SU1 Gleim
According to COSO, the proper tone at the top helps a company to do each of the following, except A.Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors. B.Promote a willingness to seek assistance and report problems before it is too late for corrective action. C.Create a compliance-supporting culture that is committed to enterprise risk management. D.Navigate gray areas where no specific compliance rules or guidelines exist.
A.Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors.Answer (A) is correct. Through words and actions, those at the top (the board of directors and management) communicate their attitudes toward integrity and ethical values. Tone at the top does not help a company adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors. Adherence to the budget is more closely linked to control activities.
Which of the following are factors considered in the control environment? A.All of the answers are correct. B.Organizational structure. C.Assignment of authority and responsibility. D.Integrity and ethical values.
A.All of the answers are correct.Answer (A) is correct. Five principles relate to the control environment. The principles are as follows: (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board demonstrates independence from management and exercises oversight of internal control; (3) management establishes structures, reporting lines, and authorities and responsibilities; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and (5) the organization holds individuals accountable for their internal control responsibilities. Therefore, integrity and ethical values, organizational structure, and assignment of authority and responsibility are all factors considered in the control environment.
Which of the following sets of duties would not be performed by a single individual in a company with the most effective segregation of duties in place? A.Approving sales returns on customers' accounts and depositing customers' checks in the bank. B.Preparing monthly customer statements and maintaining the accounts payable subsidiary ledger. C.Posting accounts payable transactions and entering additions and terminations to payroll. D.Having custody of signed checks yet to be mailed and maintaining depreciation schedules.
A.Approving sales returns on customers' accounts and depositing customers' checks in the bank.Answer (A) is correct. The organizational structure should segregate duties and responsibilities so that an individual is not in the position both to perpetrate and conceal fraud or error. The ideal segregation of duties is authorization of the transaction (e.g., unusual credit approvals), recording of the transaction, and custody of the assets (e.g., inventory, receivables, and cash) associated with the transaction. A single individual who approves sales returns and deposits customers' checks is responsible for both authorization of the transaction and custody of the assets. Thus, this set of duties should not be performed by a single individual in a company because it would violate the segregation of duties.
An employee obtains a blank check, makes it payable to a fictitious company, and then cashes it. Each of the following internal control procedures should prevent this threat to the expenditure cycle, except A.Bank reconciliations. B.Restricted access to blank checks. C.Requiring electronic funds transfer transactions. D.Positive pay with the bank.
A.Bank reconciliations.Answer (A) is correct. Bank reconciliations detect fictitious payments after they are made rather than prevent their occurrence.
During its most recent risk assessment, Capital Investment Group discovered that the spreadsheets it uses to support certain amounts on its financial statements were highly susceptible to error. Which of the following would contribute to mitigating this risk?
I. Input data is reconciled to source documentation.
II. The potential for fraud is considered.
III. Changes to formulas are tested against a manual calculation.
A.Both I and III. B.Both II and III. C.I and II. D.I, II, and III.
A.Both I and III.Answer (A) is correct. Reconciling input data to source documentation ensures that the data entered in the spreadsheets is accurate. Additionally, testing changes to spreadsheet formulas against a manual calculation ensures that calculated results are accurate. Thus, the effect of both of these control activities is a mitigation of the identified risk (i.e., error in data on the spreadsheets).
The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? A.Both control baseline and change management. B.Neither control baseline nor change management. C.Control baseline but not change management. D.Change management but not control baseline.
A.Both control baseline and change management.Answer (A) is correct. The control baseline refers to a baseline understanding of the existing internal controls. Change management is the process of evaluating the design and implementation of the changes and establishing a new baseline. A new product line requires the manager to learn the new internal controls related to the product line. Additionally, the new design and implementation of the product line must be evaluated, and a new baseline must be established.
The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives are best described as A.Control activities. B.Control environments. C.Risk assessments. D.Monitoring activities.
A.Control activities.Answer (A) is correct. The COSO model for internal control describes control activities as the policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives.
Which of the following components of internal control includes a code of conduct? A.Control environment. B.Monitoring of controls. C.Risk assessment process. D.Control activities.
A.Control environment.Answer (A) is correct. The control environment sets the tone of an organization. A code of conduct is an element of the control environment.
Each of the following is a method to evaluate internal controls based on the framework set by the Committee of Sponsoring Organizations (COSO), except A.Distinguishing economy risk from industry risk and enterprise risk. B.Evaluating internal control systems that focus first on risk identification of specific losses. C.Identifying mitigating controls to prevent losses. D.Testing to determine whether the controls are operating effectively and have prevented losses in the past.
A.Distinguishing economy risk from industry risk and enterprise risk.Answer (A) is correct. Evaluating internal controls based on the COSO framework does not require distinguishing economic risk from industry risk and enterprise risk. Therefore, it is NOT a method to evaluate internal controls based on the COSO framework.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least? A.Errors in employees' overtime computation. B.Recording of other employees' hours. C.Inaccurate accounting of employees' hours. D.Fraudulent reporting of employees' own hours.
A.Errors in employees' overtime computation. Answer (A) is correct. This internal control process is responsible for verifying that the correct employee enters the proper amount of time (s)he worked. This function is not responsible for applying pay rates to the amount of hours worked and therefore would not change any errors in overtime computations.
In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls, except A.Having two officers who significantly influence management and operations. B.Establishing a corporate culture in which integrity and ethical values are highly appreciated. C.Establishing an effective and anonymous whistleblower program with which employees can feel comfortable reporting any irregularities. D.Having an effective internal auditor function.
A.Having two officers who significantly influence management and operations.Answer (A) is correct. Management override of controls occurs when the actions of management (e.g., officers) are not consistent with established control activities. Officers are expected to influence management and operations. However, when such influence is significant and concentrated in the hands of few, there is an increased risk of management override of controls.
