AIS Chapter 13
To support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests five components of internal control including:
Control environment Control activities Risk assessment Information and communication.
COBIT defines the overall IT control framework, and ____________ provides the details for IT service management which is released by the UK Office of Government Commerce (OGC) and is the most widely accepted model for IT service management.
Field 1: ITIL
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Four of the seven key criteria of business requirements for information in COBIT are similar to COSO control objectives: effectiveness, efficiency, confidentiality, availability, _______________ and _____________.
Field 1: compliance Field 2: reliability, reliable, or integrity
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Three of the seven key criteria of business requirements for information in COBIT are about security and people often call them CIA: confidentiality, _____________ and ________________
Field 1: integrity Field 2: availability
One of the COSO ERM framework components, ____________ _____________ , encompasses the tone of a firm, influences the risk consciousness of its people, and sets the basis for how risk is viewed and addressed by the firm.
Field 1: internal Field 2: environment
The application controls are grouped into three categories to ensure information processing integrity: input, _____________ and output controls.
Field 1: processing or process
The COSO 2.0 (COSO 2013) framework indicates that an effective internal control system should consist of three categories of objectives: operations objectives, ______________ objectives, and _________________ objectives.
Field 1: reporting Field 2: compliance
Match the following data entry controls with their definitions.
Field checks--- ensure the characters in a field are of the proper type Validity checks--- compare data entering the system with existing data in a reference file to ensure only valid data is are entered Size checks---- ensure the data fit into the size of a field Completeness checks--- ensure all required data are entered for each record
Define each type of controls properly. Instructions
General controls ----Internal controls pertain to enterprise wide issues Application controls--Internal controls specific to a subsystem or an application Preventive controls----Internal controls deter problems before they arise Detective controls ----Internal controls find problems when they arise Corrective controls ----Internal controls fix problems that have been identified
Which of the following professional organizations have a code of ethics?
ISACA IIA AICPA IMA
Which of the following is an example of IT general controls (ITGC)?
IT control environment
While COBIT defines the overall IT control framework, another framework, _____________ provides the details for IT service management and adopts a life-cycle approach to IT services, focusing on practices for service strategy, service design, service transition, service operation, and continual service improvement.
ITIL
The IT Infrastructure Library (ITIL) is a de facto standard in Europe for the best practices in IT infrastructure management and service delivery. ITIL adopts a _______________-_______________ approach to IT services.
Life-cycle
Given your understanding of COSO ERM framework, select factors regarding internal environment.
a firm's risk management philosophy and risk appetite a firm's human resource policies/practices and development of personnel a firm's organizational structure, board of directors and the audit committee a firm's integrity and ethical values
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite. The four options to respond to risks are: reducing, sharing, avoiding, and _______________ risks.
accepting
Management selects risk responses according to the entity's risk tolerances and risk _______________.
appetite
IT controls are a subset of a firm's internal controls and are categorized as IT general and _______________ controls.
application
When entering a sales transaction, use an input control to ensure the customer account number is entered accurately
application control
Identify physical control activities based on the COSO internal control framework.
authorization - to ensure transactions are valid segregation of duties - to prevent fraud and mistakes supervision - to compensate imperfect segregation of duties accounting documents and records - to maintain audit trails and accuracy of the financial data. access control - to ensure only authorized personnel have access to physical assets and information independent verification - to double-check for errors and misrepresentations
Corrective controls fix problems that have been identified, such as using __________ files to recover corrupted data.
backup
IT Governance Institute (ITGI) developed a control framework for the governance and management of enterprise IT. This framework, _______________ , provides management with an understanding of risks associated with IT and bridges the gap between business among risks, control needs, and technical issues.
cobit
Detective
controls find problems when they arise.
