CIA Exam Part 1 Sub-Unit 6

Internal auditors regularly evaluate controls. Which of the following best describes the concept of control as recognized by internal auditors? A. Management takes action to enhance the likelihood that established goals and objectives will be achieved. B. Control procedures should be designed from the "bottom up" to ensure attention to detail. C. Management regularly discharges personnel who do not perform up to expectations. D. Control represents specific procedures that accountants and internal auditors design to ensure the correctness of processing.

Answer (A) is correct. A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved (The IIA Glossary).

Which one of the following input controls or edit checks would catch certain types of errors within the payment amount field of a transaction? A. Limit check. B. Record count. C. Check digit. D. Echo check.

Answer (A) is correct. A limit, reasonableness, or range test determines whether an amount is within a predetermined limit for given information. It can only detect certain errors (i.e., those that exceed the acceptable limit).

Internal control can provide only reasonable assurance that the organization's objectives will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives is that A. The cost of internal control should not exceed its benefits. B. Management monitors performance. C. The board is active and independent. D. The internal auditor's primary responsibility is the detection of fraud.

Answer (A) is correct. A limiting factor is that the cost of internal control should not exceed its expected benefits. Thus, the potential loss associated with any exposure or risk is weighed against the cost to control it. Although the cost-benefit relationship is a primary criterion that should be considered in designing and implementing internal control, the precise measurement of costs and benefits usually is not possible.

The procedure requiring preparation of a prelisting of incoming cash receipts, with copies of the prelist going to the cashier and to accounting, is an example of which type of control? A. Preventive. B. Corrective. C. Detective. D. Directive.

Answer (A) is correct. A prelisting of cash receipts in the form of checks is a preventive control. It is intended to deter undesirable events from occurring. Because irregularities involving cash most likely take place before receipts are recorded, either remittance advices or a prelisting of checks should be prepared in the mailroom so as to establish recorded accountability for cash as soon as possible. A cash register tape is a form of prelisting for cash received over the counter. One copy of a prelisting will go to accounting for posting to the cash receipts journal, and another is sent to the cashier for reconciliation with checks and currency received.

Which of the following statements about internal control is true? A. A limitation of internal control is that management makes judgments about the extent of controls it implements. B. The establishment and maintenance of internal control are important responsibilities of the internal auditor. C. Exceptionally effective internal control is enough for the organization to achieve objectives. D. Properly maintained internal control reasonably ensures that collusion among employees cannot occur.

Answer (A) is correct. Because of inherent limitations, internal control, no matter how effective, can provide only reasonable assurance about achieving the entity's objectives. For example, when management designs and implements controls, it makes judgments about the nature and extent of (1) controls it implements and (2) the risks it assumes.

The COBIT 2019 control framework includes which governance system principle? A. Dynamic governance system. B. Controls for specific IT processes. C. Based on a conceptual model. D. Alignment with major standards.

Answer (A) is correct. COBIT 2019 expands on COBIT 5's key principles for a governance system applicable to IT governance to include six governance system principles and three governance framework principles. A COBIT 2019 governance system principle is that the governance system must be dynamic when dealing with a change in design factors (e.g., personnel, infrastructure, applications, etc.) and must be accompanied by consideration of its systemic effects.

The actions taken to manage risk and increase the likelihood that established objectives and goals will be achieved are best described as A. Control. B. Supervision. C. Quality assurance. D. Compliance.

Answer (A) is correct. Control is "any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved" (The IIA Glossary).

Which of the following is not a type of control? A. Reactive. B. Detective. C. Directive. D. Preventive.

Answer (A) is correct. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events which have occurred), or directive (to cause or encourage a desirable event to occur). "Reactive" is not a specified type of control. However, controls may be reactive in the sense that they detect an undesirable event and react to it or correct it.

An internal auditor is examining inventory control in a merchandising division with annual sales of $3,000,000 and a 40% gross profit rate. Tests show that 2% of the monetary amount of purchases do not reach inventory because of breakage and employee theft. Adding certain controls costing $35,000 annually could reduce these losses to .5% of purchases. Should the controls be recommended? A. No, because the cost of the added controls exceeds the projected savings. B. Yes, because the ideal system of internal control is the most extensive one. C. Yes, regardless of cost-benefit considerations, because the situation involves employee theft. D. Yes, because the projected saving exceeds the cost of the added controls.

Answer (A) is correct. Controls must be subject to the cost-benefit criterion. The annual cost of these inventory controls is $35,000, but the cost savings is only $27,000 {(2.0% - 0.5%) × [$3,000,000 sales × (1.0 - 0.4 gross profit rate)]}. Hence, the cost exceeds the benefit, and the controls should not be recommended.

Which of the following is not an objective of application controls? A. Establishing logical access controls over infrastructure, applications, and data. B. Maintaining a record to track the process of data from input to storage and to the eventual output. C. Confirming input data are accurate, complete, authorized, and correct. D. Processing data as intended in an acceptable time period.