Which of the following factors are included in an entity's control environment? A.Integrity and ethical values, assignment of authority, and human resource practices. B.Organizational structure, management philosophy, and monitoring. C.Risk assessment, assignment of responsibility, and human resource practices. D.Competence of personnel, segregation of duties, and fraud risk assessment.
A.Integrity and ethical values, assignment of authority, and human resource practices.Answer (A) is correct. Five principles relate to the control environment. The principles are as follows: (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board demonstrates independence from management and exercises oversight of internal control; (3) management establishes structures, reporting lines, and authorities and responsibilities; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and (5) the organization holds individuals accountable for their internal control responsibilities. Therefore, integrity and ethical values, assignment of authority, and human resource practices are factors considered in the control environment.
The internal audit activity of a large not-for-profit organization is reviewing the following results of senior management's latest enterprise-wide risk assessment:
Fictitious vendors: Probability possible, impact major
Internet intrusion: Probability likely, impact major
Executive nepotism: Probability remote, impact critical
Fraudulent fundraising: Probability possible, impact minor
Based on management's assessment, where should the chief audit executive devote the most internal audit resources? A.Internet intrusion. B.Fraudulent fundraising. C.Fictitious vendors. D.Executive nepotism.
A.Internet intrusion.Answer (A) is correct. With a combination of major impact and likely occurrence, Internet intrusion has the greatest overall risk exposure and thus should receive the majority of limited internal audit resources.
Which of the following components of control contribute most to a strong control environment? A.Management adheres to control policies. B.Duties are clearly defined and separated. C.Policy manuals provide a clear understanding of internal controls. D.Controls are assessed through ongoing activities and evaluations.
A.Management adheres to control policies.Answer (A) is correct. The control environment is the foundation for all other control components. It provides discipline and structure, sets the tone of the organization, and influences the control consciousness of employees. Management is primarily responsible for establishing and maintaining control. Thus, by adhering to internal control policies, management sets the tone for the importance of internal controls and builds a strong control environment.
Management's aggressive attitude toward financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when A.Management is dominated by one individual who is also a shareholder. B.Internal auditors have direct access to the board of directors and entity management. C.The audit committee is active in overseeing the entity's financial reporting policies. D.External policies established by parties outside the entity affect its accounting practices.
A.Management is dominated by one individual who is also a shareholder.Answer (A) is correct. Management's philosophy and operating style is one factor affecting the control environment as described in the COSO model for internal control. Such characteristics as management's attitudes and actions toward financial reporting and its emphasis on meeting budget, profit, and other goals have a significant influence on the control environment, especially when management is dominated by one or a few individuals. When incentives or pressures are present to achieve certain performance goals, the auditor should heighten his or her concern about the possibility of fraud.
Which of the following presents the greatest control risk? A.Management's disregard of its responsibility to maintain an adequate internal control environment. B.The internal auditor's computer-assisted audit techniques. C.Related-party transactions were consummated on terms equivalent to arm's-length transactions. D.Management permitting the CPA to perform substantive procedures before year end.
A.Management's disregard of its responsibility to maintain an adequate internal control environment.Answer (A) is correct. Essential elements in preventing fraud include setting the correct tone at the top and instilling a strong ethical culture. However, management's disregard of this responsibility may raise doubts about the auditability of the financial statements and the integrity of management and thus presents the greatest control risk.
Which of the following is not an example of management override? A.Posting adjusting entries after year-end analyses have indicated changes in the overall economic environment. B.Changing accounting estimates without following normal procedures. C.Approving loans to clients with credit scores below those required by company policy. D.Extending payment periods for certain vendors beyond those allowed by company policy.
A.Posting adjusting entries after year-end analyses have indicated changes in the overall economic environment.Answer (A) is correct. Making adjustments based on new findings (e.g., changes in the overall economic environment) does not necessarily constitute management override. Rather, it may be an example of management intervention necessary to cope with special circumstances that otherwise may not be appropriately recorded.
Risks are measured as the product of A.Probability and impact. B.Volatility and impact. C.Volatility and duration. D.Likelihood and duration.
A.Probability and impact.Answer (A) is correct. Risks are measured in terms of (1) the probability (risk) that an event will have an impact on the achievement of objectives and (2) the magnitude (impact) in terms of monetary (e.g., financial loss) and nonmonetary (e.g., safety) values.
Of the following reasons to establish internal control, which is the most comprehensive? A.Provide reasonable assurance that the objectives of the organization are achieved. B.Safeguard the resources of the organization. C.Ensure the accuracy, reliability, and timeliness of information. D.Encourage compliance with organizational objectives.
A.Provide reasonable assurance that the objectives of the organization are achieved.Answer (A) is correct. The COSO model broadly defines internal control as a "process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations."
Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity? A.Risk C, Risk A, Risk B, Risk D. B.Risk B, Risk C, Risk A, Risk D. C.Risk C, Risk A, Risk D, Risk B. D.Risk A, Risk B, Risk C, Risk D.
A.Risk C, Risk A, Risk B, Risk D.Answer (A) is correct. Risk is the possibility of an event's occurrence that could have an impact on the achievement of objectives. Risk is measured in terms of impact and probability. Prioritizing is needed to make decisions for applying resources to engagements based on the relative significance of their risk and exposure estimates. The best order of priority listed (highest to lowest) is (1) Risk C (likely-critical), (2) Risk A (possible-major), (3) Risk B (remote-major), and (4) Risk D (remote-minor).
