AIS Ch 7

One reason why many organizations do not adequately protect their systems is because A) control problems may be overestimated by many companies. B) productivity and cost cutting cause management to forgo implementing and maintaining internal controls. C) control technology has not yet been developed. D) all of the above

B) productivity and cost cutting cause management to forgo implementing and maintaining internal controls.

A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates. A) performance evaluation B) project development plan C) steering committee D) strategic master plan

B) project development plan

Corporate policy that requires a purchasing agent and purchasing department manager to sign off on asset purchases over $1,500 is an example of A) general authorization. B) specific authorization. C) special authorization. D) generic authorization.

B) specific authorization.

The primary purpose of the Foreign Corrupt Practices Act of 1977 was A) to require corporations to maintain a good system of internal control. B) to prevent the bribery of foreign officials by American companies. C) to require the reporting of any material fraud by a business. D) All of the above are required by the act.

B) to prevent the bribery of foreign officials by American companies.

The Sarbanes-Oxley Act (SOX) applies to A) all companies with gross annual revenues exceeding $500 million. B) publicly held companies with gross annual revenues exceeding $500 million. C) all private and publicly held companies incorporated in the United States. D) all publicly held companies.

D) all publicly held companies.

Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his company's budgeting practices. It seems that, as a result of "budget handcuffs" that require managers to explain material deviations from budgeted expenditures, his ability to creatively manage his department's activities have been curtailed. The level of control that the company is using in this case is a A) boundary system. B) belief system. C) interactive control system. D) diagnostic control system.

D) diagnostic control system.

A ________ is created to guide and oversee systems development and acquisition. A) performance evaluation B) project development plan C) steering committee D) strategic master plan

D) strategic master plan

A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a A) performance evaluation. B) project development plan. C) data processing schedule. D) strategic master plan.

D) strategic master plan.

Pam is a receptionist for Dunderhead Paper Co., which has strict corporate policies on appropriate use of corporate resources. The first week of August, Pam saw Michael, the branch manager, putting pencils, pens, erasers, paper and other supplies into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework? A) Integrity and ethical values B) Risk management philosophy C) Restrict access to assets D) Methods of assigning authority and responsibility

A) Integrity and ethical values

Which of the following statements is true? A) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes. B) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check. C) Requiring two signatures on checks over $20,000 is an example of segregation of duties. D) Although forensic specialists utilize computers, only people can accurately identify fraud.

A) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.

Of the following examples of fraud, which will be the most difficult to prevent and detect? Assume the company enforces adequate segregation of duties. A) Jim issues credit cards to him and Marie, and when the credit card balances are just under $1,000, Marie writes off the accounts as bad debt. Jim then issues new cards. B) An employee puts inventory behind the dumpster while unloading a vendor's delivery truck, then picks up the inventory later in the day and puts it in her car. C) A mail room employee steals a check received from a customer and destroys the documentation. D) The accounts receivable clerk does not record sales invoices for friends or family, so they can receive free goods.

A) Jim issues credit cards to him and Marie, and when the credit card balances are just under $1,000, Marie writes off the accounts as bad debt. Jim then issues new cards.

The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the A) control activities B) organizational structure C) budget framework D) internal environment

B) organizational structure

Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework? A) Analyzing past financial performance and reporting B) Providing sufficient resources to knowledgeable employees to carry out duties C) Disciplining employees for violations of expected behavior D) Setting realistic targets for long-term performance

A) Analyzing past financial performance and reporting

________ controls prevent, detect and correct transaction errors and fraud. A) Application B) Detective C) General D) Preventive

A) Application

Which of the following duties could be performed by the same individual without violating segregation of duties controls? A) Approving accounting software change requests and testing production scheduling software changes B) Programming new code for accounting software and testing accounting software upgrades C) Approving software changes and implementing the upgraded software D) Managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices

A) Approving accounting software change requests and testing production scheduling software changes

This control framework addresses the issue of control from three vantage points: business objectives, information technology resources, and information technology processes. A) ISACA's control objectives for information and related technology B) COSO's internal control framework C) COSO's enterprise risk management framework D) none of the above

A) ISACA's control objectives for information and related technology

Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported? A) Information and communication B) Internal environment C) Event identification D) Objective setting

A) Information and communication

The risk that exists before management takes any steps to control the likelihood or impact of a risk is A) Inherent risk B) Residual risk C) Risk appetite D) Risk assessment

A) Inherent risk

A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a(n) A) preventive control. B) detective control. C) corrective control. D) authorization control

A) preventive control.

