ch.7
According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is
A manager within the department.
An entity has many employees who access a database with numerous access points. The database contains sensitive information about the customers of the entity. Access controls prevent employees from entry to those areas of the database for which they have no authorization. All salespersons have certain access permission to customer information. Which of the following is a true statement about the nature of the controls and risks?
A salesperson's access to customer information should extend only to what is necessary to perform his or her duties.
According to COSO, the difference between inherent risk and actual residual risk results because of management's
Actions to alter the severity of inherent risk.
Company management completes event identification and assesses the severity of risk. Management then acts to alter the severity of risk. According to COSO, which of the following types of risk does this situation represent?
Actual residual risk.
According to COSO, the proper tone at the top helps a company to do each of the following, except
Adhere to fiscal budgets and goals as outlined by the internal audit committee and board of directors.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
Allowing for greater management oversight of incompatible activities.
A company headquartered in the United States has operations in 27 countries. The company purchased a subsidiary to expand operations into another country last year. According to COSO, which of the following provides the strongest mechanism for monitoring control in this new foreign venture?
An internal audit is being performed.
Control activities constitute one of the five components of internal control described in the COSO model. Control activities do not encompass
An internal auditing function.
Transaction authorization within an organization may be either specific or general. An example of specific transaction authorization is the
Approval of a detailed construction budget for a warehouse.
According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except
Approval of high-dollar transactions by supervisors.
During its most recent risk assessment, Capital Investment Group discovered that the spreadsheets it uses to support certain amounts on its financial statements were highly susceptible to error. Which of the following would contribute in mitigating this risk? Input data is reconciled to source documentation The potential for fraud is considered Changes to formulas are tested against a manual calculation
Both I and III.
According to the COSO ERM framework, which of following best describes the difference between strategy and business objectives?
Business objectives are the steps to achieve strategy.
A company implements an enterprise resource planning application to help improve its financial and operational reporting while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of
Change management.
Which of the following is an inherent limitation of internal control?
Collusion.
The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives are best described as
Control activities.
Which of the following components of internal control includes development and use of training policies that communicate prospective roles and responsibilities to employees?
Control environment.
Which of the following components of internal control would be considered the foundation for the other components?
Control environment.
Which of the following is the control component that reflects the attitude and actions of the board and management regarding the significance of control within the organization?
Control environment.
Which of the following best describe the interrelated components of internal control?
Control environment; risk assessment process; control activities; the information system, including related business processes; and monitoring of controls.
Which of the following is not a component of internal control?
Control risk.
Which of the following best describes an inherent limitation that should be recognized by an auditor when considering the potential effectiveness of internal control?
Controls, whether manual or automated, whose effectiveness depends on segregation of duties can be circumvented by collusion.
An internal audit manager requested information detailing the amount and type of training that the IT department's staff received during the last year. According to COSO, the training records would provide documentation for which of the following principles?
Demonstrating a commitment to retain competent individuals in alignment with objectives.
According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization?
Demonstrating appropriate behavior by example.
Effective internal control in a small company that has an insufficient number of employees to permit proper division of responsibilities can best be enhanced by
Direct participation by the owner of the business in the recordkeeping activities of the business.
Each of the following is a method to evaluate internal controls based on the framework set by the Committee of Sponsoring Organizations (COSO), except
Distinguishing economy risk from industry risk and enterprise risk.
Each of the following is a limitation of enterprise risk management (ERM), except
ERM can provide absolute assurance with respect to objective categories.
According to COSO, the benefits of enterprise risk management (ERM) include all of the following except
Elimination of all risks.
Which of the following activities by small business clients best demonstrates management integrity in the absence of a written code of conduct?
Emphasizing ethical behavior through oral communication and management example.
A client who recently installed a new accounts payable system assigned employees a user identification code (UIC) and a separate password. Each UIC is a person's name, and the individual's password is the same as the UIC. Users are not required to change their passwords at initial log-in nor do passwords ever expire. Which of the following statements does not reflect a limitation of the client's computer-access control?
Employees are not required to take regular vacations.
According to COSO, the presence of a written code of conduct provides for a control environment that can
Encourage teamwork in the pursuit of an entity's objectives.
An auditor would most likely be concerned with controls that provide reasonable assurance about the
Entity's ability to initiate, authorize, record, process, and report financial data.