There are two staff members in the purchasing department of Mayflower Manufacturing Co., each of whom is authorized to prepare, authorize, and issue inventory purchase orders up to $3,000. However, no one is assigned to review purchase orders before they are sent to vendors. Which of the following best matches a resulting risk to a control activity designed to mitigate that risk? A.Risk of inventory shortages - a payables clerk matches invoices to purchase orders and receiving reports before amounts are paid. B.Risk of inventory valuation errors - an inventory receiving clerk evaluates, documents, and reports to management unusual inventory movement. C.Risk of inventory obsolescence - a controller reviews exception reports of all inventory purchases with a price more than 10% above current average costing. D.Risk of inventory valuation errors - an inventory clerk documents and tracks all inventory levels.
A.Risk of inventory shortages - a payables clerk matches invoices to purchase orders and receiving reports before amounts are paid.Answer (A) is correct. A risk of inventory shortages may result from diverted shipments (i.e., shipping inventory to an impermissible address), which can be mitigated by a control that requires invoices to be matched to receiving reports prepared by the receiving department.
Due to 50% store growth year after year, monitoring internal controls at a national retail chain has come under tremendous pressure. According to COSO, which of the following responses would be appropriate under the circumstances to help restore effective monitoring? A.Shifting most of the monitoring responsibility to store managers and district managers. B.Having all the managers sign the corporate compliance policy on an annual basis. C.Decreasing the size of the corporate internal audit activities. D.Consolidating the data in the operational reports reviewed by the chief internal auditor.
A.Shifting most of the monitoring responsibility to store managers and district managers.Answer (A) is correct. Store managers and district managers are geographically closer to the stores and can frequently visit stores to conduct monitoring activities. Therefore, effective monitoring of internal controls can be restored by changing the evaluators.
Internal control can provide only reasonable assurance that the entity's objectives and goals will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives is that A.The cost of internal control should not exceed its benefits. B.Management monitors performance. C.The audit committee is active and independent. D.The internal auditor's primary responsibility is the detection of fraud.
A.The cost of internal control should not exceed its benefits.Answer (A) is correct. A limiting factor is that the cost of internal control should not exceed the benefits that are expected to be derived. Thus, the potential loss associated with any exposure or risk is weighed against the cost to control it. Although the cost-benefit relationship is a primary criterion that should be considered in designing and implementing internal control, the precise measurement of costs and benefits usually is not possible.
Which of the following best describes the business model? A.The objectives of the business. B.Multiple layers encompassing organizational governance. C.Identification and documentation of business processes. D.Activities related to the business's core objectives.
A.The objectives of the business.Answer (A) is correct. The business model consists of the organization's objectives and how the business processes achieve those objectives. The objectives include vision, mission, and corporate strategy.
While performing an audit of the financial statements of a company for the year ended December 31, Year 1, the auditor notes that the company's sales increased substantially in December Year 1, with a corresponding decrease in January Year 2. In assessing the risk of fraudulent external financial reporting or misappropriation of assets, what should be the auditor's initial indication about the potential for fraud in sales revenue? A.There is a broad indication of external financial reporting fraud. B.There is an indication of embezzling receipts. C.There is a broad indication of misappropriation of assets. D.There is an indication of theft of the entity's assets.
A.There is a broad indication of external financial reporting fraud.Answer (A) is correct. The types of fraud relevant to the auditor include misstatements arising from fraudulent external financial reporting. These are intentional misstatements or omissions to deceive users, such as altering accounting records or documents, misrepresenting or omitting significant information, and misapplying accounting principles. Fraud also includes misappropriation of assets. These result from, for example, (1) theft of physical assets, (2) embezzlement (e.g., stealing collections of receivables), (3) an action that causes payment for items not received, or (4) using entity assets for personal reasons. The substantial increase in sales revenue at year end followed by a substantial decrease in January is a broad indicator of a failure to apply cut-off procedures, i.e., external financial reporting fraud.
Internal controls are likely to fail for any of the following reasons, except A.They are designed and implemented properly, and their design changes as processes change. B.They are not designed and implemented properly at the outset. C.They are designed and implemented properly, but their operation changes in some way. D.They are designed and implemented properly as static controls, but the environment in which they operate changes.
A.They are designed and implemented properly, and their design changes as processes change.Answer (A) is correct. After the internal control is designed and implemented, the inherent design of the control will not change. Therefore, internal controls are not likely to fail because their design changes. However, internal controls may fail due to (1) established objectives not suitable for internal control, (2) failures due to human judgment and errors, (3) breakdowns and employee misunderstanding, (4) management override, (5) collusion, and (6) external events.
Employees of an entity feel peer pressure to do the right thing; management appropriately deals with signs that problems exist and resolves the issues; and dealings with customers, suppliers, employees, and other parties are based on honesty and fairness. According to COSO, the above scenario is indicative of which of the following? A.Tone at the top. B.Strategic goals. C.Operational excellence. D.Reporting reliability.
A.Tone at the top.Answer (A) is correct. Senior management sets the tone at the top and has primary responsibility for establishing proper ethical culture. Resolving issues among employees and dealing with parties in an honest and fair manner are examples of management establishing proper ethical culture.
The bottom-up approach to understanding a business model A.Traces subprocesses to key processes. B.Is more likely to be used by larger businesses. C.Begins by determining the business's objectives. D.Is likely to overlook critical business processes.
A.Traces subprocesses to key processes.Answer (A) is correct. The bottom-up approach begins by examining all business processes at the activity level. Once these subprocesses are identified, both the larger business processes (i.e., key processes) and related key business objectives are identified.
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to A.Compliance. B.All of the answers are correct. C.Operations. D.Reporting.
B.All of the answers are correct.Answer (B) is correct. The COSO model for internal control establishes control objectives for operations, reporting, and compliance.
Which of the following is a violation of segregation of duties in internal control? A.An employee adds vendors and makes changes to a vendor master file. B.An employee enters and approves purchase orders. C.An employee matches invoices to purchase orders and receiving reports, and applies coding of account distributions. D.An employee receives goods from vendors and signs off on the deliveries.
