systems ch 11


A firm must establish control policies, procedures, and practices that ensure the firm's business objectives are achieved and its risk mitigation strategies are carried out. T/F

T

COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance in the U.S. T/F

T

Corporate governance is a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. T/F

T

In a computerized environment, internal controls can be categorized as general controls and application controls. T/F

T

Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. T/F

T

Segregation of duties reduces the risk of errors and irregularities in accounting records. T/F

T

The chief executive officer is ultimately responsible for enterprise risk management. T/F

T

The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving information security. T/F

T

A customer intended to order 100 units of a product A, but incorrectly ordered nonexistent product B. Which of the following controls most likely would detect this error? A. Validity check B. Record count C. Hash total D. Parity check

A

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk? A. Risk reduction. B. Prospect theory. C. Risk sharing. D. Risk acceptance.

A

According to COSO, which of the following is not a component of internal control? A. Control risk. B. Control activities. C. Monitoring. D. Control environment.

A

In a computerized environment, internal controls can be categorized into which of the following? A. General controls and application controls. B. Detective controls and protective controls. C. Network controls and transaction controls. D. Preventive controls and mandatory controls.

A

In addition to focusing on controls, COBIT 5 expands its scope by incorporating which of the following broad perspectives? A. How IT brings value to the firm. B. How IT can automate specific business processes. C. IT networking requirements. D. IT cost reductions.

A

Reconciliation of cash accounts may be referred to as what type of control? A. Detective. B. Preventive. C. Adjustive. D. Non-routine.

A

The COSO ERM framework encourages a review of risks as they apply to achieving firms' objectives. Which of the following is not one of the listed categories of objectives to be considered? A. Environment. B. Operations. C. Strategic. D. Compliance.

A

The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related to: A. Accounting practice. B. Attestation. C. Auditing. D. Quality control over attestation and/or assurance.

A

Which of the following most likely would not be considered as an inherent limitation of the effectiveness of a firm's internal control? A. Incompatible duties. B. Management override. C. Mistakes in judgment. D. Collusion among employees.

A

According to COSO ERM, which of the following is not one of the bases that should be used to analyze the risks of an identified event? A. Inherent risk. B. Organizational risk. C. Residual risk. D. Control risk.

B

According to COSO, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values? A. Information and communication B. Internal environment. C. Risk assessment. D. Control activities.

B

An entity's ongoing monitoring activities often include A. Periodic audits by the audit committee. B. Reviewing the purchasing function. C. The audit of the annual financial statements. D. Control risk assessment in conjunction with quarterly reviews.

B

Ethical principles are derived from all of the following except: A. Personal attitudes on issues of right and wrong. B. Cost benefit analysis. C. Cultural values. D. Societal traditions.

B

In a large public corporation, evaluating internal control procedures should be the responsibility of: A. Accounting management staff who report to the CFO. B. Internal audit staff who report to the board of directors. C. Operations management staff who report to the chief operation officer. D. Security management staff who report to the chief facilities officer.

B

In the event identification component of the COSO ERM framework, management must classify events into which of the following? A. Weaknesses and vulnerabilities. B. Risks and opportunities. C. Risks and rewards. D. Controls and vulnerabilities.

B

Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been: A. Authorized. B. Implemented. C. Tested. D. Monitored.

B

Proper segregation of duties calls for separation of the following functions: A. Authorization, execution, and payment. B. Authorization, recording, and custody. C. Custody, execution, and reporting. D. Authorization, payment, and recording.

B

Review of the audit log is an example of which of the following types of security control? A. Governance. B. Detective. C. Preventive. D. Corrective.

B

The internal control provisions of SOX apply to which companies in the United States? A. All companies. B. SEC registrants. C. All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net worth. D. All nonissuer companies.

B

Tracing shipping documents to pre-numbered sales invoices provides evidence that A. No duplicate shipments or billings occurred. B. Shipments to customers were properly invoiced. C. All goods ordered by customers were shipped. D. All pre-numbered sales invoices were accounted for.

B

Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group? A. Check digit. B. Validity check. C. Echo check. D. Limit check.

B

Which of the following is considered an application input control? A. Run control total. B. Edit check. C. Reporting distribution log. D. Exception report.

B

Which of the following provides the advantage of incorporating other widely accepted standards and frameworks? A. ITIL. B. COBIT 5. C. COSO 2013. D. ISO 27000.

B

Which of the following represents an inherent limitation of internal controls? A. Bank reconciliations are not performed on a timely basis. B. The CEO can request a check with no purchase order. C. Customer credit check not performed. D. Shipping documents are not matched to sales invoices.

B

Which of the following statements is correct regarding internal control? A. A well-designed internal control environment ensures the achievement of an entity's control objectives. B. An inherent limitation to internal control is the fact that controls can be circumvented by management override. C. A well-designed and operated internal control environment should detect collusion perpetrated by two people. D. Internal control is a necessary business function and should be designed and operated to detect errors and fraud.

B

According to AS 5, control risk should be assessed in terms of A. Specific controls. B. Types of potential fraud. C. Financial statement assertions. D. Control environment factors.

C

All of the following are examples of internal control procedures except A. Using pre-numbered documents B. Reconciling the bank statement C. Customer satisfaction surveys D. Insistence that employees take vacations

C

COBIT 5 takes the view that all IT processes should provide clear links between all of the following except: A. IT processes. B. IT controls. C. IT components. D. IT governance requirements.