Answer (A) is correct. Establishing logical access controls over infrastructure, applications, and data is an IT general control. According to IIA GTAG, application controls are those that pertain to the scope of individual business processes or application systems. The objective of application controls is to ensure that (1) input data are accurate, complete, authorized, and correct; (2) data are processed as intended in an acceptable time period; (3) data stored are accurate and complete; (4) outputs are accurate and complete; and (5) a record is maintained to track the process of data from input to storage and to the eventual output.

Each of the following is a method to evaluate internal controls based on the framework set by the Committee of Sponsoring Organizations (COSO), except A. Distinguishing economy risk from industry risk and enterprise risk. B. Identifying mitigating controls to prevent losses. C. Testing to determine whether the controls are operating effectively and have prevented losses in the past. D. Evaluating internal control systems that focus first on risk identification of specific losses.

Answer (A) is correct. Evaluating internal controls based on the COSO framework does not require distinguishing economic risk from industry risk and enterprise risk. Therefore, it is NOT a method to evaluate internal controls based on the COSO framework.

A company implements an enterprise resource planning application to help improve its financial and operational reporting while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of A. Change management. B. A social event. C. Segregation of duties. D. An economic event.

Answer (A) is correct. Hiring a specialized individual to help with the transition into a new enterprise resource planning application is a way to help manage the change. Thus, this is an example of change management.

Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control? A. Incompatible duties. B. Collusion among employees. C. Faulty judgment. D. Management override.

Answer (A) is correct. Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inevitable limitation of internal control. Segregation of duties is a category of control activities.

Manual controls would most likely be more suitable than automated controls for which of the following? A. Large, unusual, or nonrecurring transactions. B. Circumstances that require a high degree of accuracy. C. High-volume transactions that require additional calculations. D. Situations with routine errors that can be predicted and corrected.

Answer (A) is correct. Manual controls may be more suitable where judgment and discretion are required, such as (1) for large, unusual, or nonrecurring transactions; (2) for circumstances where misstatements are difficult to define, anticipate, or predict; (3) in changing circumstances that require a control response outside the scope of an existing automated control; and (4) in monitoring the effectiveness of automated controls.

Management has a role in the maintenance of control. In fact, management sometimes is a control. Which of the following most likely involves managerial functions as a control? A. Monitoring performance. B. Establishment of an internal audit activity. C. Board approval of the charter of the internal audit activity. D. Maintenance of a quality assurance program.

Answer (A) is correct. Monitoring is a component of the internal control. It is a process that assesses the quality of the system's performance over time. It consists of ongoing activities built into normal operations to ensure that they continue to be performed effectively. Supervision and other ordinary management functions, consideration of communications with external parties, and the actions of internal and external auditors are examples.

A restaurant chain has over 680 restaurants. All food orders for each restaurant are required to be entered into an electronic device that records all food orders by food servers and transmits the order to the kitchen for preparation. All food servers are responsible for collecting cash for all their orders and must turn in cash at the end of their shift equal to the sales value of food ordered for their I.D. number. The manager then reconciles the cash received for the day with the computerized record of food orders generated. All differences are investigated immediately by the restaurant. Organizational headquarters has established monitoring controls to determine when an individual restaurant might not be recording all its revenue and transmitting the applicable cash to the corporate headquarters. Which one of the following is the best example of a monitoring control? A. Management prepares a detailed analysis of gross margin per store and investigates any store that shows a significantly lower gross margin. B. Cash is transmitted to corporate headquarters on a daily basis. C. All food orders must be entered on the computer, and segregation of duties is maintained between the food servers and the cooks. D. The restaurant manager reconciles the cash received with the food orders recorded on the computer.

Answer (A) is correct. Monitoring is a process that assesses the quality of internal control over time. It involves assessment by appropriate personnel of the design and operation of controls and the taking of corrective action. Monitoring can be done through ongoing activities or separate evaluations. Ongoing monitoring procedures are built into the normal recurring activities of an entity and include regular management and supervisory activities. Thus, analysis of gross margin data and investigation of significant deviations is a monitoring process.

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum? A. Change identification. B. Control revalidation/update. C. Control baseline. D. Change management.

Answer (A) is correct. Of the four steps in the monitoring-for-change continuum described in the 2009 COSO document Guidance on Monitoring Internal Control Systems, change identification is the one in which separate and ongoing evaluations can best be accomplished.

Which of the following is an example of a detective control? A. The manager is given a check log reconciliation at the close of each business day. B. The staff accountant was warned about printing a check prior to receiving authorization. - corrective C. The accounting department has a procedure for voiding and issuing replacement checks.- directive D. Checks are pre-numbered and kept in a locked cabinet. - Preventive

Answer (A) is correct. Providing the manager with a check log reconciliation at the close of each business day is a detective control. A detective control uncovers an error or irregularity that has already occurred. It is designed to detect undesirable events. Examples of detective controls include physical counts, reconciliations, reviews and comparisons, exception reports, and security cameras.

