BEC Unit 2
Absent a specific provision in its articles of incorporation, a corporation's board of directors has the power to do all of the following except A)Amend the articles of incorporation. B)Repeal the bylaws. C)Fix compensation of directors. D)Declare dividends.
A)Amend the articles of incorporation.
Which of the following sets of duties would not be performed by a single individual in a company with the most effective segregation of duties in place? A)Approving sales returns on customers' accounts and depositing customers' checks in the bank. B)Having custody of signed checks yet to be mailed and maintaining depreciation schedules. C)Preparing monthly customer statements and maintaining the accounts payable subsidiary ledger. D)Posting accounts payable transactions and entering additions and terminations to payroll.
A)Approving sales returns on customers' accounts and depositing customers' checks in the bank.
Limitations of ERM may arise from all of the following except: A)Failure to achieve objectives. B)Cost-benefit considerations. C)Faulty human judgment. D)Collusion.
A)Failure to achieve objectives.
A firm has adopted ERM practices and has begun to establish operating structures for day-to-day operations. This activity is consistent with a principle of which component of ERM? A)Governance and culture. B)Strategy and objective-setting. C)Information, communication, and reporting. D)Review and revision.
A)Governance and culture.
Enterprise risk management A)Involves the identification of events with negative impacts on organizational objectives. B)Guarantees achievement of organizational objectives. C)Requires establishment of risk and control activities by internal auditors. D)Includes selection of the best risk response for the organization.
A)Involves the identification of events with negative impacts on organizational objectives.
The cyber risk management team is not A)Responsible for managing cyber risks at all levels of the entity. B)Composed of managers from different departments. C)Led by chief information executives. D)Responsible to report to the board of directors.
A)Responsible for managing cyber risks at all levels of the entity.
According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions? A)Risk assessment. B)Information and communication. C)Monitoring activities. D)Control activities.
A)Risk assessment.
An entity determined that its variable interest rate on borrowing will increase significantly in the near future. Consequently, the entity hedged its variable rate by locking in a fixed rate for the relevant period. According to COSO, this decision is which type of response to risk? A)Sharing. B)Avoidance. C)Acceptance. D)Reduction.
A)Sharing.
According to COSO, which of the following activities provides an example of a top-level review as a control activity? A)Computers owned by the entity are secured and periodically compared with amounts shown in the records. B)A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved. C)Verification of status on a medical claim determines whether the charge is appropriate for the policy holder. D)Reconciliations are made of daily wire transfers with positions reported centrally.
B)A comprehensive marketing plan is implemented, and management reviews actual performance to determine the extent to which benchmarks were achieved.
According to COSO, the proper tone at the top helps a company to do each of the following, except A)Promote a willingness to seek assistance and report problems before it is too late for corrective action. B)Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors. C)Navigate gray areas where no specific compliance rules or guidelines exist. D)Create a compliance-supporting culture that is committed to enterprise risk management.
B)Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors.
According to the COSO ERM framework, which of following best describes the difference between strategy and business objectives? A)Strategy is the plan to achieve business objectives. B)Business objectives are the steps to achieve strategy. C)Strategy is the organization's core purpose, and business objectives are what the organization aspires to achieve over time. D)Business objectives are broader in scope than strategy.
B)Business objectives are the steps to achieve strategy.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control? A)The benefits expected to be derived from effective internal control usually do not exceed the costs of such control. B)Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion. C)The competence and integrity of client personnel provide an environment conducive to control and provides assurance that effective control will be achieved. D)Procedures designed to assure the execution and recording of transactions in accordance with proper authorizations are effective against fraud perpetrated by management.
B)Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion.
According to COSO, establishing, maintaining, and monitoring an effective internal control system can do each of the following, except A)Provide protection for an entity's resources. B)Ensure an entity's financial survival. C)Promote an entity's compliance with laws and regulations. D)Help an entity achieve performance targets.
B)Ensure an entity's financial survival.
