AIS chapter 10
correct statements about COBIT
-COBIT 5 integrates other frameworks and standards such as ITIL and the ISO 27000 series -COBIT 5 enables IT to be governed and managed in a holistic manner, covering the enterprise's full IT responsibility end to end and considering the IT-related interests of stakeholders -COBIT is a generally accepted framework for IT governance and management
monitoring component of the COSO ERM framework
-the ERM components and internal control process should be monitored continuously and modified as necessary -It is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model
what is the impact of Sarbanes Oxley Act 2002 (SOX) on the accounting profession?
-under SOX, the PCAOB (rather than the AICPA) sets the auditing standards for audits of public companies -SOX established the PCAOB to register, regulate and inspect public accounting firms
COBIT 199
(control objectives for information and related technology) an internationally accepted set of best IT security and control practices for IT management, released by the IT Governance Institute (ITGI)
Sound internal control dictates that immediately upon receiving checks from customers by mail, a responsible employee should a. Prepare a summary listing of checks received. b. Add the checks to the daily cash summary. c. Record the checks in the cash receipts journal. d. Verify that each check is supported by a pre-numbered sales invoice.
A
Which edit check compares entered data to a predetermined acceptable upper and lower limit? A) Range check B) Valid check C) Field check D) Sequence check
A
Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group? a. Validity check. b. Limit check. c. Check digit. d. Echo check.
A
Which of the following is considered an application input control? a. Edit check. b. Run control total. c. Exception report. d. Reporting distribution log.
A
Which of the following is not a COSO ERM framework objective? a. risk assessment b. compliance c. reporting d. operations e. strategic
A
Which of the following items is one of the eight components of COSO's enterprise risk management framework? A. Monitoring. B. Operations. C. Compliance. D. Reporting.
A
According to COSO, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values? A. Information and communication B. Risk assessment. C. Control activities. D. Internal environment.
D
Control risk should be assessed in terms of a. Types of potential fraud. b. Specific controls. c. Control environment factors. d. Financial statement assertions
D
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been: a. Monitored. b. Tested. c. Authorized. d. Implemented.
D
Proper segregation of duties calls for separation of the following functions: a. Custody, execution, and reporting. b. Authorization, payment, and recording. c. Authorization, execution, and payment. d. Authorization, recording, and custody.
D
Which is not an example of a batch total? a. record count b. financial total c. hash total d. exception total
D
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? a. Ensure proper authorization of transactions. b. Adequately safeguard assets. c. Segregation of duties. d. Independently verify the transactions.
D
Which of the following is not a component of COSO ERM? A) Event identification B) External environment C) Internal control evaluation D) B and C
D Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring are the eight components of the COSO ERM framework.
Under COSO ERM framework, which of the following objectives involves parties external to the organization? A) Strategic objectives B) Compliance objectives C) Operation objectives D) Reporting objectives
D The ERM framework takes a risk-based, rather than a control-based, approach to achieving the firm's objectives in four categories: strategic, operations, reporting and compliance. The reporting objective covers the reliability of both internal and external reporting, so it is the one that involves parties external to the organization.
Example of IT general controls:
IT control environment
... provides the details for IT service management; it was released by the UK Office of Government Commerce (OGC) and is the most widely accepted model for IT service management
ITIL
COBIT
a comprehensive framework for IT governance and management
COSO ERM
a framework expands from internal control to risk management that can be applied to all firms
ITIL
a framework focusing on IT infrastructure and IT service management
ISO 27000 series
a framework for information security management
COSO
a general internal control framework that can be applied to all firms
enterprise risk management (ERM) 201
a process, affected by the entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives
Sarbanes Oxley Act of 2002 (SOX) 196
a response to business scandals such as Enron, WorldCom, and Tyco International, requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting
Information Technology Infrastructure Library (ITIL) 199
a set of concepts and practices for IT service management
IT application controls 206
activities specific to a subsystem's or an application's input, processing and output
main purpose of ISO 27000 series
address information security issues
when entering a sales transaction, use an input control to ensure the customer account number is entered accurately
application control
IT application controls
are activities specific to a subsystem's or an application's input, processing, and output.
validity checks
compares data entering the system with existing data in a reference file to ensure only valid data are entered
COSO
composed of several organizations (AAA, AICPA, FEI, IIA, and IMA); studies the causal factors that lead to fraudulent financial reporting and develops recommendations for public companies, independent auditors, the SEC and other regulators, and educational institutions to improve the quality of financial reporting through internal controls and corporate governance
Three of the seven key criteria of business requirements for information in COBIT are about security, and people often call them the CIA criteria:
confidentiality integrity availability
general controls 198
pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, and documenting changes to programs
concurrent update control
prevents two or more users from updating the same record simultaneously (otherwise the second write silently overwrites the first, a "lost update")
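The lost-update problem and one common concurrent update control, a version stamp checked at write time (optimistic locking), as an added example that is not from the textbook or these cards. The record store, its API and the account balances are constructed for illustration; a real system would hold the version in the database row and do the compare-and-write in one statement.

```python
"""Concurrent update control: lost update vs. version-stamped writes.
Added example; the store classes and balances below are made up."""
import threading


class LostUpdateStore:
    """No concurrency control: whoever writes last wins."""

    def __init__(self, balance: int) -> None:
        self.balance = balance

    def read(self) -> int:
        return self.balance

    def write(self, new_balance: int) -> None:
        self.balance = new_balance


class VersionedStore:
    """Each record carries a version number. A write must present the version
    it read; if the record changed in between, the write is refused and the
    caller must re-read and retry (optimistic locking)."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.version = 0
        self._lock = threading.Lock()  # makes the compare-and-write atomic

    def read(self) -> tuple[int, int]:
        with self._lock:
            return self.balance, self.version

    def write(self, new_balance: int, expected_version: int) -> bool:
        with self._lock:
            if expected_version != self.version:
                return False  # stale read: someone else updated the record
            self.balance = new_balance
            self.version += 1
            return True


def lost_update_scenario() -> int:
    """Two clerks post payments against the same customer with no control."""
    store = LostUpdateStore(1000)
    seen_by_a = store.read()          # clerk A reads 1000
    seen_by_b = store.read()          # clerk B reads 1000 at the same time
    store.write(seen_by_a - 300)      # A posts a 300 payment -> 700
    store.write(seen_by_b - 200)      # B posts a 200 payment -> 800, A's is lost
    return store.balance              # 800 instead of the correct 500


def controlled_scenario() -> tuple[int, bool, bool, bool]:
    """Same race with the version check; B's stale write is rejected, then retried."""
    store = VersionedStore(1000)
    bal_a, ver_a = store.read()
    bal_b, ver_b = store.read()
    ok_a = store.write(bal_a - 300, ver_a)   # True, version becomes 1
    ok_b = store.write(bal_b - 200, ver_b)   # False, B read version 0
    bal_b, ver_b = store.read()              # B re-reads (700, 1)
    ok_b_retry = store.write(bal_b - 200, ver_b)  # True -> 500
    return store.balance, ok_a, ok_b, ok_b_retry


def post_payment(store: VersionedStore, amount: int) -> None:
    """Read-modify-write loop that retries until the write is accepted."""
    while True:
        bal, ver = store.read()
        if store.write(bal - amount, ver):
            return


def threaded_scenario(n_clerks: int = 50) -> tuple[int, int]:
    """n clerks each post a payment of 1 concurrently; no update is lost."""
    store = VersionedStore(1000)
    threads = [threading.Thread(target=post_payment, args=(store, 1)) for _ in range(n_clerks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store.balance, store.version


if __name__ == "__main__":
    print("no control:", lost_update_scenario())
    print("version check:", controlled_scenario())
    print("50 concurrent clerks:", threaded_scenario())
```

The alternative control is pessimistic locking (lock the record before reading and release it after writing); it avoids retries but holds locks across user think time, which is why many transaction systems prefer the version-stamp approach shown here.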
output controls 207
provide output to authorized people and ensure the output is used properly
main purpose of COBIT
provides the best IT security and control practices for IT management
main purpose of ITIL
provides the concepts and practices for IT service management
IT application control (output controls)
providing output to authorized people and ensuring the output is used properly
closed-loop verifications
retrieves and displays related information (for example, the customer name for an entered customer number) so the operator can confirm that the data were entered accurately
the process, ..., identifies and analyzes risks systematically to determine the firm's risk response and control activities. It allows a firm to understand the extent to which potential events might affect corporate objectives
risk assessment
avoiding, accepting, reducing and sharing are components of ... in ERM. 1. risk response 2. risk assessment 3. control activities 4. communication and monitoring
risk response
information technology controls involve assurance for information and help to mitigate ... associated with the use of ... . Firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects
risks; technology
range checks
test a numerical amount to ensure that it is within a predetermined range
processing controls 207
ensure that data and transactions are processed accurately
input controls 206
ensure the authorization, entry, and verification of data entering the system
reasonableness checks
ensure the logical relationship between two data values is correct
IT application control (processing controls)
ensuring that data and transactions are processed accurately
IT application control (input controls)
ensuring the authorization, entry, and verification of data entering the system
IT general controls (ITGC) (206)
enterprise level controls over IT
Public Company Accounting Oversight Board (PCAOB) (196)
established by SOX to provide independent oversight of public accounting firms
corrective controls 198
fix problems that have been identified such as using backup files to recover corrupted data
require a policy on developing and maintaining applications
general control
require using user names and passwords to access the company's network
general control
segregation of duties (COSO)
to prevent fraud and mistakes
correct statements regarding information technology governance and corporate governance:
1. information technology governance is the responsibility of management 2. information technology governance is a subset of corporate governance
COSO ERM framework indicates that :
1. ERM provides reasonable assurance regarding the achievement of the firm's objectives 2. ERM manages risk to be within the firm's risk appetite
Four categories of COSO's ERM framework
1. strategic - high-level goals, aligned with and supporting the firm's mission and vision 2. operations - effectiveness and efficiency of operations 3. reporting - reliability of internal and external reporting 4. compliance - compliance with applicable laws and regulations
corporate governance 197
a set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders
control risk 203
the threat that errors and irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system
A field check is: a. preventive control b. detective control c. corrective control d. general control e. output control
A
The framework that could be used by management in its internal control assessment under the requirements of SOX is the: -COSO internal control framework. -COSO enterprise risk management framework. -COBIT framework. -All of the above are correct.
All of the above are correct.
Controls that are designed to prevent, detect or correct errors in transactions as they are processed through a specific subsystem are referred to as: a. general controls b. application controls c. physical controls d. two of the above are correct
B
Which of the following is considered a control environment factor by the COSO definition of internal control? A) Control objectives B) Integrity and ethical values C) Reasonable assurance D) Risk assessment
B
Which of the following statements is correct? a. SOX requires all public companies to use the COSO ERM framework to meet the requirements of Section 404. b. regarding IT control and governance, the COBIT framework is most commonly adopted by companies in the US. c. ITIL is the best internal control framework for the high tech industry d. ISO 27000 series are best practices for IT service management
B
prenumbering of source documents helps to verify that a. multiple types of source documents have a unique identifier b. all transactions have been recorded because the numerical sequence serves as a control c. no inventory has been misplaced d. documents have been used in order
B
Which duties should be completed by different people to achieve strong separation of duties? A) Journalizing and posting B) Receivables and payables C) Authorization, custody and recordkeeping D) Document numbering and document completion
B Separation of duties requires segregation of authorization, custody and recordkeeping.
Based on SOX, which of the following sections is about internal controls? a. 302 b.401 c.404 d. 906
C
Bill is responsible for custody of the finished goods in the warehouse. If his company wishes to maintain strong internal control, which of the following responsibilities is incompatible with his primary job? A) He is responsible for the company's fixed asset control ledger. B) He is responsible for receiving goods into the warehouse. C) He is responsible for the accounting records for all receipts and shipments of goods from the warehouse. D) He is responsible for issuing goods for shipment.
C
When considering internal control, an auditor should be aware of reasonable assurance, which recognizes that a.Establishing and maintaining internal control is an important responsibility of management. b. Internal control may be ineffective due to mistakes in judgment and personal carelessness. c. The cost of an entity's internal control should not exceed the benefits expected to be derived. d. Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.
C
Which is least likely to be provided by an application control? A) Accuracy B) Completeness C) Reliability D) Authorization
C
the computer sums the first four digits of a customer number to calculate the value of the fifth digit and then compares that calculation to the number typed during data entry. This is an example of a a. field check b. parity check c. check digit verification d. batch total
C
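The edit checks on these cards (field, range, validity, reasonableness, check-digit verification, closed-loop verification, sequence checking of prenumbered documents, and batch totals) run over a small batch of sales transactions, as an added example that is not from the textbook or the flashcards. The customer master file, the batch records and the check-digit rule (fifth digit = sum of the first four digits mod 10, chosen to match the question above) are all constructed assumptions; real systems use schemes such as Luhn or mod-11.

```python
"""Application input controls (edit checks) over a constructed sales batch.
Added example; master file, batch and check-digit rule are made up."""
from decimal import Decimal
from typing import Optional

# Constructed reference file: valid customer numbers and their names.
# Every number satisfies the assumed rule: digit5 == sum(digits 1-4) % 10.
CUSTOMER_MASTER = {"12340": "Acme Ltd", "10012": "Beta Co", "20024": "Gamma Inc"}

# Constructed batch as keyed by the clerk. Invoices are prenumbered source
# documents (1003 was never keyed); the last two records carry keying errors.
BATCH = [
    {"invoice": "1001", "customer": "12340", "qty": "5", "unit_price": "20.00", "amount": "100.00"},
    {"invoice": "1002", "customer": "10012", "qty": "12", "unit_price": "3.50", "amount": "42.00"},
    {"invoice": "1004", "customer": "20024", "qty": "2", "unit_price": "99.99", "amount": "199.98"},
    {"invoice": "1005", "customer": "12344", "qty": "-1", "unit_price": "20.00", "amount": "-20.00"},
    {"invoice": "1006", "customer": "1A012", "qty": "5000", "unit_price": "1.00", "amount": "500.00"},
]


def field_check(customer: str) -> bool:
    """Field check: the customer number field must contain only digits."""
    return customer.isdigit()


def check_digit_ok(customer: str) -> bool:
    """Check-digit verification: recompute digit 5 from digits 1-4 (assumed rule)."""
    if len(customer) != 5 or not customer.isdigit():
        return False
    return int(customer[4]) == sum(int(d) for d in customer[:4]) % 10


def validity_check(customer: str) -> bool:
    """Validity check: the value must exist in the reference (master) file."""
    return customer in CUSTOMER_MASTER


def closed_loop(customer: str) -> Optional[str]:
    """Closed-loop verification: echo back related data for the operator to confirm."""
    return CUSTOMER_MASTER.get(customer)


def range_check(qty: int, low: int = 1, high: int = 1000) -> bool:
    """Range check: quantity must fall within predetermined limits."""
    return low <= qty <= high


def reasonableness_check(qty: int, unit_price: Decimal, amount: Decimal) -> bool:
    """Reasonableness check: the logical relationship qty * price == amount must hold."""
    return qty * unit_price == amount


def sequence_check(invoices: list[str]) -> list[str]:
    """Sequence check on prenumbered documents: report gaps in the numbering."""
    present = {int(i) for i in invoices}
    return [str(n) for n in range(min(present), max(present) + 1) if n not in present]


def batch_totals(records: list[dict]) -> dict:
    """Batch totals: record count, financial total and hash total (sum of customer
    numbers, meaningless by itself but it detects dropped or altered records)."""
    return {
        "record_count": len(records),
        "financial_total": sum(Decimal(r["amount"]) for r in records),
        "hash_total": sum(int(r["customer"]) for r in records if r["customer"].isdigit()),
    }


def edit_record(r: dict) -> list[str]:
    """Apply the edit checks to one record; return the names of the checks it failed."""
    failed = []
    if not field_check(r["customer"]):
        failed.append("field")
    else:
        if not check_digit_ok(r["customer"]):
            failed.append("check_digit")
        if not validity_check(r["customer"]):
            failed.append("validity")
    if not r["qty"].lstrip("-").isdigit():
        return failed + ["field"]
    qty = int(r["qty"])
    if not range_check(qty):
        failed.append("range")
    if not reasonableness_check(qty, Decimal(r["unit_price"]), Decimal(r["amount"])):
        failed.append("reasonableness")
    return failed


def edit_batch(records: list[dict]) -> tuple[list[dict], dict]:
    """Split a batch into accepted records and {invoice: [failed checks]}."""
    accepted, rejected = [], {}
    for r in records:
        failed = edit_record(r)
        if failed:
            rejected[r["invoice"]] = failed
        else:
            accepted.append(r)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = edit_batch(BATCH)
    print("accepted:", [r["invoice"] for r in ok])
    print("rejected:", bad)
    print("missing invoices:", sequence_check([r["invoice"] for r in BATCH]))
    print("batch totals:", batch_totals(BATCH))
```

The rejected records go on an exception report rather than being silently dropped; the batch totals computed here are compared with the totals the clerk prepared from the source documents before keying, so a record that was skipped or mis-keyed shows up as a difference in the count, the financial total or the hash total.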
... defines the overall IT control framework
COBIT
physical controls 207
mainly manual but could involve the physical use of computing technology
Backup is a preventive control. T/F
F
SOX requires companies to use COSO or COSO ERM as the framework in evaluating internal controls T/F
F
A major reason internal controls are implemented for an information system is to provide perfect assurance that the goals of each business process are achieved. T/F
FALSE
T/F Each company should use only one of the control/governance frameworks in corporate and IT governance
FALSE
the control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security control practices and is required by PCAOB to be used for SOX section 404 audit
FALSE
The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors to assess and report on the design and effectiveness of internal control over financial reporting annually. True False
False
Batch Processing is the aggregation of several business events over a set period of time with eventual processing of the related data (periodic processing). T/F
TRUE
Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. True False
True
Processing controls are IT general controls. True False
False Processing controls are IT application controls (together with input and output controls), not IT general controls, which are enterprise-level controls over IT.
Segregation of duties reduces the risk of errors and irregularities in accounting records. True False
True
... controls find problems when they arise
detective
preventive controls 198
deter problems before they arise
Four of the seven key criteria of business requirements for information in COBIT are similar to COSO control objectives:
effectiveness efficiency compliance reliability
cost/benefit analysis 205
important in determining whether to implement an internal control
International Organization for Standardization (ISO) 27000 series is designed to address ... ... issues
information security
IT controls 205
involve processes that provide assurance for information and help to mitigate risk associated with the use of technology
residual risk 203
the product of inherent risk and control risk ( residual risk = inherent risk x control risk )
inherent risk 203
the risk related to the nature of the business activity itself
International Organization for Standardization (ISO) 27000 series (199)
this series contains a range of individual standards and documents specifically reserved by ISO for information security management
supervision (COSO)
to compensate for imperfect segregation of duties
independent verification (COSO)
to double check for errors and misrepresentations
authorization ( COSO)
to ensure transactions are valid
access control (COSO)
to ensure only authorized personnel have access to physical assets and information
accounting document and records (COSO)
to maintain audit trails and accuracy of the financial data