A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? A. Errors in employees' overtime computation. B. Fraudulent reporting of employees' own hours. C. Recording of other employees' hours. D. Inaccurate accounting of employees' hours.

Answer (A) is correct. This internal control process is responsible for verifying that the correct employee enters the proper amount of time (s)he worked. This function is not responsible for applying pay rates to the amount of hours worked and therefore would not change any errors in overtime computations.

An auditor is concerned about management override as a limitation of internal control. Which of the following tests would best assess the validity of the auditor's concern? A. Verifying that approved spending limits are not exceeded. B. Reviewing minutes of board meetings. C. Matching purchase orders to accounts payable. D. Tracing sales orders to the revenue account.

Answer (A) is correct. To determine whether management has overridden approvals, the auditor should compare actual expenditures with budgeted amounts.

The use of financial statement analysis, quality control procedures, and employee performance evaluations are all examples of A. Concurrent controls. B. Feedback controls. C. Feedforward controls. D. Preliminary controls.

Answer (B) is correct. A feedback control operates to provide information about processes that have already occurred.

One objective of IT general controls is to A. Design controls based on the management functions of planning, organizing, directing, and controlling. B. Ensure the integrity of program and data files and of computer operations. C. Give primary consideration to authorization, validation, and error notification. D. Ensure that processing results are complete, accurate, and properly distributed.

Answer (B) is correct. According to IIA GTAG, IT general controls over information and related technologies are those that pertain to all systems components, processes, and data present in an organization's IT environment. The objectives of IT general controls are to ensure the appropriate development and implementation of applications as well as the integrity of program and data files and of computer operations. The most common IT general controls are (1) logical access controls over infrastructure, applications, and data; (2) system development life cycle controls; (3) program change management controls; (4) physical security controls over the data center; and (5) system and data backup and recovery controls.

An organization requires mutual respect among all employees. Making false, defamatory, or malicious statements about another employee is strictly prohibited. This policy is an example of controls at which level? A. Transaction-level controls. B. Entity-level governance controls. C. Process-level controls. D. Entity-level management oversight controls.

Answer (B) is correct. Entity-level governance controls are established by the board of directors at the highest level (governance level). They include organizational policies and procedures that define the entity's culture and communicate its expectations. Examples include IT policies, the code of conduct, oversight of controls, and setting the risk appetite. The requirement of mutual respect among all employees is an entity-wide policy related to the organizational code of conduct. It is therefore an entity-level governance control.

Which of the following represents an example of an inherent limitation of internal controls? A. Bank reconciliations are not performed on a timely basis. B. The CEO can override a control and request a check with no purchase order. C. Customer credit checks are not performed. D. Shipping documents are not matched to sales invoices.

Answer (B) is correct. Inherent limitations may exist and should be considered by the auditor. Human judgment can be faulty, controls can be circumvented by collusion, and management may inappropriately override controls. Thus, the CEO's requesting a check with no purchase order is possible because of an inherent limitation. It is an override of the internal control by management.

The primary responsibility for establishing and maintaining internal control rests with A. The internal auditors. B. Management. C. The controller or the treasurer. D. The external auditors.

Answer (B) is correct. Internal control is a process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Memo posting used by banks A. Is used as a compensatory control. B. Is used in batch processing. C. Corrects negative effects of unwanted events. D. Updates databases in online, real-time processing.

Answer (B) is correct. Memo posting is used by banks for financial transactions when batch processing is used. It posts temporary credit or debit transactions to an account if the complete posting to update the balance will be done as part of the end-of-day batch processing. Information can be viewed immediately after updating. Memo posting is an intermediate step between batch processing and real-time processing.

Which of the following control procedures does an internal auditor expect to find during an engagement to evaluate risk management and insurance? A. Required approval of all new insurance policies by the organization's CEO. B. Periodic internal review of the in-force list to evaluate the adequacy of insurance coverage. C. Policy of repetitive standard journal entries to record insurance expense. D. Cutoff procedures with regard to insurance expense reporting.

Answer (B) is correct. Obtaining insurance and periodically reviewing its adequacy are among management's responses to the findings of a risk assessment. Insurance coverage should be sufficient to ensure that the relevant assessed risks are managed in accordance with the organization's risk appetite.

An organization's directors, management, external auditors, and internal auditors all play important roles in creating a proper control environment. Senior management is primarily responsible for A. Implementing and monitoring controls designed by the board of directors. B. Establishing a proper organizational culture and specifying a system of internal control. C. Ensuring that external and internal auditors adequately monitor the control environment. D. Designing and operating a control system that provides reasonable assurance that established objectives and goals will be achieved.

