BEC: Corporate Governance MCQs
In a large public corporation, evaluating internal control procedures should be the responsibility of A Accounting management staff who report to the CFO B Internal audit staff who report to the board of directors C Operations management staff who report to the chief operations officer D Security management staff who report to the chief facilities officer
B
Which of the following activities is least relevant to internal control over financial reporting? A Information processing B Employee development C Physical controls D Segregation of duties
B
Which of the following is a violation of segregation of duties in internal control? A. An employee adds vendors and makes changes to a vendor master file. B An employee enters and approves purchase orders. C An employee matches invoices to purchase orders and receiving reports and applies coding of account distributions. D An employee receives goods from vendors and signs off on the deliveries.
B
According to COSO, an executive's deliberate misrepresentation to a banker who is considering whether to make a loan to an enterprise is an example of which of the following internal control limitations? A Costs versus benefits B Management override C Breakdown D Collusion
B (breakdown reflects on the competence of individuals who are prone to human failures such as a simple error or mistake)
A manufacturer actively monitors a foreign country's political events whenever a supply chain disruption occurs within the country that exceeds 90 days. According to the COSO Enterprise Risk Management principles, the manufacturer is following which of the following risk-response strategies? A Share. B Avoid. C Accept. D Reduce.
C
Risk responses often dictate how aggressive an organization will be in its strategic business objectives. All of the follow about risk responses are true, except: A Risks are prioritized by severity in the context of risk appetite. B The organization selects risk responses and manages risk within a portfolio of projects/programs. C Risk transfer will always ensure that the organization is not vulnerable to outside forces. D Key stakeholders, including the BOD and senior management, are almost always involved in the risk selection process.
C
To determine the effectiveness of identification and communication of important information relative to financial disclosures, the chief executive officer and the chief financial officer typically meet with Key people in each business unit The audit committee A I only B II only C Both I and II D Neither I nor II
C
Which of the following is necessary to be an audit committee financial expert criteria specified in the Sarbanes- Oxley Act of 2002? A A limited understanding of generally accepted auditing standards B Education and experience as a certified financial planner C Experience with internal accounting controls D Experience in the preparation of tax return
C
Which of the following is the least important factor in determining the size of a sample for testing internal control over financial reporting? A The nature of the control B The frequency of the control C The physical location where the control is tested D The prior experience with the control
C
Each of the following is a limitation of enterprise risk management (ERM), except A ERM deals with risk, which relates to the future and is inherently uncertain. B ERM operates at different levels with respect to different objectives. C ERM can provide absolute assurance with respect to objective categories. D ERM is as effective as the people responsible for its functioning.
C Enterprise risk management (ERM) is how a company deals with risk, which relates to the future and is inherently uncertain. ERM operates at different levels with respect to different objectives, and is only as effective as the people responsible for its functioning. Given these limitations, ERM cannot provide absolute assurance with respect to objective categories.
Controls that generally prevent errors and misstatements from entering into the computer system are known as A. Processing controls B Output controls C Preventive controls D Detective controls
C Preventive controls prevent errors and misstatements from entering into the computer system. Processing controls and output controls ensure that the system processes transactions and produces output as designed, but are not involved in preventing or detecting errors and misstatements. Detective controls occur after a transaction is recorded in the system.
The process of managing risk across an entity is known as A Risk strategy B Risk avoidance C Enterprise risk management D Risk appetite
C The process of managing risk across an entity is known as enterprise risk management. Risk strategy is how an entity aligns its risk with its risk appetite. Risk avoidance is one risk strategy; it involves choosing not to engage in an activity. An entity's risk appetite is the degree of risk or uncertainty it is willing to accept.
An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made is referred to as: A. Independence B. Objectivity C. Proficiency D. Due Professional Care
B
According to COSO, establishing, maintaining, and monitoring an effective internal control system can do each of the following, except A Ensure an entity's financial survival. B Promote an entity's compliance with laws and regulations. C Help an entity achieve performance targets. D Provide protection for an entity's resources
A
Validating company-level controls generally includes the following steps except A Testing application controls B Periodic discussions with key management, corroborated with inspection of documents C Reviewing codes of conduct, human resources policies, conflict of interest policies, including monitoring and handling of exceptions D Reviewing company planning and budgeting report
A
Which of the following is least likely a factor in determining the size of a sample designed to test internal controls over financial reporting? A Geographical location where the control is tested B Positive self-assessments received from process owners C Quality of control environment and company-level monitoring D Extent of recent change
A
According to COSO, the difference between inherent risk and residual risk arises because of management's A Actions to reduce the inherent risk B Actions to reduce the residual risk C Inability to reduce the inherent risk D Inability to share the residual risk
A Inherent risk exists in every organization. Inherent risk is the risk that remains if management does nothing to mitigate the likelihood or impact of a negative event. Subsequently, residual risk is the risk to an organization once management takes action to reduce the likelihood or impact of a negative event. Therefore, residual risk is a leftover risk after management decides to take action to reduce inherent risk.
