Quiz 3 (Practice) Risk Assessment


The COSO framework describes components, organization structure, and categories of objectives. Which of the following is NOT a category of objectives? 1) Reporting 2) Monitoring 3) Operations 4) Compliance

2) Monitoring

Which of the following is NOT a definition of vulnerability? 1) Characteristics of IT resources that can be exploited for harm. 2) The theft, misuse, or misappropriation of computer hardware. 3) Characteristics of IT processes that increase the probability of the occurrence of detrimental events. 4) Weaknesses or exposures in IT assets or processes that may lead to business risk.

2) The theft, misuse, or misappropriation of computer hardware.

A firm must establish control policies, procedures, and practices that ensure the firm's business objectives are achieved and its risk mitigation strategies are carried out. True False

True

COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance in the U.S. True False

True

Corporate governance is a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. True False

True

In a computerized environment, internal controls can be categorized as general controls and application controls. True False

True

The chief executive officer is ultimately responsible for enterprise risk management. True False

True

The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving information security. True False

True

True or false: Internal control is a process. True False

True

True or false: internal control provides reasonable and absolute assurance. True False

False

Which of the following is NOT part of the control environment? 1) The potential for fraud 2) Management's operating style 3) Commitment to ethical values 4) Organizational structure

1) The potential for fraud

Which of the following is NOT a major element of the overall framework for vulnerability assessment and management? 1) Maintenance 2) Explanation 3) Identification 4) Remediation

2) Explanation

Which of the following is a Risk Assessment Principle? 1) The organization identifies and assesses changes that could significantly impact the system of internal control. 2) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 3) Internal control cannot prevent bad judgment or decisions, or external events that can cause an organization to fail to achieve its operational goals. 4) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

1) The organization identifies and assesses changes that could significantly impact the system of internal control.

In a large public corporation, evaluating internal control procedures should be the responsibility of which of the following? 1) Internal audit staff who report to the board of directors. 2) Accounting management staff who report to the CFO 3) Operations management staff who report to the chief operating officer 4) Security management staff who report to the chief facilities officer

1) Internal audit staff who report to the board of directors.

In evaluating an organization's internal controls, you find that control deficiencies were recorded but not subsequently communicated to the senior manager responsible. That would be a problem with which of the 5 COSO elements? 1) Monitoring 2) Control activities 3) Control environment 4) Risk assessment

1) Monitoring

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization? 1) Providing greater management oversight of incompatible activities. 2) Disclosing lack of segregation of duties to external auditors during the annual review. 3) Replacing personnel every three or four years. 4) Requiring accountants to pass a yearly background check.

1) Providing greater management oversight of incompatible activities.

Which of the following is a Control Environment Principle? 1) The organization demonstrates a commitment to integrity and ethical values. 2) The organization selects and develops general control activities over technology to support the achievement of objectives. 3) The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4) Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.

1) The organization demonstrates a commitment to integrity and ethical values.

COSO stands for which of the following? 1) Council of Supporting Organizations 2) Committee of Supporting Organizations 3) Committee of Sponsoring Organizations 4) Council of Sponsoring Organizations

3) Committee of Sponsoring Organizations

According to COSO, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values? 1) Risk Assessment 2) Monitoring 3) Control Environment 4) Control Activities

3) Control Environment

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? 1) Adequately safeguard assets. 2) Ensure proper authorization of transactions. 3) Independently verify the transactions. 4) Segregation of duties.

3) Independently verify the transactions.

In evaluating an organization's internal controls, you note that there are situations where they do not collect quality information about the assignment of passwords. This would be a problem with which of the 5 COSO elements? 1) Control activities 2) Monitoring 3) Information and Communication 4) Risk assessment

3) Information and Communication

Which of the following is NOT an information security risk or attack? 1) Virus 2) Trojan horse 3) Slug 4) Worm

3) Slug

Which of the following is the best definition of SPYWARE? 1) Use of a computer's camera and microphone without the user's knowledge or approval. 2) Sending a network packet that appears to come from a source other than its actual source. 3) Software secretly installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code. 4) Manipulating someone to take a certain action that may not be in that person's best interest, such as revealing confidential information or granting access to physical assets, networks, or information.

3) Software secretly installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

Which of the following is the best definition of risk as used by COSO? 1) The possibility of losing some or all of the original investment. 2) A factor, thing, element, or course involving uncertain danger. 3) The possibility that an event will occur and adversely affect the achievement of objectives. 4) The chance that an investment's actual return will be different than expected.

3) The possibility that an event will occur and adversely affect the achievement of objectives.

The recent revision to the COSO framework provided how many principles related to the 5 COSO elements? 1) 12 2) 11 3) 5 4) 17

4) 17

Which of the following would be a control activity that could be used to mitigate the risk of uncontrollable external events? 1) Create an internal audit function 2) Ensure segregation of duties 3) Assure safeguard of records 4) Acquire insurance

4) Acquire insurance

Which of the following is NOT a goal of information security management? 1) Availability 2) Integrity 3) Confidentiality 4) Honesty

4) Honesty

One approach to assessing risks is to categorize them. Which of the following is not a category for risk assessment? 1) Strategic 2) Financial 3) Operational 4) Process

4) Process

The COSO Framework Cube describes 5 components, the organizational structure, and the categories of objectives. Which of the following is NOT a category of objectives? 1) Operations 2) Compliance 3) Reporting 4) Risk assessment

4) Risk assessment

Which of the following is NOT a general category of control activities? 1) Segregation of duties 2) Independent checks on performance 3) Adequate safeguards of assets and records 4) Strong audit committee

4) Strong audit committee

Which of the following is not a COSO principle relating to the control environment? 1) The organization demonstrates a commitment to integrity and ethical values. 2) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 3) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. 4) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

4) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors to assess and report on the design and effectiveness of internal control over financial reporting annually. True False

False

According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to establish and maintain the effectiveness of internal control. True False

False

Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide independent oversight of public accounting firms. True False

False

Internal controls guarantee the accuracy and reliability of accounting records. True False

False