Answer (B) is correct. Senior management is primarily responsible for establishing a proper organizational culture and specifying a system of internal control.

An internal auditor fails to discover an employee fraud during an assurance engagement. The nondiscovery is most likely to suggest a violation of the International Professional Practices Framework if it was the result of a A. Determination that any possible fraud in the area would not involve a material amount. B. Presumption that the internal controls in the area were adequate and effective. C. Failure to perform a detailed review of all transactions in the area. D. Determination that the cost of extending procedures in the area would exceed the potential benefits.

Answer (B) is correct. The internal audit activity evaluates the adequacy and effectiveness of controls (Impl. Std. 2130.A1). Moreover, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130). Thus, an internal auditor must not simply assume that controls are adequate and effective.

The internal audit activity's duties regarding internal control include A. Safeguarding assets. B. Promoting continuous improvement. C. Ensuring compliance with the law. D. Administering the system of controls.

Answer (B) is correct. The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement (Perf. Std. 2130).

According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization? A. Strengthening internal audit's ability to deter and report improper behavior. B. Demonstrating appropriate behavior by example. C. Removing pressures to meet unrealistic targets, particularly for short-term results. D. Specifying the competence levels for every job in an organization and translating those levels to requisite knowledge and skills.

Answer (B) is correct. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. Demonstrating appropriate behavior by example is the most effective method to transmit a message of ethical behavior throughout an organization.

One accountant is responsible for collecting cash receipts from the cashier, recording cash in the accounting system, and depositing cash in the organization's bank account. At which level is control lacking? A. Entity-level management oversight controls. B. Transaction-level controls. C. Process-level controls. D. Entity-level governance controls.

Answer (B) is correct. Transaction-level controls are designed to achieve transaction objectives and to address risks specific to transactions. Examples include application controls, exception reports, and segregation of duties. Because the same employee is responsible for cash custody and recordkeeping, segregation of duties does not exist. The organization therefore lacks transaction-level control.

When a copy of the sale invoice is not received by an organization's shipping department, an employee requests the document from the proper authority. This process is a(n) A. Detective, preventive control. B. Active, detective control. C. Passive, mitigating control. D. Directive, detective control.

Answer (B) is correct. When shipping documents are not received in the shipping department (such as copies of the sales invoice, customer order form, and bill of lading), the clerk should attempt to obtain the proper documentation from the originating organization. This type of control is detective because it detects and attempts to correct an undesirable event that has occurred. It is also active because it takes a conscious intervention by the clerk to ensure the documentation is received.

Which of the following best defines control? A. Control accomplishes objectives and goals in an accurate, timely, and economical fashion. B. Controls are statements of what the organization chooses to accomplish. C. Control is the result of proper planning, organizing, and directing by management. D. Control is provided when cost-effective measures are taken to restrict deviations to a tolerable level.

Answer (C) is correct. A control is "any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved" (The IIA Glossary). Thus, control is the result of proper planning, organizing, and directing by management.

Which of the following describes a characteristic of a control matrix? A. The data entered into an input field is compared to a table of valid values for that field. B. Transactions are accumulated for processing. C. More than one control may be needed to adequately address a single risk. D. Track the number of records processed by the system.

Answer (C) is correct. A control matrix is useful for matching controls with risks. Controls do not necessarily match risks one-to-one. Certain controls may address more than one risk, and more than one control may be needed to address a single risk.

An entity should consider the cost of a control in relationship to the risk. Which of the following controls best reflects this philosophy for a large dollar investment in heavy machine tools? A. Conducting a weekly physical inventory. B. Having all dispositions approved by the vice president of sales. C. Imprinting a controlled identification number on each tool. D. Placing security guards at every entrance 24 hours a day.

Answer (C) is correct. A controlled identification number on each tool and periodic checking allow for an effective control at reasonable cost.

Managerial control can be divided into feedforward, concurrent, and feedback controls. Which of the following is an example of a feedback control? A. Budgeting. B. Quality control training. C. Variance analysis. D. Forecasting inventory needs.

Answer (C) is correct. A feedback control measures actual performance, i.e., something that has already occurred, to ensure that a desired future state is attained. It is used to evaluate past activity to improve future performance. A variance is a deviation from a standard. Thus, variance analysis is a feedback control.

The internal audit activity of an organization is an integral part of the organization's risk management, control, and governance processes because it evaluates and contributes to the improvement of those processes. Select the type of control provided when the internal audit activity conducts a systems development analysis. A. Feedback control. B. Policies and procedures. C. Feedforward control. D. Strategic plans.

Answer (C) is correct. A feedforward control provides information on potential problems so that corrective action can be taken in anticipation, rather than as a result, of a problem.

