Becker questions pt.2
A company is conducting a risk analysis on a project. One task has a risk probability estimated to be 0.15. The task has a budget of $35,000. If the risk occurs, it will cost $6,000 to correct the problem caused by the risk event. What is the expected monetary value of the risk event?
$900
Controls in the information technology area are classified into the preventive, detective, and corrective categories. Which of the following is a preventive control?
Access control software.
Which of the following best describes a hot site?
Location that is equipped with necessary hardware and possibly software.
General controls in an information system include each of the following except:
Logic tests.
All of the following management activities of the Falco Insurance Group, Inc. are evidence of the ongoing monitoring of internal controls built into the company's system, except:
The CFO updates the audit committee on status of internal controls.
Management has carefully evaluated the likelihood and impact of events on its foreign operations. In the event of a 3 percent variation in exchange rate, the impact is estimated at $10 million without any action taken by management and $4 million if the company purchases a hedge instrument. The impact of the residual risk of changes in foreign currency exchange on achieving the company's business objectives is:
$4 million.
A member of the audit committee is evaluating the following risk matrix for a company: (Picture not included) Using statistical risk ranking methodology, which of the following lists of risks is correctly prioritized?
3, 4, 2, 1
An internal auditor is considering a client's organizational structure as it affects the ethical climate established by company management. Each of the following considerations is valid in this regard, except:
A company that is highly centralized will have a more diverse ethical culture than a company that is decentralized.
According to COSO, which of the following activities provides an example of a top-level review as a control activity?
A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.
According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is:
A manager within the department.
Which of the following spreadsheets most likely has the highest risk of data integrity errors?
A spreadsheet into which the controller enters summary daily sales data from a printed report of an automated accounting system.
A manufacturer actively monitors a foreign country's political events whenever a supply chain disruption occurs within the country that exceeds 90 days. According to the COSO Enterprise Risk Management principles, the manufacturer is following which of the following risk-response strategies?
Accept
Able Corporation owns numerous businesses along the coast of Florida. The company's management has identified business interruption events as a potential risk resulting from storm damage caused by hurricanes. The company elects to treat the potential damage from hurricanes as part of its business model. Able's response to potential risks is known as:
Acceptance
According to COSO, the difference between inherent risk and residual risk arises because of the management's:
Actions to reduce the inherent risk.
According to COSO, the proper tone at the top helps a company to do each of the following, except:
Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors.
Which of the following configurations of elements represents the most complete disaster recovery plan?
Alternate processing site, backup, and offsite storage procedures, identification of critical applications, test of the plan.
Which of the following is a violation of segregation of duties in internal control?
An employee enters and approves purchase orders.
The strategy and objective-setting component of COSO's Enterprise Risk Management framework is supported by which of the following principles?
Analyzes business context
The governance and culture component of COSO's Enterprise Risk Management framework is supported by all the following principles except:
Analyzes business context.
An entity's recording and reporting processes are highly automated, and the information system produces much of the information used for monitoring controls. Which of the following statements is correct regarding the entity's monitoring of controls?
Any errors in the information provided by the system could lead management to incorrect conclusions regarding controls.
Which of the following types of control plans is particular to a specific process or subsystem, rather than related to the timing of its occurrence?
Application
According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except:
Approval of high-dollar transactions by supervisors.
Which of the following sets of duties would not be performed by a single individual in a company with the most effective segregation of duties in place?
Approving sales returns on customers' accounts and depositing customers' checks in the bank.
Which of the following is not a goal of an Enterprise Risk Management framework (ERM)?
Avoid adverse publicity and damage to the entity's reputation.
Able Corporation owns numerous businesses along the coast of Florida. The company's management has identified business interruption events as a potential risk resulting from storm damage caused by hurricanes. Management is so fearful of the possibility of storm damage that it elects to divest the company of virtually all properties on the Florida coast. Able's response to potential risks is known as:
Avoidance
An employee obtains a blank check, makes it payable to a fictitious company, and then cashes it. Each of the following internal control procedures should prevent this threat to the expenditure cycle, except:
Bank reconciliations.
An entity doing business on the Internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information, except:
Batch processing.
Which of the following IT controls would a company appropriately use to mitigate the risk of unauthorized access to its payroll data?
Biometric devices
What is a major disadvantage to using symmetric encryption to encrypt data?