Which of the following statements about internal environment isfalse? A) Management's attitudes toward internal control and ethical behavior have only minimal impact on employee beliefs or actions. B) Supervision is especially important in organizations that cannot afford elaborate responsibility reporting or are too small to have adequate segregation of duties. C) An overly complex or unclear organizational structure may be indicative of more serious problems. D) A written policy and procedures manual is an important tool for assigning authority and responsibility.

A) Management's attitudes toward internal control and ethical behavior have only minimal impact on employee beliefs or actions.

Which of the following is not one of the risk responses identified in the COSO Enterprise Risk Management Framework? A) Monitoring B) Avoidance C) Acceptance D) Sharing

A) Monitoring

Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment? A) Organizational structure B) Methods of assigning authority and responsibility C) Management philosophy and operating style D) Commitment to competence

A) Organizational structure

Which of the following is a control related to design and use of documents and records? A) Sequentially prenumbering sales invoices B) Comparing physical inventory counts with perpetual inventory records C) Reconciling the bank statement to the general ledger D) Locking blank checks in a drawer or safe

A) Sequentially prenumbering sales invoices

At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect? A) Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) B) A group of kids snuck into the theater through a back door when customers left after a show. C) The box office cashier accidentally gives too much change to a customer. D) The ticket taker admits his friends without tickets.

A) Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.)

A computer operator is allowed to work as a programmer on a new payroll software project. Does this create a potential internal control problem? A) Yes, the computer operator could alter the payroll program to increase her salary. B) Yes, this is a potential problem unless the computer operator is supervised by the payroll manager. C) No, ideal segregation of duties is not usually possible, and operators are often the best at programming changes and updates. D) No, as long as the computer operator separately accounts for hours worked in programming and in operations.

A) Yes, the computer operator could alter the payroll program to increase her salary.

Which of the following is an example of a preventive control? A) approving customer credit prior to approving a sales order B) reconciling the bank statement to the cash control account C) counting inventory on hand and comparing counts to the perpetual inventory records D) maintaining frequent backup records to prevent loss of data

A) approving customer credit prior to approving a sales order

A(n) ________ helps employees act ethically by setting limits beyond which an employee must not pass. A) boundary system B) diagnostic control system C) interactive control system D) internal control system

A) boundary system

Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his work environment. It seems that, as a result of "feminazi" interference, the suggestive banter that had been prevalent in the workplace during his youth was no longer acceptable. He even had to sit through a sexual harassment workshop! The level of control that the company is using in this case is a A) boundary system. B) belief system. C) interactive control system. D) diagnostic control system.

A) boundary system.

Independent checks on performance include all the following except A) data input validation checks. B) reconciling hash totals. C) preparing a trial balance report. D) supervisor review of journal entries and supporting documentation.

A) data input validation checks.

Store policy that allows retail clerks to process sales returns for $300 or less, with a receipt dated within the past 60 days, is an example of A) general authorization. B) specific authorization. C) special authorization. D) generic authorization.

A) general authorization.

According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for A) hiring and firing the external auditors. B) performing tests of the company's internal control structure. C) certifying the accuracy of the company's financial reporting process. D) overseeing day-to-day operations of the internal audit department.

A) hiring and firing the external auditors.

Generally in a risk assessment process, the first step is to A) identify the threats that the company currently faces. B) estimate the risk probability of negative events occurring. C) estimate the exposure from negative events. D) identify controls to reduce all risk to zero.

A) identify the threats that the company currently faces.

The COSO Enterprise Risk Management Integrated Framework identifies four objectives necessary to achieve corporate goals. Objectives specifically identified include all of the following except A) implementation of newest technologies. B) compliance with laws and regulations. C) effective and efficient operations. D) reliable reporting.