Which of the following is the control component that reflects the attitude and actions of the board and management regarding the significance of control within the organization? A. Monitoring. B. Risk assessment. C. Control environment. D. Control activities.

Answer (C) is correct. According to the COSO model for internal control, the control environment reflects the attitude and actions of the board and management regarding the significance of control within the organization.

Specific airline ticket information, including fare, class, purchase date, and lowest available fare options, as prescribed in the organization's travel policy, is obtained and reported to department management when employees purchase airline tickets from the organization's authorized travel agency. Such a report provides information for A. Identifying costs necessary to process employee business expense report data. B. Supporting employer's business expense deductions. C. Quality of performance in relation to the organization's travel policy. D. Departmental budget-to-actual comparisons.

Answer (C) is correct. Comparison of actual performance against a standard provides information for assessing quality of performance.

According to COSO, which of the following is a compliance objective? A. To maintain accounting principles that conform to GAAP. B. To maintain adequate staffing to keep overtime expense within budget. C. To maintain a safe level of carbon dioxide emissions during production. D. To maintain material price variances within published guidelines.

Answer (C) is correct. Compliance objectives relate to adherence to laws and regulations. Maintaining a safe level of carbon dioxide emissions during production is an example.

Use of standard operating procedures as controls is most likely to be effective in an organization that has which of the following characteristics? A. A diverse product mix. B. An entrepreneurial focus. C. An aversion to risk. D. Effective leadership.

Answer (C) is correct. Controls are actions taken to manage risks, and a precondition to the existence of any control is an organization's desire to manage risks. The more risk averse an organization, the more likely its members will comply with controls. Accordingly, the use of standard operating procedures as controls is most likely to be effective in an organization that is risk averse.

An adequate and effective system of internal control provides reasonable assurance that objectives will be achieved. Controls may be preventive, detective, or directive. Which of the following is a detective control for the procurement function? A. The procurement function is organizationally separate from receiving, disbursing, and accounting. B. Review and approval of each procurement action is required prior to the final issuance of a purchase order. C. Goods received are counted and compared with quantities on purchase order and receiving reports. D. Prenumbered standard purchase order forms include all relevant terms required to be used in all applicable instances.

Answer (C) is correct. Detective controls are designed to detect and correct undesirable events that have occurred. Accounting for all goods received and comparing quantities on purchase orders and receiving reports is an example.

Internal control is a function of management, and effective control is based upon the concept of charge and discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control? A. Responsibility for accounting activities and duties must be assigned only to employees who are bonded. B. Responsibility for the accounting duties must be borne by the audit committee of the company. C. Responsibility for the performance of each duty must be fixed. D. Responsibility for accounting and financial duties should be assigned to one responsible officer.

Answer (C) is correct. Effective internal control may be obtained by decentralization of responsibilities and duties. Fixing the responsibility for each performance or duty makes it easier to trace problems to the person(s) responsible and hold them accountable for their actions.

An organization's policies and procedures are part of its overall system of internal controls. The control function performed by policies and procedures is A. Application control. B. Feedback control. C. Feedforward control. D. Implementation control.

Answer (C) is correct. Feedforward controls anticipate and prevent problems. Policies and procedures serve as feedforward controls because they provide guidance on how an activity should be performed to best ensure that an objective is achieved.

The operations manager of a company notified the chief financial officer of that organization 60 days in advance that a new, expensive piece of machinery was going to be purchased. This notification allowed the chief financial officer to make an orderly liquidation of some of the company's investment portfolio on favorable terms. What type of control was involved? A. Feedback. B. Concurrent. C. Feedforward. D. Strategic.

Answer (C) is correct. Feedforward controls provide for the active anticipation of problems so that they can be avoided or resolved in a timely manner. Another example is the quality control inspection of raw materials and work-in-process to avoid defective finished goods.

Which of the following is an inherent limitation in internal control? A. Incompatible duties. B. Lack of an audit committee. C. Faulty human judgment. D. Lack of segregation of duties.

Answer (C) is correct. Human judgment is faulty, and controls may fail because of human error.

An auditor is planning an audit of a company's recently implemented electronic data interchange (EDI) system for purchasing and billing. Which of the following controls over the accuracy of raw-material purchases would be least important in this environment? A. Controls contained within the EDI vendor software. B. Adequate audit trails. C. Management review of individual transactions. D. Computer system controls.

Answer (C) is correct. Management review of individual transactions (a manual control) is less important in an EDI system than automated controls applicable to all transactions.

Management's aggressive attitude toward financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when A. The audit committee is active in overseeing the entity's financial reporting policies. B. Internal auditors have direct access to the board of directors and entity management. C. Management is dominated by one individual who is also a shareholder. D. External policies established by parties outside the entity affect its accounting practices.