Both sender and receiver must have the private key before this encryption method will work.
Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without a monitoring or quality assurance function. This is considered a deficiency in which of the following areas?
Change control.
Which of the following controls would most likely ensure that an entity can reconstruct its financial records?
Cloud-based backup copies of financial records.
To maintain effective segregation of duties within the information technology function, an application programmer should have which of the following responsibilities?
Code approved changes to a payroll program.
Which of the following terms refers to a site that has been identified and maintained by the organization as a data processing disaster recovery site but has not been stocked with equipment?
Cold
The fraud triangle includes each of the following, except:
Collusion
According to COSO's Enterprise Risk Management Framework, which of the following is an essential element of the governance and culture?
Commitment to core values
Which of the following types of business planning focuses on how a company can most effectively restore business operations following a disaster?
Continuity planning.
A threat to an information system with a total potential dollar-loss impact of $7 million has been discovered. The risk of loss to the identified threat is currently 10 percent. The following four proposed controls are under consideration to mitigate the risk of the loss: (Picture not included) Based on a cost-benefit analysis, which control provides the greatest net benefit?
Control Y
A company has established and communicated baseline expectations for performance to all employees. The company's action demonstrates a focus on which of the following components of the COSO Internal Control framework?
Control environment
Which of the following areas of responsibility would normally be assigned to a computer programmer?
Creating a computer program based on a design.
The core values of an entity most closely correlate with its:
Culture
If an organization wants to securely send confidential information by scrambling plaintext found in the message into ciphertext to make it unreadable for anyone other than the recipient, it is implementing:
Data encryption.
Which of the following information technology (IT) departmental responsibilities should be delegated to separate individuals?
Data entry and application programming.
All of the following are different types of reporting risk that an accountant must recognize as threats to accuracy of reports, except:
Data integrity risk.
COSO's enterprise risk management framework encompasses each of the following, except:
Decreasing inherent risk appetite.
Kamp Sporting Goods seeks to establish a code of conduct that will communicate the "tone at the top" to all employees. The contents of the code will likely include all of the following, except:
Definitions of common sense approaches to software piracy to ensure that the company is competitive.
An internal audit manager requested information detailing the amount and type of training that the IT department's staff received during the last year. According to COSO, the training records would provide documentation for which of the following principles?
Demonstrating a commitment to retain competent individuals in alignment with objectives.
What is the role of the systems analyst in an IT environment?
Designing systems, preparing specifications for programmers, and serving as intermediary between users and programmers.
Review of the audit log is an example of which of the following types of security control?
Detective
A company's accounts payable clerk obtained the payroll supervisor's computer password. The clerk then used the password to obtain unauthorized access to the company's payroll files. Any of the following can be used to prevent such unauthorized access to the payroll files, except:
Digital signature.
A company switches all processing to an alternative site, and staff members report to the alternative site to verify that they are able to connect to all major systems and perform all core business processes from the alternative site. Which of the following best identifies the activities performed by the staff?
Disaster recovery planning.
Each of the following is a limitation of enterprise risk management (ERM), except:
ERM can provide absolute assurance with respect to objective categories.
According to COSO, management should be concerned with the effectiveness of the monitoring processes of an entity regarding internal controls over financial statement preparation for each of the following reasons, except:
Effective monitoring assists those charged with governance to ensure that the entity meets its operating and financial expectations.
During the process of electronically transmitting data, which of the following IT controls would provide the most assurance that unauthorized disclosure of sensitive information would be prevented?
Encryption
According to COSO, establishing, maintaining, and monitoring an effective internal control system can do each of the following, except:
Ensure an entity's financial survival.
When risk is evaluated, which of the following risk responses is generally considered a sharing response?
Entering into syndication agreements.
According to COSO, which of the following issues should lead to the greatest concern regarding the effectiveness of an entity's internal control?
Errors from control failures that were not detected timely by the routine monitoring procedures.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least?
Errors in employees' overtime computation
A company has a significant e-commerce presence and self-hosts its web site. To assure continuity in the event of a natural disaster, the firm should adopt which of the following strategies?
Establish off-site mirrored web server.
According to COSO what is the first ongoing monitoring step in evaluating the effectiveness of an internal control system?
Establishing a control baseline
The Enterprise Risk Management Integrated Framework states that an organization must identify events, both positive and negative, as part of its risk management program. Which of the following is true with regard to events?
