ais chapter 10


correct statements about COBIT

- COBIT 5 integrates other frameworks and standards such as ITIL and the ISO 27000 series
- COBIT 5 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders
- COBIT is a generally accepted framework for IT governance and management

monitoring component of the COSO ERM framework

- The ERM components and the internal control process should be monitored continuously and modified as necessary
- It is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model

what is the impact of Sarbanes Oxley Act 2002 (SOX) on the accounting profession?

- Under SOX, the PCAOB replaces the AICPA in issuing audit standards
- SOX established the PCAOB to regulate and audit public accounting firms

COBIT

(Control Objectives for Information and Related Technology) an internationally accepted set of best IT security and control practices for IT management, released by the IT Governance Institute (ITGI)

Sound internal control dictates that immediately upon receiving checks from customers by mail, a responsible employee should a. Prepare a summary listing of checks received. b. Add the checks to the daily cash summary. c. Record the checks in the cash receipts journal. d. Verify that each check is supported by a pre-numbered sales invoice.

A

Which edit check compares entered data to a predetermined acceptable upper and lower limit? A) Range check B) Valid check C) Field check D) Sequence check

A

Which of the following is a computer test made to ascertain whether a given characteristic belongs to the group? a. Validity check. b. Limit check. c. Check digit. d. Echo check.

A

Which of the following is considered an application input control? a. Edit check. b. Run control total. c. Exception report. d. Reporting distribution log.

A

Which of the following is not a COSO ERM framework objective? a. risk assessment b. compliance c. reporting d. operations e. strategic

A

Which of the following items is one of the eight components of COSO's enterprise risk management framework? A. Monitoring. B. Operations. C. Compliance. D. Reporting.

A

According to COSO, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values? A. Information and communication B. Risk assessment. C. Control activities. D. Internal environment.

D

Control risk should be assessed in terms of a. Types of potential fraud. b. Specific controls. c. Control environment factors. d. Financial statement assertions

D

Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been: a. Monitored. b. Tested. c. Authorized. d. Implemented.

D

Proper segregation of duties calls for separation of the following functions: a. Custody, execution, and reporting. b. Authorization, payment, and recording. c. Authorization, execution, and payment. d. Authorization, recording, and custody.

D

Which is not an example of a batch total? a. record count b. financial total c. hash total d. exception total

D

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? a. Ensure proper authorization of transactions. b. Adequately safeguard assets. c. Segregation of duties. d. Independently verify the transactions.

D

Which of the following is not a component of COSO ERM? A) Event identification B) External environment C) Internal control evaluation D) B and C

D Internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring are the eight components of the COSO ERM framework.

Under COSO ERM framework, which of the following objectives involves parties external to the organization? A) Strategic objectives B) Compliance objectives C) Operation objectives D) Reporting objectives

D The ERM framework takes a risk-based, rather than a control-based, approach to achieving the firm's objectives in four categories: strategic, compliance, operations and reporting. The reporting objective concerns the reliability of internal and external reporting; hence it may involve external parties.

Example of IT general controls:

IT control environment

... provides the details for IT service management, is released by the UK Office of Government Commerce (OGC), and is the most widely accepted model for IT service management

ITIL

COBIT

a comprehensive framework for IT governance and management

COSO ERM

a framework that expands from internal control to risk management and can be applied to all firms

ITIL

a framework focusing on IT infrastructure and IT service management

ISO 27000 series

a framework for information security management

COSO

a general internal control framework that can be applied to all firms

enterprise risk management (ERM)

a process, affected by the entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives

Sarbanes-Oxley Act of 2002 (SOX)

a response to business scandals such as Enron, WorldCom, and Tyco International; requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting

Information Technology Infrastructure Library (ITIL)

a set of concepts and practices for IT service management

IT application controls

activities specific to a subsystem's or an application's input, processing, and output

main purpose of ISO 27000 series

address information security issues

when entering a sales transaction, use an input control to ensure the customer account number is entered accurately

application control

IT application controls

are activities specific to a subsystem's or an application's input, processing, and output.

validity checks

compares data entering the system with existing data in a reference file to ensure only valid data are entered

COSO

composed of several organizations (AAA, AICPA, FEI, IIA, and IMA); studies the causal factors that lead to fraudulent financial reporting and develops recommendations for public companies, independent auditors, the SEC and other regulators, and educational institutions to improve the quality of financial reporting through internal controls and corporate governance

Three of the seven key criteria of business requirements for information in COBIT are about security, and people often call them CIA:

confidentiality, integrity, availability

general controls

pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, and documenting changes to programs

concurrent update control

prevents two or more users from updating the same record simultaneously

output controls

provide output to authorized people and ensure the output is used properly

main purpose of COBIT

provides the best IT security and control practices for IT management

main purpose of ITIL

provides the concepts and practices for IT service management

IT application control (output controls)

providing output to authorized people and ensuring the output is used properly

closed-loop verifications

retrieve and display related information to ensure accurate data entry

The process, ....., identifies and analyzes risks systematically to determine the firm's risk response and control activities. It allows a firm to understand the extent to which potential events might affect corporate objectives.

risk assessment

Avoiding, accepting, reducing and sharing are components of .... in ERM. 1. risk response 2. risk assessment 3. control activities 4. communication and monitoring

risk response

Information technology controls involve assurance for information and help to mitigate ... associated with the use of .... Firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects.