Answer (C) is correct. Management's philosophy and operating style is one factor affecting the control environment as described in the COSO model for internal control. Such characteristics as management's attitudes and actions toward financial reporting and its emphasis on meeting budget, profit, and other goals have a significant influence on the control environment, especially when management is dominated by one or a few individuals. When incentives or pressures are present to achieve certain performance goals, the auditor should heighten his or her concern about the possibility of fraud.

Within the COSO Internal Control - Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? A. Information and communication. B. Risk assessment. C. Monitoring. D. Control environment.

Answer (C) is correct. Monitoring is the process of assessing the quality of the system's performance over time. It is designed to ensure that internal controls continue to operate effectively.

Inherent limitations in internal control must be considered in evaluating its effectiveness in preventing or detecting errors and fraud. Inherent limitations or the effects of them do not include A. The inability to provide more than reasonable assurance. B. Simple error. C. Incompatible functions performed by the same person. D. Faulty human judgment in decision making.

Answer (C) is correct. No matter how well designed and operated, internal control can provide only reasonable assurance that entity objectives will be achieved. The likelihood of achievement is affected by such inherent limitations as faulty human judgment in decision making, simple error or mistake, collusion, and management override. The performance of incompatible functions, however, is a failure to separate duties properly, not an inevitable limitation of internal control. The separation of functional responsibilities is an important category of control activities.

Of the following, the controls that are often difficult for internal auditors to evaluate because of the lack of criteria or standards are A. Preventive controls. B. Financial controls. C. Operating controls. D. Corrective controls.

Answer (C) is correct. Operating controls are those used in the management processes of directing and controlling and are based on comparison of results with standards. As an activity becomes less mechanical, however, standards become more difficult to determine. Control standards for security, for example, are less easily developed than for the output per hour of a machine because the degree of security achieved is not readily measurable.

Which of the entity objectives address effectiveness and efficiency? A. Compliance objectives. B. Strategic objectives. C. Operations objectives. D. Reporting objectives.

Answer (C) is correct. Operations objectives address effectiveness and efficiency.

The requirement that purchases be made from suppliers on an approved vendor list is an example of a A. Monitoring control. B. Corrective control. C. Preventive control. D. Detective control.

Answer (C) is correct. Preventive controls are actions taken prior to the occurrence of transactions with the intent of stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of unacceptable suppliers.

Which of the following would be a preventive control? A. Comparing a bank deposit slip with the total cash received as noted on a prelisting sheet prepared in the mail room. B. Reviewing the sequence of prenumbered documents. C. Approving customer credit prior to shipping merchandise. D. Scanning the general ledger for accounts with unusually high or low balances.

Answer (C) is correct. Preventive controls deter the occurrence of unwanted events. In contrast, detective controls alert the proper people after an unwanted event. Approving customer credit prior to shipping prevents merchandise from being shipped on credit to customers who are likely to default on making future payment.

The PCAOB's AS 2201 states that internal controls may be preventive or detective. Which of the following controls is preventive? A. Preparing bank reconciliations. B. Using batch totals. C. Requiring two persons to open mail. D. Reconciling the accounts receivable subsidiary file with the control account.

Answer (C) is correct. Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors and fraud that have already occurred that could misstate the financial statements. Assigning two individuals to open mail is an attempt to prevent misstatement of cash receipts.

Which of the following input controls are based on the logic that processing efficiency is greatly increased when files are sorted on some designated field? A. Format checks. B. Validity checks. C. Sequence checks. D. Range checks.

Answer (C) is correct. Sequence checks are based on the logic that processing efficiency is greatly increased when files are sorted on some designated field. If the system discovers a record out of order, it may indicate that the files were not properly prepared for processing.

Which of the following are included in the control environment described in the COSO internal control framework? A. Risk assessment, assignment of responsibility, and human resource practices. B. Competence of personnel, backup facilities, laws, and regulations. C. Integrity and ethical values, assignment of authority, and human resource policies. D. Organizational structure, management philosophy, and planning.

Answer (C) is correct. The control environment is a set of standards, processes, and structures that includes Integrity and ethical values Commitment to competence Board of directors or audit committee Management's philosophy and operating style Organizational structure Assignment of authority and responsibility Human resource policies and practices

The likelihood of achieving control objectives is affected by which limitation inherent to internal control? A. The internal auditor's primary responsibility is the detection of fraud. B. Management monitors internal control. C. The cost of internal control should not exceed its benefits. D. Management assesses controls.

Answer (C) is correct. The cost of an entity's internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.

Which of the following is not implied by the definition of control? A. Measurement of progress toward goals. B. Uncovering of deviations from plans. C. Assignment of responsibility for deviations. D. Indication of the need for corrective action.

Answer (C) is correct. The elements of control include (1) establishing standards for the operation to be controlled, (2) measuring performance against the standards, (3) examining and analyzing deviations, (4) taking corrective action, and (5) reappraising the standards based on experience. Thus, assigning responsibility for deviations found is not part of the control function.