Event identification occurs after the development of objectives.
The external auditors for the Horace Company assess the achievement of internal control objectives each year and communicate the assessment to management and the board. Communication by the external auditor illustrates which principle of the information and communication component of the Committee of Sponsoring Organizations' Integrated Framework?
External Communication
Which of the following positions best describes the nature of the Board of Directors of XYZ Co.'s relationship to the company?
Fiduciary
A company that retains a CPA with the appropriate knowledge, skills, and abilities to prepare timely and effective financial reporting is applying the ideas from which principle of effective internal controls over financial reporting?
Financial reporting competencies
Which of the following risks can be minimized by requiring all employees accessing the information system to use passwords?
Firewall vulnerability
The system of user identification and authentication that prevents unauthorized users from gaining access to network resources is called a:
Firewall.
A company's performance guidelines set a limit of 3 percent unfavorable material usage variance for its production facility. In applying the COSO Enterprise Risk Management framework, which of the following principles most closely aligns with the establishment of this performance guideline?
Formulating business objectives.
A digital signature is used primarily to determine that a message is:
From an authentic sender.
Which of the following statements best describes the importance of segregation of duties?
Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud.
According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which of the following components of enterprise risk management addresses an entity's commitment to core values?
Governance and Culture
As an organization commits to attracting, developing, and retaining capable individuals, it is supporting which of the following components of COSO's Enterprise Risk Management framework?
Governance and culture
Which of the following pairs of techniques best provides for roughly the same level of assurance about the enforceability of a digitally signed transaction as an inked signature provides for a paper-based transaction?
Hashing and asymmetric encryption
In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls, except:
Having two officers who significantly influence management and operations.
The Daphne Corporation evaluates employees with responsibilities for financial reporting for fulfillment of those responsibilities for compensation and promotion purposes. The company's policies support the idea that:
Human Resources practices should be designed to facilitate effective internal control over financial reporting.
Which of the following statements is (are) correct for access controls? I. Access controls limit access to program documentation, data files, programs, and computer hardware. II. Passwords should consist of words that can be found in a common dictionary and should be of a maximum length so that they can be easily remembered. III. A backdoor is a means of access to a program or system that bypasses normal security mechanisms. Backdoors should be maintained so that there can be quick access to the system or program for emergency situations.
I only is correct.
Which of the following procedures is most important to include in the disaster recovery plan for an information technology department?
Identification of critical applications
The performance component of the COSO's Enterprise Risk Management framework is supported by which of the following principles?
Identifies risks
Hidelt Company uses data encryption for certain key data in its application systems. Which of the following statements is correct with respect to data encryption?
In asymmetric encryption, a public key is used to encrypt messages. A private key is normally used to decrypt the message at the other end.
Which of the following is an essential detective element of any IT control system for a management information system (MIS)?
Incident alert reporting
According to COSO, an effective approach to monitoring internal control involves each of the following steps, except:
Increasing the reliability of financial reporting and compliance with applicable laws and regulations.
Which method of backup involves copying only the data items that have changed since the last backup?
Incremental
An organization has decided to implement a backup system that involves copying only the data items that have changed since the last backup. What type of backup is this system called?
Incremental backup
Company management completes event identification and analyzes the associated risks. The company wishes to assess its risk in the absence of any actions management might take to alter either the risk's likelihood or impact. According to COSO, which of the following types of risk does this situation represent?
Inherent Risk
Which of the following strategies involving systems design is most likely to provide the best result from the standpoint of ensuring effective control procedures?
Integrating general and application control procedures into the components as part of the basic design.
In a large public corporation, evaluating internal control procedures should be the responsibility of:
Internal audit staff who report to the board of directors.
In an e-commerce environment that requires that the information technology (IT) system be available on a continuous basis, more emphasis will be placed on which of the following aspects of the planning than in a traditional organization?
Maintain redundant systems for instant availability to assure the flow of transactions.
According to COSO, which of the following identifies the group directly responsible for the implementation and development of the enterprise risk management framework?
Management
According to COSO, an executive's deliberate misrepresentation to a banker who is considering whether to make a loan to an enterprise is an example of which of the following internal control limitations?
Management override
Within the COSO Internal Control--Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?