C

Each of the following types of controls is considered to be an entity-level control, except those: A. Relating to the control environment. B. Pertaining to the company's risk assessment process. C. Regarding the company's annual stockholder meeting. D. Addressing policies over significant risk management practices

C

Management philosophy and operating style would have a relatively less significant influence on a firm's control environment when A. The internal auditor reports directly to the controller. B. Management is dominated by one individual. C. Accurate management job descriptions delineate specific duties. D. The audit committee does not have regular meetings.

C

Sound internal control dictates that immediately upon receiving checks from customers by mail, a responsible employee should A. Add the checks to the daily cash summary. B. Verify that each check is supported by a pre-numbered sales invoice. C. Prepare a summary listing of checks received. D. Record the checks in the cash receipts journal.

C

The ISO 27000 Series of standards are designed to address which of the following? A. Corporate governance. B. Internal controls. C. Information security issues. D. IT value.

C

The Sarbanes-Oxley Act (SOX) was passed as a response to which of the following events? A. The savings & loan scandals of the 1980s. B. The bust of dot-com bubble companies such as pets.com and Webvan. C. Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco. D. Securities manipulation and insider trading in the 1930s.

C

The overall attitude and awareness of a firm's top management and board of directors concerning the importance of internal control is often reflected in its A. Computer-based controls. B. System of segregation of duties. C. Control environment. D. Safeguards over access to assets.

C

Which of the following best describes why firms choose to create codes of ethics? A. Because most people will not behave ethically without a written set of guidelines. B. Codes of ethics protect firms against lawsuits that may be filed due to corporate fraud. C. They allow firms to create a formal set of expectations for employees who may have different sets of personal values. D. Companies must have a written code of ethics in order to conduct interstate commerce in the U.S.

C

Which of the following is not a component of internal control as defined by COSO? A. Control environment. B. Control activities. C. Inherent risk. D. Monitoring.

C

Which of the following is not one of the key COBIT 5 principles for governance and management of enterprise IT? A. Enabling a holistic approach. B. Meeting stakeholder needs. C. Separating management from shareholders. D. Applying an integrated framework.

C

Which of the following is not one of the responses to risk presented in COSO ERM? A. Share the risk. B. Accept the risk. C. Delegate the risk. D. Reduce the risk.

C

Which of the following items is one of the eight components of COSO's enterprise risk management framework? A. Operations. B. Reporting. C. Monitoring. D. Compliance.

C

An auditor assesses control risk because it A. is relevant to the auditor's understanding of the control environment. B. provides assurance that the auditor's materiality levels are appropriate. C. indicates to the auditor where inherent risk may be the greatest. D. affects the level of detection risk that the auditor may accept.

D

Controls in the information technology area are classified into preventive, detective, and corrective categories. Which of the following is preventive control? A. Contingency planning. B. Hash total. C. Echo check. D. Access control software.

D

The IT Infrastructure Library (ITIL) is considered a de facto standard in which of the following regions? A. Asia and Australia. B. North America. C. The UK. D. Europe.

D

The framework to be used by management in its internal control assessment under requirements of SOX is the: A. COSO internal framework. B. COSO enterprise risk management framework. C. COBIT framework. D. All of the above are correct.

D

When considering internal control, an auditor should be aware of reasonable assurance, which recognizes that A. Internal control may be ineffective due to mistakes in judgment and personal carelessness. B. Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability. C. Establishing and maintaining internal control is an important responsibility of management. D. The cost of an entity's internal control should not exceed the benefits expected to be derived.

D

Which of the following best describes what is meant by corporate governance? A. The organizational structure and responsibilities of the executive team and board of directors of a corporation. B. Regulatory bodies, such as the SEC and PCAOB, that govern the behavior of corporations. C. The ability of a corporation's management team to meet earnings forecasts over an extended period of time. D. Management's processes, policies, and ethical approach to safeguarding stakeholder interests.

D

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? A. Segregation of duties. B. Ensure proper authorization of transactions. C. Adequately safeguard assets. D. Independently verify the transactions.

D

Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission? A. Hash total. B. Parity check. C. Encryption. D. Check digit.

D

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization? A. Disclosing lack of segregation of duties to external auditors during the annual review. B. Replacing personnel every three or four years. C. Requiring accountants to pass a yearly background check. D. Providing greater management oversight of incompatible activities.

D

Which of the following is an example of a validity check? A. The computer ensures that a numerical amount in a record does not exceed some predetermined amount. B. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out. E. The computer flags any transmission for which the control field value did not match that of an existing file record. C. After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent.

E

According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to establish and maintain the effectiveness of internal control. T/F

F

Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide independent oversight of public accounting firms. T/F

F

Internal controls guarantee the accuracy and reliability of accounting records. T/F

F

Processing controls are IT general controls. T/F

F

Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages auditors to start from the basic/bottom of financial records to identify the key controls. T/F

F

The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors to assess and report on the design and effectiveness of internal control over financial reporting annually. T/F

F

The risk of a company's internal auditing processes failing to catch the misstated dollar amount of revenue on the company's income statement is classified as inherent risk. T/F

F