Controls that are designed to provide management with assurance of the realization of specified minimum gross margins on sales are A. Output controls. B. Preventive controls. C. Directive controls. D. Detective controls.

Answer (C) is correct. The objective of directive controls is to cause or encourage desirable events to occur, e.g., providing management with assurance of the realization of specified minimum gross margins on sales.

Controls should be designed to ensure that A. The internal audit activity's guidance and oversight of management's performance is accomplished economically and efficiently. B. Management's plans have not been circumvented by worker collusion. C. Operations are performed efficiently. D. Management's planning, organizing, and directing processes are properly evaluated.

Answer (C) is correct. The purpose of control processes is to support the organization in the management of risks and the achievement of its established and communicated objectives. The control processes are expected to ensure, among other things, that operations are performed efficiently and achieve established results.

A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should A. Review and accept the information security risk assessments in a staff meeting. B. Allocate additional budget resources for external audit services. C. Visibly participate in a global information security campaign. D. Refer to the organization's U.S. human resources policies on privacy in a company newsletter.

Answer (C) is correct. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. By visibly participating in a global information security campaign, management's commitment to the security of company information is evident to all team members.

Which of the following is an inherent limitation of internal control? A. Segregation of duties. B. Employee evaluation. C. Collusion. D. Judgmental sampling.

Answer (C) is correct. Two or more people may collude, or management may override the internal control.

Online input controls most likely include A. Hash totals. B. A user review. C. A validity check. D. An audit trail.

Answer (C) is correct. Validity checks compare the data entered in a given field with a table of valid values for that field. For example, the vendor number on a request to cut a check must match the table of current vendors, and the invoice number must match the approved invoice table.

Which of the following statements is correct regarding corporate compensation systems and related bonuses? A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control. Compensation systems are not part of an organization's control system and should not be reported as such. An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses. A.2 and 3 only. B.3 only. C.1 only. D.2 only.

Answer (C) is correct.The control environment includes, among other things, the element of human resource policies and practices. Thus, hiring, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions must be considered by management.

As part of a total quality control program, a firm not only inspects finished goods but also monitors product returns and customer complaints. Which type of control best describes these efforts? A. Production control. B. Inventory control. C. Feedforward control. D. Feedback control.

Answer (D) is correct. A feedback control measures actual performance, something that has already occurred, to ensure that a desired future state is attained. It is used to evaluate the past to improve future performance. Inspecting finished goods, monitoring product returns, and evaluating complaints are post-action controls intended to eliminate deviations in future cycles of the process under control.

A customer intended to order 100 units of product Z96014, but incorrectly ordered nonexistent product Z96015. Which of the following controls most likely would detect this error? A. Redundant data check. B. Record count. C. Hash total. D. Check digit verification.

Answer (D) is correct. Check digit verification is used to identify incorrect identification numbers. The digit is generated by applying an algorithm to the ID number. During input, the check digit is recomputed by applying the same algorithm to the entered ID number.

The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives describes A. Control environments. B. Monitoring. C. Risk assessments. D. Control activities.

Answer (D) is correct. Control activities are the policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives.

According to The IIA Glossary appended to the Standards, which of the following are most directly designed to ensure that risks are contained? A. Risk management processes. B. Governance processes. C. Internal audit activities. D. Control processes.

Answer (D) is correct. Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Which of the following is a feedback control? A. Measuring performance against a standard. B. Preventive maintenance. C. Close supervision of production-line workers. D. Inspection of completed goods.

Answer (D) is correct. Feedback controls obtain information about completed activities. They permit improvement in future performance by learning from past mistakes. Thus, corrective action occurs after the fact. Inspection of completed goods is an example of a feedback control.

Under the COBIT 2019 framework, which of the following statements is true? A. A governance system should focus on covering the IT function end to end. B. A focus area includes the threat landscape, technology adoption strategy, and enterprise strategy and goals. C. Providing stakeholder value is a governance framework principle. D. Variant components for a governance system are designed for a specific context within a focus area.

Answer (D) is correct. Governance system components can be generic or variant. Generic components are applied in principle to any circumstances. Variant components are designed for a given purpose or context in a focus area.

Which of the following factors would most likely be considered an inherent limitation to an entity's internal control? A. The complexity of the information processing system. B. The lack of management incentives to improve the control environment. C. The ineffectiveness of the board of directors. D. Human judgment in the decision making process.

Answer (D) is correct. Human judgment is faulty, and controls may fail because of simple error or mistake. For example, design changes for an automated order entry system may be faulty because the designers did not understand the system or because programmers did not correctly code the design changes. Errors also may arise when automated reports are misinterpreted by users. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.

Which of the following is an operating control for a research and development department? A. All research and development costs are charged to expense in accordance with the applicable accounting principles. B. Research and development expenditures are reviewed by an independent person. C. Research and development personnel are hired by the payroll department. D. The research and development budget is properly allocated between new products, product maintenance, and cost reduction programs.