B.An employee enters and approves purchase orders.Answer (B) is correct. Segregation of duties divides responsibility for recording of transactions, authorization (e.g., unusual credit approvals), and custody of assets (e.g., inventory, receivables, and cash) associated with the transactions. The duties of entering (recording) and approving (authorizing) purchase orders should be segregated to prevent fraud.
Which of the following best describes the interrelated components of internal control with respect to managing fraud? A.Organizational structure, management philosophy, and planning. B.Control environment, fraud risk assessment, control activities, information and communication, and monitoring. C.Risk assessment process, backup facilities, responsibility accounting, and natural laws. D.Assignment of authority and responsibility, management philosophy, and organizational structure.
B.Control environment, fraud risk assessment, control activities, information and communication, and monitoring.Answer (B) is correct. Internal control has five components: (1) the control environment, (2) fraud risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The control environment (1) sets the tone of an organization, (2) influences control consciousness, and (3) provides a foundation for the other components. A fraud risk assessment includes (1) identifying and prioritizing fraud risk factors, (2) determining whether existing controls apply, (3) testing operating effectiveness of fraud prevention, and (4) documenting and reporting the fraud risk assessment. Control activities are policies and procedures for business processes. Information and communication practices promote the fraud risk management program and the organization's position on risk. Monitoring evaluates antifraud controls.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control? A.The competence and integrity of client personnel provide an environment conducive to control and provide assurance that effective control will be achieved. B.Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion. C.Procedures designed to assure the execution and recording of transactions in accordance with proper authorizations are effective against fraud perpetrated by management. D.The benefits expected to be derived from effective internal control usually do not exceed the costs of such control.
B.Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion.Answer (B) is correct. One of the inherent limitations of internal control is that it can be circumvented by collusion among persons both within and outside the entity. Thus, a control based on segregation of duties will be ineffective if a person in a position to commit fraud colludes with a person who can conceal it.
According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization? A.Specifying the competence levels for every job in an organization and translating those levels to requisite knowledge and skills. B.Demonstrating appropriate behavior by example. C.Strengthening internal audit's ability to deter and report improper behavior. D.Removing pressures to meet unrealistic targets, particularly for short-term results.
B.Demonstrating appropriate behavior by example.Answer (B) is correct. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. Demonstrating appropriate behavior by example is the most effective method to transmit a message of ethical behavior throughout an organization.
Fraud management programs A.Involve only senior management of a business. B.Have tangible and intangible components. C.Conclude by responding to frauds. D.Reduce the likelihood of misstatements, omissions, or errors.
B.Have tangible and intangible components.Answer (B) is correct. An effective fraud management program includes tangible (e.g., company ethics policies and procedures) and intangible (e.g., fraud awareness) components.
Which of the following terms describes the type of business activity that indirectly creates value for the business's customers? A.Projects. B.Management and support processes. C.Operating processes. D.Reporting processes.
B.Management and support processes.Answer (B) is correct. Management and support processes are the activities that supervise and support the business. These processes are required for the success of the business, but they do not directly create customer value.
Within the COSO Internal Control - Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively? A.Control environment. B.Monitoring. C.Information and communication. D.Risk assessment.
B.Monitoring.Answer (B) is correct. Monitoring is the process of assessing the quality of the system's performance over time. It is designed to ensure that internal controls continue to operate effectively.
Piper Corp. reviewed the mix of preventive and detective control activities over its cash disbursements process and discovered a high proportion of preventive control activities. If Piper desires to establish additional detective control activities, which of the following control activities should it consider? A.Setting authorization limits for disbursements. B.Regularly comparing reported results to budgets and other benchmarks. C.Having different personnel initiate, approve, and record cash movements. D.Requiring dual signatures for disbursements in excess of a specified limit.
B.Regularly comparing reported results to budgets and other benchmarks. Answer (B) is correct. Control activities that compare reported results to budgets and other benchmarks generally represent detective control activities because they alert an entity to events after they have occurred.
Which of the following is a business risk? A.Country risk. B.Reporting risk. C.Credit risk. D.Liquidity risk.
B.Reporting risk.Answer (B) is correct. The four general types of business risk are (1) strategic risks, (2) compliance risks, (3) reporting risks, and (4) operational risks. External reporting risks include those related to financial statements, tax filings, and valuations. Internal reporting risks include those related to internal control, budgeting, and key performance indicators (KPIs).
The process of assessing and controlling risks to achieve an organization's goals is A.Risk assessment. B.Risk management. C.Risk. D.Risk monitoring.
B.Risk management.Answer (B) is correct. Risk management assesses and controls risks to achieve an organization's goals. Management must focus on risks at all levels of the entity and take the necessary action to manage them. All risks that could affect achievement of objectives must be considered.
An adequate system of internal controls is most likely to detect a fraud perpetrated by a A.Group of employees in collusion. B.Single employee. C.Single manager. D.Group of managers in collusion.
B.Single employee.Answer (B) is correct. Segregation of duties and other control processes serve to prevent or detect a fraud committed by an employee acting alone. One employee may not have the ability to engage in wrongdoing or may be subject to detection by other employees in the course of performing their assigned duties. However, collusion may circumvent controls. For example, comparison of recorded accountability for assets with the assets known to be held may fail to detect fraud if persons having custody of assets collude with record keepers.
According to COSO, which of the following differences relevant to the risk-assessment process is most likely to exist between a large entity and a small entity? A.An owner-manager of a small entity will not normally learn about risks arising from external factors through direct contact with customers, suppliers, and other outsiders, whereas in large entities this process is part of the entity's primary way of identifying new risk. B.The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel. C.The risk-assessment process in a small entity is more structured than in a large one because of the nature of some of the internal control components in a small entity. D.Risk assessment in a small entity, as opposed to that in a large entity, can be problematic to implement because the in-depth involvement of the CEO and other key managers is a conflict of interest that must be addressed separately in the internal control assessment process.