Monitoring
An organization requires both a password and a numerical key generated on a smartphone for its users to log in to the intranet. This is referred to as:
Multifactor authentication.
The Gotham Corporation regularly produces budget vs. actual data for its managers. The company is particularly sensitive to personnel costs, and division variances of greater than five percent for any period are promptly investigated to determine if budgeted positions have not been filled or if there has been extraordinary overtime. Timely exception resolution of this character illustrates the information and communication principles typically associated with:
Obtain and Use Information
A company that maintains a strong internal audit function that reports directly to the Board of Directors is applying the ideas from which principle of effective internal control over financial reporting?
Organizational structure
The ability of an entity to withstand the impact of large-scale events refers to:
Organizational sustainability.
Which of the following is true regarding Public Key Infrastructure (PKI)?
PKI refers to the system and processes used to issue and manage asymmetric keys and digital certificates.
Which of the following items is one of the five components of COSO's Enterprise Risk Management framework?
Performance
An organization has installed an uninterruptible power supply at its facility. This can most accurately be categorized as what type of control?
Physical control
According to COSO, which of the following is included in the assess-and-report phase of an effective approach to monitoring internal controls?
Prioritize findings.
The Treadway Commission was established to study factors that lead to fraudulent financial reporting. The Treadway Commission was established by:
Private sponsoring organizations.
A company's financial reporting system has a process management feature to provide workflow control. This feature allows the division accounting staff to input and review data and send the data to the company's corporate office for final review and approval. What security access, if any, should be granted to the division accounting staff once the data has been sent to the corporate office for approval?
Read but not write.
Able Corporation owns numerous businesses along the coast of Florida. The company's management has identified business interruption events as a potential risk resulting from storm damage caused by hurricanes. The company elects to balance its portfolio of risk with property investments on the coasts of other states and in Florida's interior. Able's response to potential risks is known as:
Reduction
Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management's response to the risk. According to COSO, which of the following types of risk does this situation represent?
Residual risk
Which of the following statements presents an example of a general control for a computerized system?
Restricting access to the computer center by use of biometric devices.
Which of the following activities would likely detect computer-related fraud?
Reviewing the systems-access log.
Which of the following represents the procedure managers use to identify whether the company has information that unauthorized individuals want, how these individuals could obtain the information, the value of the information, and the probability of unauthorized access occurring?
Risk assessment
According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which of the following components of the internal control integrated framework addresses an entity's financial reporting objectives?
Risk assessment.
Which of the following statements regarding risk management is incorrect?
Risk control includes everything that could go wrong throughout the project plan.
A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?
Risk reduction
According to the COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in:
Risks
In which of the following locations should a copy of the accounting system data backup of year-end information be stored?
Secure off-site location.
ITGC Inc. starts some of its IT employees in a position that deals with user access controls and exposes them to the organization's network infrastructure. After six months, ITGC moves those employees into a position in which they design software programs based on user needs. These employee responsibilities best reflect the following job roles, respectively:
Security administrator; system analyst
Computing Corp. just hired Janice Thompson as its new security administrator. This role will allow Janice to grant access to the system for the appropriate personnel. Janice is also a talented computer programmer, and because Computing Corp. needs a new programmer, it has agreed to pay Janice more to take on that role as well. This violates what type of control?
Segregation of duties
Which of the following statements best characterizes the function of a physical access control?
Separates unauthorized individuals from computer resources.
The internal auditor who works in enterprise risk management (ERM) performs each of the following activities, except:
Setting the risk appetite of the organization.
Able Corporation owns numerous businesses along the coast of Florida. The company's management has identified business interruption events as a potential risk resulting from storm damage caused by hurricanes. The company elects to not only insure its properties but to "buy down" standard deductibles with additional premium. Able's response to potential risks is known as:
Sharing
Due to 50 percent store growth year after year, monitoring internal controls at a national retail chain has come under tremendous pressure. According to COSO, which of the following responses would be appropriate under the circumstances to help restore effective monitoring?
Shifting most of the monitoring responsibility to store managers and district managers.
Auburndale Corporation has a corporate compliance program that allows employees the option of anonymously reporting violations of laws, rules, regulations, policies or other issues of abuse through a hotline. Reported issues are reviewed by the internal audit and either immediately forwarded to the CEO or summarized and reported to the CEO each month. The program also provides opportunities to report through supervisory channels and includes a biannual training class that all employees must complete. The corporate compliance program demonstrates that:
Sound integrity and ethical values are developed and understood and set the standard of conduct for financial reporting.