The processes of making sure changes to programs and applications are authorized and documented are called change _______________ controls. Changes should be tested prior to implementation so they do not affect system availability and reliability.
management
During the "Objective Setting" process, firms set specific objectives based on their _______________ and _______________.
mission vision
In the COSO ERM framework, _______________ is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
monitoring
Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achieving the firm's objectives. There are two categories of control activities: _______________ controls and _______________ controls
physical IT
Requiring a signed source document before recording a transaction is a _______ control.
preventive
Require authorization before recording transactions
preventive control
During the objective setting stage, management should have a _______________ in place to set strategic, operations, reporting, and compliance objectives.
process
Internal control is a _______________ consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
process
According to the COSO 2.0 framework, reporting objectives are about the __________ of a firm's internal and external financial reporting.
reliability
Internal and external events affecting achievement of a firm's objectives must be identified. When using COSO ERM framework, management must distinguish between _______________ and _______________ after identifying all possible events.
risks opportunities
Information technology controls involve processes that provide assurance for information and help to mitigate _______________ associated with the use of _______________. Firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects.
risks technology
The COSO ERM framework categorizes objectives in the following four categories: _______________, operations, reporting, and compliance.
strategic
The COSO ERM framework indicates that an effective internal control system should consist of four categories of objectives: _______________ objectives, operations objectives, _______________ objectives, and _______________ objectives.
strategic reporting compliance
True or false: Each company should use only one of the control/governance frameworks in corporate and IT governance.
False Reason: Companies may choose to use multiple frameworks in corporate and/or IT governance.
What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?
SOX established the PCAOB to regulate and audit public accounting firms. Under SOX, the PCAOB replaces AICPA to issue audit standards.
Organizations derive their code of _______________ from cultural values, societal traditions, and personal attitudes on issues of right and wrong.
ethics
In the COSO ERM framework component _______________ _______________, firms identify events affecting achievement of their objectives.
event identification
Require using user names and passwords to access the company's network
general control
We define corporate _______________ as a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.
governance
The risk assessment process starts with _______________ the risks.
identifying
Provide the process of risk assessment in correct sequence (i.e., seven steps). The last step is to base on the results of the cost/benefit analysis, determine whether to reduce the risk by implementing a control, or to accept, share, or avoid the risk.
1. Identify risk to the firm 2. Estimate the likelihood of each risk occurring 3. Estimate the impact 4. Identify controls to mitigate the risk 5. Estimate the costs and benefits of implementing the controls 6. Perform a cost/benefit analysis for each risk and corresponding controls
Identify professional organizations that the accounting profession is involved in.
AICPA ------ This organization is for public accountants. IMA---- This organization is for management accountants. IIA------ This organization is for internal auditors. ISACA---- This organization is for information systems auditors.
Choose the main purpose for each framework. Instructions
COBIT ---- provides the best IT security and control practices for IT management ITIL ---- provides the concepts and practices for IT service management ISO 27000 series ----address information security issues
Select correct statements about the COBIT framework.
COBIT is a generally accepted framework for IT governance and management. COBIT 2019 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders. COBIT 2019 includes the main points of COSO ERM 2017.
Match the following control or governance frameworks with their main purposes.
COSO - A general internal control framework that can be applied to all firms COSO ERM - A framework expands from internal control to risk management that can be applied to all firms COBIT - A comprehensive framework for IT governance and management ITIL - A framework focusing on IT infrastructure and IT service management ISO 27000 series - A framework for information security management
What is a concurrent update control?
Concurrent update controls prevent two or more users updating the same record simultaneously.
Select the principle related to governance and culture in the COSO ERM 2017 framework.
Demonstrate commitment to core values
Select the principles related to performance in the COSO ERM 2017 framework.
Develop portfolio view Prioritize risks
Which of the five domains of COBIT 2019 is about IT governance?
EDM (Evaluate, Direct, and Monitor)
COSO ERM framework indicates that:
ERM manages risk to be within the firm's risk appetite. ERM provides reasonable assurance regarding the achievement of the firm's objectives.
COSO stands for Committee of Sponsoring Organizations. It composes of five organizations: ____, ____, ____, IMA, and AICPA.
FEI AAA IIA
True or false: The control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by PCAOB to be used for SOX section 404 audit.
False
True or false: The most recent control framework designed by COSO is called control objectives for information and related technology (COBIT).
False
True or false: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management.
False Reason: COSO is one of the generally accepted internal control frameworks for enterprises. COBIT is a generally accepted framework for IT governance and management.