A) implementation of newest technologies.

Go-Go Corporation, a publicly traded company, has three brothers who serve as President, Vice President of Finance and CEO. This situation A) increases the risk associated with an audit. B) must be changed before your audit firm could accept the audit engagement. C) is a violation of the Sarbanes-Oxley Act. D) violates the Securities and Exchange Act.

A) increases the risk associated with an audit.

One of the objectives of the segregation of duties is to A) make sure that different people handle different parts of the same transaction. B) ensure that no collusion will occur. C) make sure that different people handle different transactions. D) achieve an optimal division of labor for efficient operations.

A) make sure that different people handle different parts of the same transaction.

The COSO Enterprise Risk Management Integrated Framework stresses that A) risk management activities are an inherent part of all business operations and should be considered during strategy setting. B) effective risk management is comprised of just three interrelated components; internal environment, risk assessment, and control activities. C) risk management is the sole responsibility of top management. D) risk management policies, if enforced, guarantee achievement of corporate objectives.

A) risk management activities are an inherent part of all business operations and should be considered during strategy setting.

Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Folding Squid Technologies A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process. B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit. C) selected the company's Chief Financial Officer to chair the audit committee. D) did not mention to auditors that the company had experienced significant losses due to fraud during the past year.

B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.

River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance? A) $50,000 B) $650,000 C) $650 D) $50

B) $650,000

What is not a corrective control procedure? A) Identify the cause of a problem. B) Deter problems before they arise. C) Correct resulting errors or difficulties. D) Modify the system so that future problems are minimized or eliminated

B) Deter problems before they arise.

When undertaking risk assessment, the expected loss is calculated like this. A) Impact times expected loss B) Impact times likelihood C) Inherent risk times likelihood D) Residual risk times likelihood

B) Impact times likelihood

What is one reason why AIS threats are increasing? A) LANs and client/server systems are easier to control than centralized, mainframe systems. B) Many companies do not realize that data security is crucial to their survival. C) Computer control problems are often overestimated and overly emphasized by management. D) Many companies believe that protecting information is a strategic requirement.

B) Many companies do not realize that data security is crucial to their survival.

The risk that remains after management implements internal controls is A) Inherent risk B) Residual risk C) Risk appetite D) Risk assessment

B) Residual risk

Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions is an example of a ________ control. A) corrective; detective B) detective; corrective C) preventive; corrective D) detective; preventive

B) detective; corrective

A(n) ________ measures company progress by comparing actual performance to planned performance. A) boundary system B) diagnostic control system C) interactive control system D) internal control system

B) diagnostic control system

Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter A) unintentional errors. B) employee fraud or embezzlement. C) fraud by outsiders. D) disgruntled employees.

B) employee fraud or embezzlement.

The process that a business uses to safeguard assets, provide accurate and reliable information, and promote and improve operational efficiency is known as A) a phenomenon. B) internal control. C) an AIS threat. D) a preventive control.

B) internal control.

River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits have an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. Based on cost-benefit analysis, what is the most that the business should pay for the insurance? A) $500 B) $650 C) $600 D) $50

C) $600

River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss without insurance? A) $50,000 B) $650,000 C) $650 D) $50

C) $650

This control framework's intent includes helping the organization to provide reasonable assurance that objectives are achieved and problems are minimized, and to avoid adverse publicity and damage to the organization's reputation. A) ISACA's control objectives for information and related technology B) COSO's internal control framework C) COSO's enterprise risk management framework D) none of the above

C) COSO's enterprise risk management framework

________ controls are designed to make sure an organization's control environment is stable and well managed. A) Application B) Detective C) General D) Preventive

C) General

Which of the following is not a reason for the increase in security problems for AIS? A) Confidentiality issues caused by interlinked inter-company networks B) Difficult to control distributed computing networks C) Increasing efficiency resulting from more automation D) Increasing numbers of information systems and users

C) Increasing efficiency resulting from more automation

Which attribute below is not an aspect of the COSO ERM Framework internal environment? A) Enforcing a written code of conduct B) Holding employees accountable for achieving objectives C) Restricting access to assets D) Avoiding unrealistic expectations