A company's new time clock process requires hourly employees to select an identification number and then choose the clock-in or clock-out button. A video camera captures an image of the employee using the system. Which of the following exposures can the new system be expected to change the least?
Errors in employees' overtime computation.
An organization's directors, management, and internal auditors all have important roles in creating a proper control environment. Senior management is primarily responsible for
Establishing a proper ethical culture.
Limitations of ERM may arise from all of the following except:
Failure to achieve objectives.
Which of the following is an inherent limitation in internal control?
Faulty human judgment.
According to COSO, which component of enterprise risk management (ERM) addresses an entity's operating structures and core values?
Governance and culture.
Which of the following components are supporting aspects of the COSO ERM framework?
Governance and culture; information, communication, and reporting.
In a small public company that has few levels of management with wide spans of control, each of the following mitigates management override of controls, except
Having two officers who significantly influence management and operations.
According to COSO's ERM framework, which of the following is an essential element of the governance and culture component?
Human capital.
Which of the following most likely would not be considered an inherent limitation of the potential effectiveness of an entity's internal control?
Incompatible duties.
According to COSO, an effective approach to monitoring internal control involves each of the following steps, except
Increasing the reliability of financial reporting and compliance with applicable laws and regulations.
Which of the following factors are included in an entity's control environment?
Integrity and ethical values, assignment of authority, and human resource practices.
Enterprise risk management
Involves the identification of events with negative impacts on organizational objectives.
An auditor is concerned with controls designed to safeguard assets that are relevant to the reliability of financial reporting. Adequate safeguards over access to and use of assets means protection from
Losses arising from access by unauthorized persons.
The control environment may decrease the effectiveness of control activities when
Management has substantial incentives for meeting earnings projections
A small private entity may use less formal means to ensure that internal control objectives are achieved. For example, extensive accounting procedures, sophisticated accounting records, or formal controls are least likely to be needed if
Management is closely involved in operations.
Management's aggressive attitude toward financial reporting and its emphasis on meeting projected profit goals most likely would significantly influence an entity's control environment when
Management is dominated by one individual who is also a shareholder.
According to COSO, an executive's deliberate misrepresentation to a banker who is considering whether to make a loan to an enterprise is an example of which of the following internal control limitations?
Management override.
Which risk response reflects a change from acceptance to sharing?
Management purchased insurance on previously uninsured property.
Which of the following would an auditor most likely consider in evaluating the control environment of an audit client?
Management's operating style.
Which of the following is a factor in the control environment?
Management's philosophy and operating style.
According to COSO, which of the following has day-to-day responsibility for enterprise risk management?
Management.
Within the COSO Internal Control - Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?
Monitoring.
Which of the following passwords would be most difficult to crack
O?Ca!FlSi
Matthews Corp. has changed from a system of recording time worked on clock cards to a computerized payroll system in which employees record time in and out with magnetic cards. The computer system automatically updates all payroll records. Because of this change,
Part of the audit trail is altered.
A client installed sophisticated controls using the biometric attributes of employees to authenticate user access to the computer system. This technology most likely replaced which of the following controls?
Passwords.
Which of the following control policies or procedures would be the least effective in mitigating the risk of inventory misappropriation?
Periodic physical counts of inventory will be performed by the payroll clerk.
Proper segregation of duties reduces the opportunities to allow persons to be in positions both to
Perpetrate and conceal fraud and error.
Of the following reasons to establish internal control, which is the most comprehensive?
Provide reasonable assurance that the objectives of the organization are achieved.
The underlying premise of the COSO ERM framework is that every organization exists to
Provide value for its stakeholders.
Proper segregation of duties reduces the opportunities to allow any employee to be in a position to both
Record and conceal fraudulent transactions in the normal course of assigned tasks.
A proper segregation of duties requires that an individual
Recording a transaction not compare the accounting record of the asset with the asset itself.
Each of the following types of controls is considered to be an entity-level control, except those
Regarding the company's annual stockholder meeting.
Piper Corp. reviewed the mix of preventive and detective control activities over its cash disbursements process and discovered a high proportion of preventive control activities. If Piper desires to establish additional detective control activities, which of the following control activities should it consider?
Regularly comparing reported results to budgets and other benchmarks.
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to
Reporting. Compliance Operations. All of the answers are correct.
Internal control is a function of management, and effective control is based upon the concept of charge and discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control?