Please match the control components with the principles in the COSO 2013 framework. Instructions
Information and Communication ---- The organization communicates with external parties regarding matters affecting the functioning of internal control. Control Activities ----The organization deploys control activities through policies that establish what is expected and procedures that put policies into place. Risk Assessment ----The organization identifies and assesses changes that could significantly impact the system of internal control. Control Environment ---The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Monitoring Activities ---The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Select correct statement regarding information technology governance and corporate governance.
Information technology governance is the responsibility of management. Information technology governance is a subset of corporate governance.
Match the following definitions with the different types of risks.
Inherent risk---the risk related to the nature of the business activity itself Control risk---- the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system Residual risk---- the product of inherent risk and control risk
Identify the purposes of IT application controls in three categories: input controls, processing controls and output controls.
Input controls--- ensuring the authorization, entry, and verification of data entering the system Processing controls --- ensuring that data and transactions are processed accurately Output controls--- providing output to authorized people and ensuring the output is used properly
Select the correct statement(s) regarding the concepts on internal control defined under COSO 2.0.
Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
What is enterprise risk management (ERM)?
It aims to provide reasonable assurance regarding the achievement of objectives. It is applied in strategy setting and across the enterprise. It involves a company's board of directors, management, and other personnel in the process.
What are the purposes of the standards of ISO 27000 series?
It is designed to address information security issues.
_____ controls provide output to authorized people and ensure the output is used properly.
Output
Choose proper examples of detective controls.
Prepare monthly trial balances. Prepare monthly bank reconciliations.
_______________ controls require compliance with preferred procedures to deter undesirable issues from happening.
Preventive
PCAOB stands for
Public Company Accounting Oversight Board
Match the following data entry controls with their definitions.
Range checks = test a numerical amount to ensure that it is within a predetermined range Validity checks = compares data entering the system with existing data in a reference file to ensure only valid data is are entered Closed-loop verifications = retrieve and display related information to ensure accurate data entry Reasonableness checks = ensure the logical relationship between two data values is correct
Define the following batch totals.
Record count ---- the total records in the batch Financial total --- the sum of a field containing dollar values Hash total---- the sum of a numeric field, such as employee number, which normally would not be the subject of arithmetic operations
To support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests five components of internal control including:
Risk assessment Information and communication Monitoring activities
Please match the control components with the principles in the COSO 2013 framework.
Risk assessment---The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Control environment---- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Monitoring---- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Control activities---- The organization selects and develops general control activities over technology to support the achievement of objectives. Information and communication---- The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
ITIL organizes IT service management into five high-level categories. Define each category.
Service strategy - the strategic planning of IT service management capabilities and the alignment of IT service and business strategies Service design - the design and development of IT services and service management processes Service transition - the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service Service operation - the effective and efficient delivery and support of services, with a benchmarked approach for an event, problem, and access management Continual service improvement - ongoing improvement of the service and the measurement of process performance required for the service
Select a correct statement on the monitoring component of the COSO ERM framework.
The ERM components and internal control process should be monitored continuously and modified as necessary. It is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
Select a correct statement regarding control frameworks.
The original COSO internal control integrated framework was created more than 20 years ago.
What are the main purposes of corporate governance?
To promote accountability and transparency in a firm's operations To protect the interests of a firm's stakeholders To encourage the efficient use of the resources a firm has
True or false: Integrity and individual ethics are formed through a person's life experience.
True
True or false: The internal environment of the COSO ERM framework provides the discipline and structure for all other components of enterprise risk management. It is the most critical component in the framework.
True
Using a backup file to recover corrupted data.
corrective control
Prepare monthly bank reconciliations
detective control
The AICPA has indicated that issues on information security are critical to certified public accountants (CPAs) as one of the top 10 technologies that accounting professionals must learn. International Organization for Standardization (ISO) 27000 series is designed to address ___________ ____________ issues.
information security
The ISO 27000 series of standards are designed to address _______________ _______________ issues.
information security
IT application controls are activities specific to a subsystem's or an application's _______________, processing, and output.
input
Most mistakes in an accounting information systems occur while entering data. Control efforts are focused on _______________ rather than processing and output activities.
input