C) Restricting access to assets

The amount of risk a company is willing to accept in order to achieve its goals and objectives is A) Inherent risk B) Residual risk C) Risk appetite D) Risk assessment

C) Risk appetite

Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies. A) Foreign Corrupt Practices Act of 1977 B) The Securities Exchange Act of 1934 C) The Sarbanes-Oxley Act of 2002 D) The Control Provision of 1998

C) The Sarbanes-Oxley Act of 2002

At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect? A) Some customers presented tickets purchased on a previous day when there wasn't a ticket taker at the theater entrance (so the tickets didn't get torn.) B) A group of kids snuck into the theater through a back door when customers left after a show. C) The box office cashier accidentally gives too much change to a customer. D) The ticket taker admits his friends without tickets.

C) The box office cashier accidentally gives too much change to a customer.

The COSO Enterprise Risk Management Framework includes eight components. Which of the following is not one of them? A) control environment B) risk assessment C) compliance with federal, state, or local laws D) monitoring

C) compliance with federal, state, or local laws

Safeguarding assets is one of the control objectives of internal control. Which of the following is not one of the other control objectives? A) providing accurate and reliable information B) promoting operational efficiency C) ensuring that no fraud has occurred D) encouraging adherence to management policies

C) ensuring that no fraud has occurred

A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention. A) boundary system B) diagnostic control system C) interactive control system D) internal control system

C) interactive control system

The SEC and FASB are best described as external influences that directly affect an organization's A) hiring practices. B) philosophy and operating style. C) internal environment. D) methods of assigning authority.

C) internal environment.

Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities. A) event B) activity C) process D) system

C) process

The audit committee of the board of directors A) is usually chaired by the CFO. B) conducts testing of controls on behalf of the external auditors. C) provides a check and balance on management. D) does all of the above.

C) provides a check and balance on management.

Which of the following is not one of the important aspects of the Sarbanes-Oxley Act? A) The creation of the Public Company Accounting Oversight Board B) New rules for auditors and management C) New roles for audit committees D) New rules for information systems development

D) New rules for information systems development

River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss with insurance? A) $50,000 B) $650,000 C) $650 D) $50

D) $50

Which of the following is accomplished by corrective controls? A) Identify the cause of the problem. B) Correct the resulting errors. C) Modify the system to prevent future occurrences of the problem. D) All of the above are accomplished by corrective controls.

D) All of the above are accomplished by corrective controls.

Accountants must try to protect the AIS from threats. Which of the following would be a measure that should be taken? A) Take a proactive approach to eliminate threats. B) Detect threats that do occur. C) Correct and recover from threats that do occur. D) All of the above are proper measures for the accountant to take.

D) All of the above are proper measures for the accountant to take.

The audit committee is responsible for A) overseeing the internal control structure. B) overseeing the financial reporting process. C) working with the internal and external auditors. D) All of the above are responsibilities.

D) All of the above are responsibilities.

Which of the following would be considered a "red flag" for problems with management operating style if the question were answered "yes"? A) Does management take undue business risks to achieve its objectives? B) Does management attempt to manipulate performance measures such as net income? C) Does management pressure employees to achieve results regardless of the methods? D) All of the above statements would raise "red flags" if answered "yes."

D) All of the above statements would raise "red flags" if answered "yes."

With a limited work force and a desire to maintain strong internal control, which combination of duties would result in the lowest risk exposure? A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal B) Approving a sales return on a customer's account and depositing customers' checks in the bank C) Updating the general ledger and working in the inventory warehouse D) Entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal

D) Entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal

Which of the following is not one of the eight interrelated risk and control components of COSO Enterprise Risk Management Framework? A) Internal environment B) Monitoring C) Risk response D) Event assessment

D) Event assessment

Which of the following suggests a weakness in a company's internal environment? A) The audit committee regularly meets with the external auditors. B) The Board of Directors is primarily independent directors. C) The company has an up-to-date organizational chart. D) Formal employee performance evaluations are prepared every three

D) Formal employee performance evaluations are prepared every three years.