B.The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel.Answer (B) is correct. Because senior management of a small entity typically has a wider span of control and greater direct interaction with personnel than senior management of a large entity, the CEO of a small entity is more likely to be involved in the day-to-day operations of the business than the CEO of a large entity. Therefore, the CEO of the small entity is more likely to be aware of internal factors that may pose risks at all levels of the business.
Which of the following statements about internal control is correct? A.Exceptionally effective internal control is enough for the auditor to eliminate substantive procedures on a significant account balance. B.The cost-benefit relationship is a primary criterion that should be considered in designing internal control. C.Internal control should provide reasonable assurance that collusion among employees cannot occur. D.The establishment and maintenance of internal control are important responsibilities of the internal auditor.
B.The cost-benefit relationship is a primary criterion that should be considered in designing internal control.Answer (B) is correct. Internal control reflects the quantitative and qualitative estimates and judgments of management in evaluating the cost-benefit relationship. The cost of internal control should not exceed its benefits. Although the cost-benefit relationship is a primary criterion in designing controls, precise measurement of costs and benefits is usually impossible.
According to COSO, which of the following activities provides an example of a top-level review as a control activity? A.Computers owned by the entity are secured and periodically compared with amounts shown in the records. B.Reconciliations are made of daily wire transfers with positions reported centrally. C.A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. D.Verification of status on a medical claim determines whether the charge is appropriate for the policy holder.
C.A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.Answer (C) is correct. Control activities are policies and procedures that help ensure that management directives to mitigate risks are carried out. Whether automated or manual, they are applied (1) at all levels of the entity, (2) within various stages of business processes, and (3) to the technology environment. Control activities are selected and developed for application at different levels. Transactional control activities are typically applied at lower levels. Business performance or analytical reviews are typically applied at higher levels of the organization. Senior management guides the development and performance of control activities at the entity level. Therefore, management review of actual performance and comparing the performance with the comprehensive marketing plan to determine whether benchmarks were achieved is an example of a top-level review as a control activity.
Income smoothing is A.A form of asset misappropriation. B.Not a fraud. C.A form of fraudulent financial reporting. D.An illegal act.
C.A form of fraudulent financial reporting.Answer (C) is correct. Fraudulent financial reporting is an intentional act to deceive the users of the financial reports. Income smoothing uses accounting methods to shift revenues and expenditures among different periods to reduce variability in income. Thus, income smoothing is an intentional intercession in the financial reporting process.
Which of the following statements is correct regarding internal control? A.Internal control is a necessary business function and should be designed and operated to detect all fraud and error. B.A well-designed and operated internal control environment should detect collusion. C.An inherent limitation of internal control is that controls can be circumvented by management override. D.A well-designed internal control environment ensures the achievement of an entity's control objectives.
C.An inherent limitation of internal control is that controls can be circumvented by management override.Answer (C) is correct. Because of its inherent limitations, internal control can be designed and implemented to provide only reasonable assurance that the entity's objectives are met. Human judgment is faulty, and controls may fail because of human error. Furthermore, manual or automated controls can be circumvented by collusion, and management may inappropriately override internal control.
Which of the following factors most likely would heighten an auditor's concern about the risk of fraudulent external financial reporting? A.Low growth and profitability as compared with other entities in the same industry. B.Financial management's participation in the initial selection of accounting principles. C.An overly complex organizational structure involving unusual lines of authority. D.Large amounts of liquid assets that are easily convertible into cash.
C.An overly complex organizational structure involving unusual lines of authority.Answer (C) is correct. Certain risk factors are related to misstatements arising from fraudulent external financial reporting. One of the risk factors relating to the opportunity to commit fraud is an overly complex organizational structure involving numerous or unusual legal entities or managerial lines of authority.
According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum? A.Control baseline. B.Control revalidation/update. C.Change identification. D.Change management.
C.Change identification.Answer (C) is correct. Of the four steps in the monitoring-for-change continuum described in the 2009 COSO document Guidance on Monitoring Internal Control Systems, change identification is the one in which separate and ongoing evaluations can best be accomplished.
A company implements an enterprise resource planning application to help improve its financial and operational reporting while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of A.Segregation of duties. B.A social event. C.Change management. D.An economic event.
C.Change management.Answer (C) is correct. Hiring a specialized individual to help with the transition into a new enterprise resource planning application is a way to help manage the change. Thus, this is an example of change management.
Which of the following is an inherent limitation of internal control? A.Segregation of duties. B.Judgmental sampling. C.Collusion. D.Employee peer review.
C.Collusion.Answer (C) is correct. Two or more people may collude, or management may override internal control.
Which of the following is the control component that reflects the attitude and actions of the board and management regarding the significance of control within the organization? A.Monitoring. B.Control activities. C.Control environment. D.Risk assessment.
C.Control environment.Answer (C) is correct. According to the COSO model for internal control, the control environment reflects the attitude and actions of the board and management regarding the significance of control within the organization.
Control activities do not encompass A.Physical controls. B.Supervisory controls. C.Control revalidation. D.Performance reviews.
C.Control revalidation.Answer (C) is correct. The COSO model describes control activities as policies and procedures that help ensure that management directives are carried out. They are intended to ensure that necessary actions are taken to address risks to achieve the entity's objectives. Control activities have various objectives and are applied at various organizational and functional levels. However, control revalidation is part of the monitoring component.
Which of the following is not a component of internal control? A.Information and communication. B.The control environment. C.Control risk. D.Monitoring.
C.Control risk.Answer (C) is correct. The five components of internal control described in COSO's Internal Control -- Integrated Framework are control environment, risk assessment, control activities, information and communication, and monitoring.
According to COSO, the presence of a written code of conduct provides for a control environment that can A.Ensure that competent evaluators are implementing and monitoring internal controls. B.Verify that information systems are providing persuasive evidence of the effectiveness of internal controls. C.Encourage teamwork in the pursuit of an entity's objectives. D.Override an entity's history and culture.