A chemical company was revealed to be involved in the illegal disposal of chemical waste after its private information was stolen in a cyber attack. Which of the following threat actors is most likely behind the cyber attack? A)Company insiders. B)Hacktivists C)Nation-states and spies. D)Organized criminals.
B)Hacktivists
Management's aggressive attitude toward financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when A)Internal auditors have direct access to the board of directors and entity management. B)Management is dominated by one individual who is also a shareholder. C)The audit committee is active in overseeing the entity's financial reporting policies. D)External policies established by parties outside the entity affect its accounting practices.
B)Management is dominated by one individual who is also a shareholder.
A retail company is developing a cyber risk management program. In analyzing its business context, which of the following IT-related factors should be considered? A)Incidents of system failures in the previous year. B)The capacity of the systems and the need for expansion. C)Competence of employees to handle current needs. D)The need for developing a new transaction system.
B)The capacity of the systems and the need for expansion.
To which party should minor incidents of cybersecurity breaches be reported? A)The board of directors. B)The cyber risk management team. C)Departmental managers. D)Executive management.
B)The cyber risk management team.
According to the COSO Enterprise Risk Management Framework, each of the following is considered by management as part of a risk assessment, except A)Inherent risk. B)Unknown risk. C)Actual residual risk. D)Target residual risk.
B)Unknown risk.
A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should A)Review and accept the information security risk assessments in a staff meeting. B)Visibly participate in a global information security campaign. C)Refer to the organization's U.S. human resources policies on privacy in a company newsletter. D)Allocate additional budget resources for external audit services.
B)Visibly participate in a global information security campaign.
During its most recent risk assessment, Capital Investment Group discovered that the spreadsheets it uses to support certain amounts on its financial statements were highly susceptible to error. Which of the following would contribute in mitigating this risk? I Input data is reconciled to source documentation II The potential for fraud is considered III Changes to formulas are tested against a manual calculation I and II. I, II, and III. Both II and III. Both I and III.
Both I and III.
The materials manager of a warehouse is given a new product line to manage with new inventory control procedures. Which of the following sequences of the COSO internal control monitoring-for-change continuum is affected by the new product line? A)Control baseline but not change management. B)Neither control baseline nor change management. C)Both control baseline and change management. D)Change management but not control baseline.
C)Both control baseline and change management.
When choosing a communication channel to manage cyber risks, which of the following is not a factor considered? A)Nature. B)Urgency. C)Cost. D)Sensitivity.
C)Cost.
According to the COSO, benefits of effective enterprise risk management include each of the following except A)Increasing the range of opportunities. B)Improving resource deployment. C)Decreasing inherent risk appetite. D)Enhancing enterprise resilience.
C)Decreasing inherent risk appetite.
An internal audit manager requested information detailing the amount and type of training that the IT department's staff received during the last year. According to COSO, the training records would provide documentation for which of the following principles? A)Developing general control activities over technology to support the achievement of objectives. B)Exercising oversight of the development and performance of internal control. C)Demonstrating a commitment to retain competent individuals in alignment with objectives. D)Holding individuals responsible for their internal control responsibilities in the pursuit of objectives.
C)Demonstrating a commitment to retain competent individuals in alignment with objectives.
Each of the following is a limitation of enterprise risk management (ERM), except A)ERM deals with risk, which relates to the future and is inherently uncertain. B)ERM operates at different levels with respect to different objectives. C)ERM can provide absolute assurance with respect to objective categories. D)ERM is as effective as the people responsible for its functioning.
C)ERM can provide absolute assurance with respect to objective categories.
According to COSO, the benefits of enterprise risk management (ERM) include all of the following except A)Improved resource allocation. B)Decreased performance variability. C)Elimination of all risks. D)Improved risk identification and management.
C)Elimination of all risks.
According to COSO, what is the first ongoing monitoring step in evaluating the effectiveness of an internal control system? A)Identifying changes in internal control that have taken place. B)Reevaluating the design and implementation to establish a new baseline. C)Establishing a control baseline. D)Periodically revalidating operations where no known change has occurred.