Responsibility for the performance of each duty must be fixed.
Internal control has five components: the control environment, risk assessment, information and communication, monitoring, and control activities. Control activities relevant to an audit may be categorized as policies and procedures that pertain to
Reviewing actual performance.
According to COSO, which of the following components addresses the need to respond in an organized manner to significant changes resulting from international exposure, acquisitions, or executive transitions?
Risk assessment.
Which of the following is a component of internal control?
Risk assessment.
The performance component of the COSO ERM framework addresses an entity's
Risk identification, assessment, and prioritization methods.
There are two staff members in the purchasing department of Mayflower Manufacturing Co., each of whom is authorized to prepare, authorize, and issue inventory purchase orders up to $3,000. However, no one is assigned to review purchase orders before they are sent to vendors. Which of the following best matches a resulting risk to a control activity designed to mitigate that risk?
Risk of inventory shortages - a payables clerk matches invoices to purchase orders and receiving reports before amounts are paid.
A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?
Risk reduction.
According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in
Risks.
Basic to a proper control environment are the quality and integrity of personnel who must perform the prescribed procedures. Which is not a factor in providing for competent personnel?
Segregation of duties.
Which of the following controls most likely could prevent computer personnel from modifying programs to bypass programmed controls?
Separation of duties for computer programming and computer operations.
Management considers risk appetite for all of the following reasons except
Setting risk capacity.
The internal auditor who works in enterprise risk management (ERM) may perform each of the following activities except
Setting the risk appetite of the organization.
An entity determined that its variable interest rate on borrowing will increase significantly in the near future. Consequently, the entity hedged its variable rate by locking in a fixed rate for the relevant period. According to COSO, this decision is which type of response to risk?
Sharing.
An adequate system of internal controls is most likely to detect a fraud perpetrated by a
Single employee.
An entity defines its risk appetite in which component of the COSO ERM framework?
Strategy and objective-setting.
For control purposes, which of the following should be organizationally separated from the computer operations function?
Systems development.
Which of the following represents an example of an inherent limitation of internal controls?
The CEO can override a control and request a check with no purchase order.
According to COSO, which of the following differences relevant to the risk-assessment process is most likely to exist between a large entity and a small entity?
The CEO of a small entity is more likely than the CEO of a large entity to be attuned to risks arising from internal factors through hands-on involvement with all levels of personnel.
According to COSO, which of the following provides oversight of an entity's enterprise risk management (ERM)?
The board of directors.
An auditor is obtaining an understanding of a client's Internet controls. Which of the following is most likely the least effective control?
The client requires users to share potentially useful downloaded programs from public electronic sources with only authorized employees.
Each of the following statements is correct regarding the existence and implementation of codes of conduct except
The codes of conduct must be in writing and displayed in public areas, such as a break room.
Internal control can provide only reasonable assurance that the entity's objectives and goals will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives is that
The cost of internal control should not exceed its benefits.
Which of the following statements about internal control is correct?
The cost-benefit relationship is a primary criterion that should be considered in designing internal control.
According to COSO, ERM is best defined as
The culture, capabilities, and practices that organizations rely on to manage risk in creating, preserving, and realizing value.
Inherent risk is
The risk when management has not taken action to reduce the impact or likelihood of an adverse event.
Which of the following factors is most relevant when an auditor considers the client's organizational structure in the context of the risks of material misstatement?
The suitability of the client's lines of reporting.
Internal controls are likely to fail for any of the following reasons, except
They are designed and implemented properly, and their design changes as processes change.
According to COSO, which of the following is a compliance objective?
To maintain a safe level of carbon dioxide emissions during production.
Employees of an entity feel peer pressure to do the right thing; management appropriately deals with signs that problems exist and resolves the issues; and dealings with customers, suppliers, employees, and other parties are based on honesty and fairness. According to COSO, the above scenario is indicative of which of the following?
Tone at the top.
Which of the following is the most serious password security problem?
Users are assigned passwords when accounts are created, but they do not change them.
A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should
Visibly participate in a global information security campaign.
Which of the following factors are included in an entity's control environment?
Yes Yes Yes
Which of the following are considered control environment elements?
detection risk no commitment to competence yes
Which of the following are factors considered in the control environment?
integrity and ethical values. Organizational structure. Assignment of authority and responsibility. All of the answers are correct.