C.Encourage teamwork in the pursuit of an entity's objectives.Answer (C) is correct. The ultimate purpose of a written code of conduct, as well as every COSO component and principle, is to assist the entity in achieving its objectives.
According to COSO, establishing, maintaining, and monitoring an effective internal control system can do each of the following, except A.Help an entity achieve performance targets. B.Provide protection for an entity's resources. C.Ensure an entity's financial survival. D.Promote an entity's compliance with laws and regulations.
C.Ensure an entity's financial survival.Answer (C) is correct. According to COSO, the three categories of objectives are (1) operation objectives, which relate to achieving the entity's mission, improving performance, and safeguarding the company's assets; (2) reporting objectives, which relate to the preparation of financial and nonfinancial reports for the organization and stakeholders; and (3) compliance objectives, which relate to the adherence to applicable laws, rules, and regulations. The three objectives do not include ensuring an entity's financial survival.
According to COSO, what is the first ongoing monitoring step in evaluating the effectiveness of an internal control system? A.Periodically revalidating operations where no known change has occurred. B.Reevaluating the design and implementation to establish a new baseline. C.Establishing a control baseline. D.Identifying changes in internal control that have taken place.
C.Establishing a control baseline.Answer (C) is correct. A solution for managing the causes of ineffective internal control systems is the monitoring for change continuum. The continuum has four steps. The control baseline is the first step and is a starting point that includes an understanding of the internal control system's design and whether controls have been implemented to achieve the organization's internal control objectives.
An organization's directors, management, and internal auditors all have important roles in creating a proper control environment. Senior management is primarily responsible for A.Ensuring that external and internal auditors adequately monitor the control environment. B.Designing and operating a control system that provides reasonable assurance that established objectives and goals will be achieved. C.Establishing a proper ethical culture. D.Implementing and monitoring controls designed by the board of directors.
C.Establishing a proper ethical culture.Answer (C) is correct. The COSO model treats internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of entity objectives. The control environment component of internal control reflects the attitude and actions of the board and management regarding the significance of control within the organization. It sets the organization's tone and influences the control consciousness of its personnel. Moreover, the control environment provides discipline and structure for the achievement of the primary objectives of internal control. The control environment includes, among other elements, integrity and ethical values. Thus, standards should be effectively communicated, e.g., by management example. Management also should remove incentives and temptations for dishonest or unethical acts.
Regulations, licenses and permits, and litigation are examples of A.External operational risks. B.Internal reporting risks. C.External compliance risks. D.Internal strategic risks.
C.External compliance risks.Answer (C) is correct. The general types of business risks are (1) strategic risks, (2) compliance risks, (3) reporting risks, and (4) operational risks. Each of the risks can be further organized into external and internal risks. External compliance risks include regulations, licenses and permits, and litigation.
According to COSO, an effective approach to monitoring internal control involves each of the following steps, except A.Establishing a foundation for monitoring. B.Designing and executing monitoring procedures that are prioritized based on risks to achieve organizational objectives. C.Increasing the reliability of financial reporting and compliance with applicable laws and regulations. D.Assessing and reporting the results, including following up on corrective action where necessary.
C.Increasing the reliability of financial reporting and compliance with applicable laws and regulations.Answer (C) is correct. Increasing the reliability of financial reporting and compliance with applicable laws is a reporting and a compliance objective, not a part of the three-component model for monitoring.
The business process that would prevent the business from achieving one of its objectives if the business process were not performed is a A.Key performance indicator. B.Project. C.Key process. D.Time-intensive process.
C.Key process.Answer (C) is correct. A key process is a business process that would prevent the business from achieving one of its objectives if the business process were not performed.
Which of the following is a false statement comparing management override and management intervention? A.Only management intervention is documented and disclosed. B.Management override differs from management intervention in terms of legitimacy. C.Neither management override nor management intervention is desirable for financial statement users. D.Management override and management intervention are departures from controls.
C.Neither management override nor management intervention is desirable for financial statement users.Answer (C) is correct. Management override is management circumvention of an entity's controls for an illegitimate purpose, such as personal gain or profit manipulation. Management intervention departs from controls but is necessary to cope with special circumstances that otherwise may not be appropriately recorded. Thus, management intervention may increase the usefulness of financial statements to users.
To help improve business operations, an accountant obtains an understanding of the organization's business model using the top-down approach. The accountant must A.Examine all the business processes at the activity level. B.Implement easily measurable and observable processes. C.Perform an analysis of the key processes. D.Identify why the activity or process exists.
C.Perform an analysis of the key processes.Answer (C) is correct. The top-down approach begins by determining the business's overarching objectives and then requires analysis of the key processes critical to achieving those objectives.
According to COSO, which of the following is included in the assess-and-report phase of an effective approach to monitoring internal controls? A.Prioritize risks. B.Identify controls. C.Prioritize findings. D.Tone at the top.
C.Prioritize findings.Answer (C) is correct. Monitoring assesses the quality of internal control performance over time to ensure that controls continue to operate effectively. The assess and report phase consists of (1) prioritizing findings, (2) reporting results to the appropriate level, and (3) following up on corrective action. Because the organization should evaluate and communicate control deficiencies in a timely manner, it is necessary to prioritize findings found during ongoing and separate evaluations.
Which step in the risk management process assesses the actions to manage identified risks? A.Risk assessment. B.Risk context identification. C.Risk monitoring. D.Risk response.
C.Risk monitoring.Answer (C) is correct. Risk monitoring is the last step in the risk management process. It involves (1) tracking identified risks, (2) evaluating current risk response plans (risk management actions), (3) monitoring residual risks, and (4) identifying new risks.