risks; technology

range checks

test a numerical amount to ensure that it is within a predetermined range

processing controls

ensure that data and transactions are processed accurately

input controls

ensure the authorization, entry, and verification of data entering the system

reasonableness checks

ensure that the logical relationship between two data values is correct

IT application control (processing controls)

ensuring that data and transactions are processed accurately

IT application control (input controls)

ensuring the authorization, entry, and verification of data entering the system

IT general controls (ITGC)

enterprise-level controls over IT

Public Company Accounting Oversight Board (PCAOB)

established by SOX to provide independent oversight of public accounting firms

corrective controls

fix problems that have been identified, such as using backup files to recover corrupted data

require a policy on developing and maintaining applications

general control

require using user names and passwords to access the company's network

general control

segregation of duties (COSO)

to prevent fraud and mistakes

correct statements regarding information technology governance and corporate governance:

1. Information technology governance is the responsibility of management
2. Information technology governance is a subset of corporate governance

The COSO ERM framework indicates that:

1. ERM provides reasonable assurance regarding the achievement of the firm's objectives
2. ERM manages risk to be within the firm's risk appetite

Four categories of COSO's ERM framework

1. Strategic: high-level goals, aligned with and supporting the firm's mission and vision
2. Operations: effectiveness and efficiency of operations
3. Reporting: reliability of internal and external reporting
4. Compliance: compliance with applicable laws and regulations

corporate governance

a set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders

control risk

the threat that errors and irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system

A field check is: a. preventive control b. detective control c. corrective control d. general control e. output control

A

The framework that could be used by management in its internal control assessment under the requirements of SOX is the: - COSO internal control framework - COSO enterprise risk management framework - COBIT framework - All of the above are correct.

All of the above are correct.

Controls that are designed to prevent, detect or correct errors in transactions as they are processed through a specific subsystem are referred to as: a. general controls b. application controls c. physical controls d. two of the above are correct

B

Which of the following is considered a control environment factor by the COSO definition of internal control? A) Control objectives B) Integrity and ethical values C) Reasonable assurance D) Risk assessment

B

Which of the following statements is correct? a. SOX requires all public companies to use the COSO ERM framework to meet the requirements of Section 404. b. regarding IT control and governance, the COBIT framework is most commonly adopted by companies in the US. c. ITIL is the best internal control framework for the high tech industry d. ISO 27000 series are best practices for IT service management

B

Prenumbering of source documents helps to verify that a. multiple types of source documents have a unique identifier b. all transactions have been recorded because the numerical sequence serves as a control c. no inventory has been misplaced d. documents have been used in order

B

Which duties should be completed by different people to achieve strong separation of duties? A) Journalizing and posting B) Receivables and payables C) Authorization, custody and recordkeeping D) Document numbering and document completion

B Separation of duties requires segregation of authorization, custody and recordkeeping.

Based on SOX, which of the following sections is about internal controls? a. 302 b.401 c.404 d. 906

C

Bill is responsible for custody of the finished goods in the warehouse. If his company wishes to maintain strong internal control, which of the following responsibilities is incompatible with his primary job? A) He is responsible for the company's fixed asset control ledger. B) He is responsible for receiving goods into the warehouse. C) He is responsible for the accounting records for all receipts and shipments of goods from the warehouse. D) He is responsible for issuing goods for shipment.

C

When considering internal control, an auditor should be aware of reasonable assurance, which recognizes that a. Establishing and maintaining internal control is an important responsibility of management. b. Internal control may be ineffective due to mistakes in judgment and personal carelessness. c. The cost of an entity's internal control should not exceed the benefits expected to be derived. d. Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.

C

Which is least likely to be provided by an application control? A) Accuracy B) Completeness C) Reliability D) Authorization

C

The computer sums the first four digits of a customer number to calculate the value of the fifth digit and then compares that calculation to the number typed during data entry. This is an example of a a. field check b. parity check c. check digit verification d. batch total

C

... defines the overall IT control framework

COBIT

physical controls

mainly manual but could involve the physical use of computing technology

Backup is a preventive control. T/F

F

SOX requires companies to use COSO or COSO ERM as the framework in evaluating internal controls T/F

F

A major reason internal controls are implemented for an information system is to provide perfect assurance that the goals of each business process are achieved. T/F

FALSE

T/F Each company should use only one of the control/governance frameworks in corporate and IT governance

FALSE

The Control Objectives for Information and Related Technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by the PCAOB to be used for SOX section 404 audits. T/F

FALSE

The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors to assess and report on the design and effectiveness of internal control over financial reporting annually. True False

False

Batch Processing is the aggregation of several business events over a set period of time with eventual processing of the related data (periodic processing). T/F

TRUE

Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. True False

True

Processing controls are IT general controls. True False

True

Segregation of duties reduces the risk of errors and irregularities in accounting records. True False

True

... controls find problems when they arise

detective

preventive controls

deter problems before they arise

Four of the seven key criteria of business requirements for information in COBIT are similar to COSO control objectives:

effectiveness, efficiency, compliance, reliability

cost/benefit analysis

important in determining whether to implement an internal control

The International Organization for Standardization (ISO) 27000 series is designed to address ... ... issues

information security

IT controls

involve processes that provide assurance for information and help to mitigate risk associated with the use of technology

residual risk

the product of inherent risk and control risk (residual risk = inherent risk x control risk)

inherent risk

the risk related to the nature of the business activity itself

International Organization for Standardization (ISO) 27000 series

this series contains a range of individual standards and documents specifically reserved by ISO for information technology

supervision (COSO)

to compensate for imperfect segregation of duties

independent verification (COSO)

to double check for errors and misrepresentations

authorization (COSO)

to ensure transactions are valid

access control (COSO)

to ensure only authorized personnel have access to physical assets and information

accounting documents and records (COSO)

to maintain audit trails and accuracy of the financial data
