating the risks to internal stakeholders. Correct! The method of communicating the risks to internal stakeholders is unlikely to influence the company risk appetite related to sustainability and climate change risk.
Which of the following is not a risk of a strategy of a car rental company? Customer accident and damage incidents may be higher than expected. Customers may choose only low-margin cars and options. The organization has a well-defined plan to achieve its mission and vision and apply its core values. Cars may be stolen.
The organization has a well-defined plan to achieve its mission and vision and apply its core values. Correct! This is the definition of strategy, not a risk of a strategy.
In a risk-aware organization, The organizational culture is independent of management. The organizational culture will be risk averse. Investments in unproven technologies will be minimized. The organizational culture is closely linked to the organization's strategy, objectives, and business context.
The organizational culture is closely linked to the organization's strategy, objectives, and business context. Correct! In a risk-aware organization, the culture will be created by a close and careful analysis of the organization's strategy, objectives, and business context.
According to the COSO internal control framework, if an organization outsources certain activities within the business to an outside party: Responsibility also transfers to the outside party. The responsibilities never transfer to the outsourced party. The responsibilities only transfer if the outside party explicitly agrees to accept responsibility. The organization is no longer accountable for the outsourced activities.
The responsibilities never transfer to the outsourced party. (Correct!) Activities of an organization may be outsourced, but the responsibilities never transfer to the outsourced party. Management is never relieved of ultimate responsibility or accountability.
An entity reviews its ERM practices. Which question is the organization least likely to investigate as a part of this review? What is the relationship between our strategy and objectives? How did the entity perform? Are we taking sufficient risks to attain desired performance? Were risk estimates accurate?
What is the relationship between our strategy and objectives? Correct! A review of ERM practices primarily focuses on realized versus targeted risk. This question is tangential to investigating realized versus targeted risks.
Lott's Pot, Pots, and Pottery, located in Colorado, hosts parties where customers sample high-end cannabis products (by smoking, eating candy, or in aerial diffusers) while making pots and pottery (clever idea, right?). In assessing the company's business strategy, which of the following risks would be least important? Does our business strategy align with our mission? Does our business strategy align with our core values? Do we understand the risks of our strategy? Will we achieve the goals that we have set?
Will we achieve the goals that we have set? Correct! According to COSO, assessing whether the organization will achieve its goals is the least important risk, of those listed, in the assessment of strategy.
While both views highlight risk severity, the _______ view of risk is from the entity-wide level while the _______ view of risk is from the perspective of units or levels within the entity. incident, root cause root cause, incident portfolio, profile profile, portfolio
portfolio, profile Correct! The portfolio view of risk is from the entity-wide perspective while the profile view of risk is from the level of units or levels within the entity.
McDowell's fast food (motto: our hamburger buns got no sticky, icky sesame seeds!) determines that its financial performance for the recently ended year evidences a different risk profile than that which was expected. In response to this finding, the company should: expand its risk tolerance. revise its mission, vision, and core values. review its strategy and business objectives. reassess the costs and benefits of risk analysis.
review its strategy and business objectives. Correct! The company's review of ERM practices needs to focus on understanding why the risk profile differed from the expected risk profile. Reviewing the strategy and business objectives will be helpful to understanding why the risk profile differed from expected.