When the risk identified involves a high probability of the occurrence of an adverse event and a low magnitude of loss, the business A.Must develop action plans to constantly monitor, assess, and manage the risk. B.May ignore the risk. C.Should develop action plans to lower the likelihood of loss. D.Should develop action plans to manage the risk event if it occurs.
C.Should develop action plans to lower the likelihood of loss.Answer (C) is correct. Businesses can function in the presence of risks with low significance and a high probability of an adverse event. But action plans should be developed to lower the chances that an adverse event will occur.
According to COSO, which of the following is a compliance objective? A.To maintain adequate staffing to keep overtime expense within budget. B.To maintain material price variances within published guidelines. C.To maintain a safe level of carbon dioxide emissions during production. D.To maintain accounting principles that conform to GAAP.
C.To maintain a safe level of carbon dioxide emissions during production.Answer (C) is correct. Compliance objectives relate to adherence to laws and regulations. Maintaining a safe level of carbon dioxide emissions during production is an example.
A benefit of the bottom-up approach to understanding a business model is A.The analysis itself is performed rather quickly. B.Identifying activities that supervise and support the business. C.Working with each area of the business to identify its processes. D.Ease of use by small and large businesses.
C.Working with each area of the business to identify its processes.Answer (C) is correct. A benefit of the bottom-up approach relative to the top-down approach is that the people responsible for the activities help identify and document them.
Which of the following factors are included in an entity's control environment? A. Audit Committee Participation: Yes; Integrity and Ethical Values: Yes; Organizational Structure: No. B. Audit Committee Participation: No; Integrity and Ethical Values: Yes; Organizational Structure: Yes. C. Audit Committee Participation: Yes; Integrity and Ethical Values: No; Organizational Structure: Yes. D. Audit Committee Participation: Yes; Integrity and Ethical Values: Yes; Organizational Structure: Yes.
D. Audit Committee Participation: Yes; Integrity and Ethical Values: Yes; Organizational Structure: Yes. Answer (D) is correct. Five principles relate to the control environment. The principles are as follows: (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board demonstrates independence from management and exercises oversight of internal control; (3) management establishes structures, reporting lines, and authorities and responsibilities; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; and (5) the organization holds individuals accountable for their internal control responsibilities. Therefore, audit committee participation, integrity and ethical values, and organizational structure are all factors included in an entity's control environment.
A company headquartered in the United States has operations in 27 countries. The company purchased a subsidiary to expand operations into another country last year. According to COSO, which of the following provides the strongest mechanism for monitoring control in this new foreign venture? A.Management has oversight over litigation and foreign regulation. B.An accounting and control manual is being distributed. C.Ethics and fraud training is being conducted. D.An internal audit is being performed.
D.An internal audit is being performed.Answer (D) is correct. Monitoring assesses the quality of internal control performance over time to ensure that controls continue to effectively manage existing risks. Internal auditors evaluate the adequacy and effectiveness of controls in responding to risks in the entity's oversight, operations, and information systems.
According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except A.Periodic analysis of variances between expectations and actual results. B.Follow-up of customer and vendor complaints regarding amounts due and owed. C.Comparisons of information from various sources within the company. D.Approval of high-dollar transactions by supervisors.
D.Approval of high-dollar transactions by supervisors.Answer (D) is correct. Approval of high-dollar transactions by supervisors is an example of an authorization control, which is a component of control activities, not monitoring activities.
An internal audit manager requested information detailing the amount and type of training that the IT department's staff received during the last year. According to COSO, the training records would provide documentation for which of the following principles? A.Exercising oversight of the development and performance of internal control. B.Developing general control activities over technology to support the achievement of objectives. C.Holding individuals responsible for their internal control responsibilities in the pursuit of objectives. D.Demonstrating a commitment to retain competent individuals in alignment with objectives.
D.Demonstrating a commitment to retain competent individuals in alignment with objectives.Answer (D) is correct. A principle related to the control environment component of the COSO internal control framework is the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Methods of demonstrating this commitment include training records. Therefore, training records provide documentation that an organization complies with this principle.
Which of the following activities by small business clients best demonstrates management integrity in the absence of a written code of conduct? A.Reporting regularly to the board of directors about operations and finances. B.Documenting internal control procedures using flowcharts rather than narratives. C.Developing and maintaining formal descriptions of accounting procedures. D.Emphasizing a strong ethical culture through oral communication and management example.
D.Emphasizing a strong ethical culture through oral communication and management example.Answer (D) is correct. A small business may not have a written code of conduct. However, it may have a culture emphasizing integrity and a strong ethical culture by means of oral communication and management example.
Which of the following is an inherent limitation in internal control? A.Lack of an audit committee. B.Incompatible duties. C.Lack of segregation of duties. D.Faulty human judgment.
D.Faulty human judgment.Answer (D) is correct. Human judgment is faulty, and controls may fail because of human error.
Nextgen, Inc., installed an access management application to assess sensitive access and segregation-of-duty risks and conflicts during the development of security roles and the assignment of those roles to end users. To achieve this purpose, which of the following features should the application include? I. The ability to define processes and transactions that should not be combined or assigned to the same end user. II. The ability to prevent assignment of any access that conflicts with defined restrictions. III. The ability to recommend a mitigating control activity if user access conflicts with defined restrictions. A.Both I and II. B.Both II and III. C.I only. D.I, II, and III.
D.I, II, and III.Answer (D) is correct. The application should have the ability to define restrictions, prevent access in accordance with restrictions, and recommend a mitigating control activity if granting access would override a restriction.
                                        Routine    Nonroutine
Directly relates to core objectives        I           II
Indirectly relates to core objectives     III          IV
Which of the above combinations describes an operating process as a type of business activity? A.II. B.IV. C.III. D.I.