Answer (D) is correct. Operating controls are those applicable to production and support activities. Because they may lack established criteria or standards, they should be based on management principles and methods. The appropriate allocation of R&D costs to new products, product maintenance, and cost reduction programs is an example. This is in contrast to the expensing of R&D costs, which is required by the rules of external financial reporting.

Controls may be classified according to the function they are intended to perform, for example, as detective, preventive, or directive. Which of the following is a directive control? A. Monthly bank statement reconciliations. B. Recording every transaction on the day it occurs. C. Dual signatures on all disbursements over a specific amount. D. Requiring all members of the internal audit activity to be CIAs.

Answer (D) is correct. Requiring all members of the internal audit activity to be CIAs is a directive control. The control is designed to cause or encourage a desirable event to occur. The requirement enhances the professionalism and level of expertise of the internal audit activity.

Controls provide assurance to management that desired actions will be accomplished when objectives are established in writing and A. Internal reviews as to the propriety and effectiveness of the objectives are undertaken on a periodic basis by the internal audit activity. B. Policies and procedures for activities are set out in manuals for use by properly trained personnel. C. Are communicated to employees in writing and are updated by operating personnel as conditions change. D. Standards are adopted, results are compared with the standards, and corrective actions are undertaken.

Answer (D) is correct. The elements of control include (1) establishing standards for the operation to be controlled, (2) measuring performance against the standards, (3) examining and analyzing deviations, (4) taking corrective action, and (5) reappraising the standards based on experience. These elements of control provide reasonable assurance to management that established objectives and goals will be achieved.

When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that Reporting is reliable Compliance is achieved The extent of achievement of strategic and operations objectives is known A. 1 and 3 only. B. 1 and 2 only. C. 2 and 3 only. D. 1, 2, and 3.

Answer (D) is correct. When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that (1) reporting is reliable, (2) compliance is achieved, and (3) the extent of achievement of strategic and operations objectives is known.

Each of the following statements is correct regarding the existence and implementation of codes of conduct except A. The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading. B. Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior. C. The codes of conduct are periodically acknowledged by all employees. D. The codes of conduct must be in writing and displayed in public areas, such as a break room.

Answer (D) is correct. While it may be beneficial to have a code of conduct in writing, the code does not need to be displayed in all public areas. It should, however, be accessible to employees should they need to refer to it.

Which of the following is a false statement about the COBIT 2019 framework? A. A governance framework should reflect relevant compliance standards. B. The COBIT Performance Management model uses capability levels and maturity levels to measure performance. C. Governance and management activities and structures can be combined to support a holistic approach. D. A governance system design may be unique to a particular organization.

C. Governance and management activities and structures can be combined to support a holistic approach. Answer (C) is correct. Governance distinct from management is one of the six principles for a governance system. Governance tasks should be differentiated from management tasks. Accordingly, governance and management activities and structures cannot be combined.

Internal auditors need to determine the extent to which management has established adequate control criteria. For this purpose, which of the following actions may be appropriate? Determining whether objectives have been accomplished Using management's adequate control criteria in their evaluation Working with management to develop appropriate control evaluation criteria A. 1 only. B. 1 and 2 only. C. 2 only. D. 1, 2, and 3.

D. 1, 2, and 3.

Which of the following are elements of the control environment? A. Human resource policies and practices. B. Organizational structure. C. Management's philosophy and operating style. D. All of the answers are correct.

D. All of the answers are correct.

An employee steals money from his company's bank deposits, then makes up for the stolen cash with cash from the next day's deposits. If there is not enough cash the next day, the employee has to wait another day to make up for the deposit. And the cycle continues. This can go undetected for months. Which of the following controls could the organization implement as a preventive control to address this situation? A. The accounting supervisor is notified when the checking account amount drops below a certain level. B. Daily, the accounting staff at the organization's main office reconcile the amount deposited with the cash register tape from the day's sales. C. Weekly, a manager at the main office checks deposit validation dates received from the bank with the sales deposit records. D. Deposit slips and deposit bags have sequential numbers. The manager is required to write the deposit bag number on the deposit slip. The reason for any voided deposit slips or bags is to be documented.

D. Deposit slips and deposit bags have sequential numbers. The manager is required to write the deposit bag number on the deposit slip. The reason for any voided deposit slips or bags is to be documented.

Internal controls are designed to provide reasonable assurance that A. The internal auditing department's guidance and oversight of management's performance is accomplished economically and efficiently. B. Management's planning, organizing, and directing processes are properly evaluated. C. Management's plans have not been circumvented by worker collusion. D. Material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.

D. Material errors or fraud will be prevented, or detected and corrected, within a timely period by employees in the course of performing their assigned duties.