The Carlton Corporation publishes an Employee Handbook that contains employee responsibilities for moral behavior including a code of conduct. Each year, employees must acknowledge their receipt of the handbook, their understanding of the code, and if they have any awareness of non-compliance within the company. The policies would indicate:
Sound integrity and ethical values are developed and understood and set the standard of conduct for financial reporting.
Splendora Corporation, a corporation headquartered in Texas, is in the energy business. Since large amounts of money are involved, Splendora needs to have tight security for its data and application systems. Which of the following statements about its security does not indicate weakness in the security?
Splendora has a mechanism to disable accounts when an employee leaves the company.
Which of the following procedures would an entity most likely include in its disaster recovery plan?
Store duplicate copies of files in a location away from the computer center.
The mission and vision of an organization most closely correlate with an entity's:
Strategy
As an organization defines its risk appetite, it is supporting which of the following components of COSO's Enterprise Risk Management framework?
Strategy and objective-setting
An issuer's board of directors would ordinarily participate in each of the following activities, except:
Supervising and monitoring the quality-control testing upon the installation of a new information technology system.
An organization houses its network servers at a facility within a known floodplain. It decided to raise the floors in the room where the network servers reside to avoid flood damage. This is an example of what type of control?
System availability control
When implementing or developing a new software system, the first job role to start the process is most likely which of the following?
Systems analyst
As a matter of policy, all correspondence to or from regulatory auditors received by the management of the Barclay Corporation is provided to the Barclay Corporation audit committee and the corporation's full board as needed. In assessing entity-wide controls, management must conclude:
The Board of Directors understands and exercises oversight responsibility related to financial reporting and related internal control.
Which of the following is not a true statement of user access?
The Information Officer does not need to know about position promotions, demotions, or lateral moves.
The Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations (COSO) is best defined as:
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
A company has in place an authentication system that requires users to enter a log-on name and password. In an effort to strengthen this method of authentication, the company's chief information officer (CIO) asked the technology steering committee to recommend a biometric control for the authentication process. Which of the following committee recommendations best meets the requirement of the CIO?
The installation of fingerprint scanners on all workstations.
Generally, an organization will not operate beyond the limits of its risk appetite. Risk appetite has generally been exceeded when:
The likelihood and impact of negative events significantly exceed residual risks.
A company's purchasing department creates purchase orders based on electronic requests sent by operations. These requests are approved by operations, and no further approvals are required to place a purchase order. Purchasing clerks key the order information, including vendor names and prices, into the purchasing system based on the electronic requests. Which of the following is the best control to ensure that orders are entered accurately?
The purchasing system compares vendor information and prices entered by the clerks to master vendor and pricing data and rejects variances.
According to the COSO Enterprise Risk Management-Integrated Framework, uncertainty in enterprise risk management refers to:
The state of not knowing how or if potential events may manifest.
Internal controls are likely to fail for any of the following reasons, except:
They are designed and implemented properly, and their design changes as processes change.
What is the primary objective of data security controls?
To ensure that storage media are subject to authorization prior to access, change, or destruction.
The Committee of Sponsoring Organizations prepared the Internal Control Integrated Framework:
To help businesses assess internal control.
Which of the following describes the primary purpose of a disaster recovery plan?
To specify the steps required to resume operations.
According to the COSO Enterprise Risk Management-Integrated Framework, each of the following is considered by management as part of a risk assessment, except:
Unknown risk
When a client's accounts payable computer system was relocated, the administrator provided support through a virtual private network (VPN) connection to a server. Subsequently, the administrator left the company. No changes were made to the accounts payable system at that time. Which of the following situations represents the greatest security risk?
User accounts are not removed upon termination of employees.
The successful and profitable launch of a new product line by an entity represents:
Value creation.
Arbor Fashions launched a line of accessories to accompany its successful line of blouses and slacks. The company's accessory line was unsuccessful and was discontinued six months after launch. The failure of Arbor's new product line represents:
Value erosion.
A company's ability to maintain market share with high customer satisfaction and sustained profitability is an example of:
Value preservation.
Baker Corp. paid a dividend to its shareholders following the achievement of record profits. Dividend distributions represent:
Value realization.