D.I.Answer (D) is correct. Routine activities that directly relate to the business's core objectives are operating processes.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control? A.Management override. B.Faulty judgment. C.Collusion among employees. D.Incompatible duties.
D.Incompatible duties.Answer (D) is correct. Internal control has inherent limitations. The performance of incompatible duties, however, is a failure to assign different people the functions of authorization, recording, and asset custody, not an inherent limitation of internal control. Segregation of duties is a category of control activities.
When evaluating whether a key performance indicator (KPI) provides an indication of how well processes and related activities are executed, which of the following is not a criterion? A.Clarity. B.Measurability. C.Relevance. D.Invariance.
D.Invariance.Answer (D) is correct. A KPI should have an acceptable or allowable range. An invariant KPI may lead to inflexibility in performance measurement.
Which of the following must be identified as a potential fraud risk? A.Collusion. B.Improper revenue recognition. C.Falsification of documentation. D.Management override of controls.
D.Management override of controls.Answer (D) is correct. Assessing the risk of management override is part of the assessment of fraud risk. The board of directors or audit committee oversees this assessment.
Which of the following is considered a fraudulent activity? A.A mistake in gathering or processing accounting data from which financial statements are prepared. B.A mistake in the application of accounting principles relating to amount, classification, manner of presentation, or disclosure. C.An incorrect accounting estimate arising from oversight or misinterpretation of facts. D.Misappropriation of assets.
D.Misappropriation of assets.Answer (D) is correct. Fraud is an intentional act involving the use of deception that results in misstatement of the financial statements. Two types of fraud that are relevant to the auditor are (1) misstatements arising from fraudulent external financial reporting and (2) misstatements arising from misappropriation of assets.
The business process includes which business activities? A.The business model. B.Corporate strategy. C.Internal control. D.Operating processes.
D.Operating processes.Answer (D) is correct. A business process is a set of related activities and tasks combined to achieve a desired outcome. Typically, it is a series of tasks that culminate in a product, service, or business goal. Business processes consist of the following business activities: (1) operating processes, (2) projects, and (3) management and support processes. Operating processes are the activities related to the business's core objectives. For service companies, operating processes are the activities that provide services to satisfy customers' needs. For manufacturing companies, operating processes are the activities that produce and sell products to customers.
Which of the following control policies or procedures would be the least effective in mitigating the risk of inventory misappropriation? A.Different personnel will be responsible for recording and approving inventory transactions. B.Inventory records will be reconciled monthly. C.The person responsible for maintaining custody of inventory has no other responsibilities. D.Periodic physical counts of inventory will be performed by the payroll clerk.
D.Periodic physical counts of inventory will be performed by the payroll clerk.Answer (D) is correct. Controls should be executed by persons with appropriate skills and experience. Although performing periodic physical counts of inventory is an effective control to mitigate inventory misappropriation, a payroll clerk will generally not possess the appropriate skills and experience to execute this control.
Risk is measured in terms of A.Financial loss. B.Safety value. C.Risk appetite. D.Probability and impact.
D.Probability and impact.Answer (D) is correct. Risk is measured in terms of probability and impact. The probability that a risk will occur ranges from nearly 0% to nearly 100% certainty. The magnitude of the impact varies in terms of monetary (financial loss) and nonmonetary (safety) values.
Which of the following is one of the general types of business risks? A.External risks. B.Avoidance risks. C.Transfer risks. D.Reporting risks.
D.Reporting risks.Answer (D) is correct. The four general types of business risks include strategic risks, compliance risks, reporting risks, and operational risks. They may be external or internal.
According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions? A. Information and communication. B. Monitoring activities. C. Control activities. D. Risk assessment.
D. Risk assessment. Answer (D) is correct. Significant changes resulting from international exposure, acquisitions, or executive transitions represent potential risks to the achievement of objectives. Under the risk assessment component of COSO, the organization identifies and assesses all risks to the achievement of its objectives and determines the appropriate risk response (i.e., whether to accept, avoid, reduce, or share the risk).
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in A. Operating procedures. B. Technology. C. The law. D. Risks.
D. Risks. Answer (D) is correct. Monitoring assesses the quality of internal control performance over time to ensure that controls continue to effectively manage existing risks.
When documenting internal control, the independent accountant sometimes uses process mapping, which can best be described as a A. Pictorial presentation of the flow of instructions in a client's internal computer system. B. Graphic illustration of the flow of operations that is used to replace the accountant's internal control questionnaire. C. Diagram that clearly indicates an organization's internal reporting structure. D. Symbolic representation of a system or series of sequential processes.
D. Symbolic representation of a system or series of sequential processes. Answer (D) is correct. Visual depictions are helpful in understanding business processes and how they are integrated into the business model. They help identify potential process improvements and serve to document and confirm appropriate internal controls. Process mapping is a simple form of flowcharting used to depict a business process.
Which of the following represents an example of an inherent limitation of internal controls? A. Customer credit checks are not performed. B. Shipping documents are not matched to sales invoices. C. Bank reconciliations are not performed on a timely basis. D. The CEO can override a control and request a check with no purchase order.
D. The CEO can override a control and request a check with no purchase order. Answer (D) is correct. Inherent limitations may exist and should be considered by the auditor. Human judgment can be faulty, controls can be circumvented by collusion, and management may inappropriately override controls. Thus, the CEO's requesting a check with no purchase order is possible because of an inherent limitation. It is an override of the internal control by management.
A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should A. Review and accept the information security risk assessments in a staff meeting. B. Refer to the organization's U.S. human resources policies on privacy in a company newsletter. C. Allocate additional budget resources for external audit services. D. Visibly participate in a global information security campaign.
D. Visibly participate in a global information security campaign. Answer (D) is correct. Through words and actions, management communicates its attitude toward integrity and ethical values. In this way, management sets the tone at the top. By visibly participating in a global information security campaign, management's commitment to the security of company information is evident to all team members.