What is the most accurate description of the overall difference between the 2004 ERM-Integrated Framework and the 2017 ERM-Integrating with Strategy & Performance? A. The need for better alignment with the Internal Control-Integrated Framework, as the 2004 publication did not address integration B. The 2017 publication sets out core definition and principles for senior levels of management involved in designing and implementing enterprise risk management practices. C. The 2017 publication supersedes both Internal Control-Integrated Framework and ERM-Integrated Framework. D. The 2017 publication addresses the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment
D
Under Section 302 of the Sarbanes-Oxley Act, the chief executive officer and chief financial officer are responsible for all of the following requirements except A Implement and maintain internal controls B Evaluate and present conclusions on the effectiveness of internal controls C Disclose all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting that are likely to adversely affect the company's ability to record, process, summarize, and report financial information. D Appointment, compensation, and oversight of the external auditors.
D (this is done by the audit committee) The chief executive officer and chief financial officer are responsible for internal controls, the evaluation of internal controls, and the disclosure of significant deficiencies and material weaknesses in internal controls.
A company's officer who is not a director is authorized to perform which of the following duties? A Terminate the company's external audit firm B Remove a director for failure to exercise reasonable supervision C Declare dividends to shareholders D Enter into a contract with a vendor of computers for the company
D A = performed by the audit committee B = an officer cannot remove a director C = performed by board of directors
According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except: A Follow-up of customer and vendor complaints regarding amounts due and owed B Periodic analysis of variances between expectations and actual results C Comparisons of information from various sources within the company D Approval of high-dollar transactions by supervisors
D A, B, C are normal monitoring activities that the company should perform on a regular basis Monitoring is an on-going framework and includes the following: On-going Monitoring; Separate Evaluations; Reporting Deficiencies. The purpose of the monitoring component of the COSO Framework is to ensure that internal controls are operating effectively.
A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk? A Risk reduction B Prospect theory C Risk sharing D Risk acceptance
A There are four ways an entity can deal with risk: 1) risk sharing, such as through joint ventures. 2) risk acceptance, which is accepting the project or activity as is, with the belief that current levels of risk are manageable and acceptable. 3) Risk avoidance, where an entity declines to proceed with the project. 4) risk reduction, where an entity takes certain actions in order to reduce the level of risk
What is one misconception about enterprise risk management as it pertains to an organization? A. Enterprise risk management is a specific function or a department within an organization, usually with its own leadership team that communicates effectively with all other practice areas. B Enterprise risk management is embedded in the culture of an organization, and enhances its capabilities and practices by integrating with strategy-setting. C In order to manage risk properly and create real value in an organization, enterprise risk management must be a top initiative for any organization looking to gain competitive advantage. D Principles applied through effective enterprise risk management is visible at all levels of the organization and across all functions.
A. ERM is not a specific department or function. Rather, it is an actionable framework embedded in all practice areas, with the BOD and management setting the tone and is integrating with strategy-setting. ERM is used to manage risk properly and create real value in an organization and its principles applied through effective enterprise risk management is visible at all levels of the organization and across all functions.
An issuer's board of directors would ordinarily participate in each of the following activities, except A Establishing long-term strategy and objectives to which their information technology system should be aligned. B Supervising and monitoring the quality control testing upon the installation of a new information technology system. C Ensuring that suitable information technology resources and skills are available to meet the company's strategic objectives. D Maintaining awareness of current technology used by the organization to assure its efficiency and effectiveness for financial reporting.
B An issuer's board of directors is entrusted with the responsibility of creating a conducive environment in the organization to support the adoption of technology. As such, it is expected to create and enforce strategies to align the organizational goals with IT goals. Resources are to be made available while also making the stakeholders, both internal and external, aware of current technology. However, supervising and monitoring the quality control testing upon installation does not fall under the purview of the board. Such an activity rests with the steering committee appointed by such board. The said committee is responsible to undertake this activity along with the designated Information Technology personnel of the organization.
The components of risk management include all of the following except A Setting a foundational basis for how risk is viewed and addressed throughout the entity B Focusing solely on internal events, over which the entity has control, that may affect the achievement of an entity's objectives C Establishing a process to support and align objectives with the entity's mission D Considering the likelihood and magnitude of the impact of risks
B Risk management needs to focus not only on internal events but also on external events which may affect the achievement of an entity's objective
Which of the following is not an element of enterprise risk management? A. Rigorously identifying and selecting among alternative risk responses, including risk avoidance, risk reduction, risk sharing, and risk acceptance B Identifying and managing cross-enterprise risks C Identifying potential events and established responses to reduce operational surprises and losses D Ignoring overall capital needs and capital allocation
D. (you dont ignore this)