C)Establishing a control baseline.
Which component of the COSO ERM framework involves assigning value to information, technology, and systems? A)Information, communication, and reporting. B)Governance and culture. C)Performance. D)Review and revision.
C)Performance.
According to COSO's ERM framework, which view of risk is fully integrated? A)Risk profile view. B)Risk view. C)Portfolio view. D)Risk category view.
C)Portfolio view.
Which of the following risk responses is not effective in managing cyber risks? A)Risk reduction. B)Risk sharing. C)Risk avoidance. D)Risk acceptance.
C)Risk avoidance.
The premise of enterprise resource management (ERM) is that an organization exists to provide value for its A)Customers. B)Shareholders. C)Stakeholders. D)Employees.
C)Stakeholders.
A member of the board of directors of Central Communications Co. is offered a license by a third party to operate a cellular phone system. The director does not present this offer to the board of directors for approval but informally mentions it to a fellow board member, who does not think it will be a problem. The director buys the license. Which of the following statements is correct regarding the director's actions? A)The director breached a duty of care by failing to use prudent business judgment. B)The director breached the duty of due diligence. C)The director breached a duty of loyalty by usurping a corporate opportunity. D)The director acted properly in purchasing the license.
C)The director breached a duty of loyalty by usurping a corporate opportunity.
Which of the following is a violation of segregation of duties in internal control? A)An employee adds vendors and makes changes to a vendor master file. B)An employee matches invoices to purchase orders and receiving reports, and applies coding of account distributions. C)An employee receives goods from vendors and signs off on the deliveries. D)An employee enters and approves purchase orders.
D)An employee enters and approves purchase orders.
According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum? A)Control baseline. B)Control revalidation/update. C)Change management. D)Change identification.
D)Change identification.
Which of the following components are supporting aspects of the COSO ERM framework? A)Governance and culture; review and revision. B)Performance; review and revision. C)Strategy and objective-setting; performance. D)Governance and culture; information, communication, and reporting.
D)Governance and culture; information, communication, and reporting.
According to COSO, the component of enterprise risk management (ERM) that best relates to continuous improvement is A)Strategy and objective-setting. B)Monitoring. C)Information, communication, and reporting. D)Review and revision.
D)Review and revision.
The performance component of the COSO ERM framework addresses an entity's A)Performance targets and tolerances. B)Performance results and consideration of risks. C)Ability to leverage technology. D)Risk identification, assessment, and prioritization methods.
D)Risk identification, assessment, and prioritization methods.
A retail company is developing a cyber risk management program. In analyzing its business context, which of the following IT-related factors should be considered? A)Competence of employees to handle current needs. B)The need for developing a new transaction system. C)Incidents of system failures in the previous year. D)The capacity of the systems and the need for expansion.
D)The capacity of the systems and the need for expansion.
According to COSO, ERM is best defined as A)A process that takes a control-based approach to an organization. B)A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. C)A serial process in which one component affects only the next component. D)The culture, capabilities, and practices that organizations rely on to manage risk in creating, preserving, and realizing value.
D)The culture, capabilities, and practices that organizations rely on to manage risk in creating, preserving, and realizing value.
The components of enterprise risk management (ERM) should be present and functioning. What does "present" mean? I Components exist in the design of ERM. II Components exist in the implementation of ERM. III Components continue to operate to achieve strategy and business objectives. II only. I and II. I only. I, II, and III.
I and II.
Nextgen, Inc., installed an access management application to assess sensitive access and segregation-of-duty risks and conflicts during the development of security roles and the assignment of those roles to end users. To achieve this purpose, which of the following features should the application include? I The ability to define processes and transactions that should not be combined or assigned to the same end user II The ability to prevent assignment of any access that conflicts with defined restrictions III The ability to recommend a mitigating control activity if user access conflicts with defined restrictions Both I and II. I only. Both II and III. I, II, and III.
I, II, and III.