Chapter 7
____ relate to a specific AIS process, such as billing or cash receipts.
Business process control plans
This framework was issued in 1996 (and updated in 2007) by the Information Systems Audit and Control Association (ISACA) in response to the growing influence of IT on information systems, financial reporting and auditing.
COBIT
The ERM framework is comprised of eight components. Which component includes the policies and procedures established and implemented to help ensure the risk responses are effectively carried out?
Control activities
____ are the policies and procedures that help ensure that the risk responses are effectively carried out.
Control activities
____ sets the tone of the organization, influencing the control consciousness of its people.
Control environment
As a result of an inadequate design, a production process yields an abnormally high amount of raw material scrapped. Which control goal is being violated?
Ensure efficient employment of resources
Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once?
Ensure input completeness
A programming error causes the sale of an inventory item to be added to the quantity on hand attribute in the inventory master data. Which control goal was not achieved?
Ensure update accuracy
Which of the following is a control goal regarding master data?
Ensure update accuracy
Which component of the ERM framework is best described here: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
Event identification
The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.
False (ensure input validity)
Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives (or goals).
False (risk)
A computer crime technique called worm involves the systematic theft of very small amounts from a number of bank or other financial accounts.
False (salami slicing)
These are applied to all IT service activities.
IT general controls
Why is there usually no separate control goal called update validity?
Achieving input validity and update completeness achieves update validity: only authorized, actual events enter the system, and each of them updates the master data once and only once, so no invalid update can occur
This component of the ERM framework that encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.
Internal environment
A computer abuse technique called a ____ involves inserting unauthorized code in a program, which, when activated, may cause a disaster, such as shutting the system down or destroying files.
Logic bomb
Which component of the ERM framework is best described here: Management selects whether to avoid, accept, reduce, or share risk, developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Risk response
A(n) ____ is a computer abuse technique where unauthorized instructions are inserted into a program to systematically steal very small amounts, usually by rounding to the nearest cent in financial transactions.
Salami slicing
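The following is an added illustration, not code from the textbook or the flashcard set, of why salami slicing survives the usual batch-total reconciliation and what detective control does catch it. The account balances, the 5% annual rate, the account ids and the "A9-PERP" destination account are all constructed assumptions. The skimming routine truncates each interest credit instead of rounding it and sweeps the shaved fractions into one account; because the sum of the credits still equals the honest total, only a control that independently recomputes every posting and matches it to an authorizing event detects the diversion.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.05")  # assumed policy rate, 5% per year

# Constructed sample accounts (assumption, not textbook data): id -> balance
ACCOUNTS = {
    "A1": Decimal("1234.56"), "A2": Decimal("987.65"), "A3": Decimal("4321.00"),
    "A4": Decimal("250.10"),  "A5": Decimal("7777.77"), "A6": Decimal("15.99"),
    "A7": Decimal("60000.00"), "A8": Decimal("3.33"),
}


def exact_interest(balance, rate=ANNUAL_RATE):
    """Full-precision monthly interest; Decimal keeps the sub-cent residue intact."""
    return balance * rate / 12


def authorized_interest(balance, rate=ANNUAL_RATE):
    """The amount policy authorizes: the exact interest rounded to the cent."""
    return exact_interest(balance, rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def honest_posting_run(accounts):
    """Correct program: credit each account with its authorized interest."""
    return [(acct, authorized_interest(bal)) for acct, bal in accounts.items()]


def salami_posting_run(accounts, perp_account="A9-PERP"):
    """The abuse: truncate each credit and sweep the shaved fractions to one
    account. perp_account is a hypothetical destination used for illustration."""
    postings, skimmed = [], Decimal("0")
    for acct, bal in accounts.items():
        exact = exact_interest(bal)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        skimmed += exact - truncated
        postings.append((acct, truncated))
    # Only whole cents can be posted; the sub-cent remainder would carry forward.
    postings.append((perp_account, skimmed.quantize(CENT, rounding=ROUND_DOWN)))
    return postings


def total_credited(postings):
    """Batch total of the run; this is what a control total reconciliation sees."""
    return sum(amount for _, amount in postings)


def reconcile_postings(accounts, postings):
    """Detective control: recompute every credit independently and match it to
    an authorizing interest event. Returns (accounts credited with no such
    event, accounts whose credit differs from the authorized amount)."""
    expected = {acct: authorized_interest(bal) for acct, bal in accounts.items()}
    unauthorized = sorted(acct for acct, _ in postings if acct not in expected)
    misstated = sorted(acct for acct, amt in postings
                       if acct in expected and amt != expected[acct])
    return unauthorized, misstated


if __name__ == "__main__":
    honest, skimmed = honest_posting_run(ACCOUNTS), salami_posting_run(ACCOUNTS)
    # The batch totals agree, so a control total alone does not flag the run.
    print("batch totals:", total_credited(honest), total_credited(skimmed))
    print("honest run exceptions:", reconcile_postings(ACCOUNTS, honest))
    print("salami run exceptions:", reconcile_postings(ACCOUNTS, skimmed))
```

The reconciliation flags three customer credits that are a cent short (the accounts whose exact interest rounds up) and one credit to an account for which no interest event exists, which is the posting-level equivalent of the update validity discussed under the control goals: every update must trace back to a valid, authorized event.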
The section of Sarbanes Oxley that prohibits a CPA firm that audits a public company from engaging in certain nonaudit services with the same client is:
Title II - Auditor Independence
The section of Sarbanes Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is:
Title III - Corporate Responsibility
The section of Sarbanes Oxley that requires each annual report filed with the SEC to include an internal control report is:
Title IV - Enhanced Financial Disclosures
The section of Sarbanes Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to $5 million and up to 20 years imprisonment if they knowingly or willfully certify false or misleading information contained in periodic reports is:
Title IX - White-Collar Crime Penalty Enhancements
The section of Sarbanes Oxley that requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend is:
Title V - Analysts Conflicts of Interests
The section of Sarbanes Oxley that makes it a felony to knowingly destroy, alter, or create records and or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation and offers legal protection to whistle blowers is:
Title VIII - Corporate & Criminal Fraud Accountability
The section of Sarbanes Oxley that provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document's integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding is:
Title XI - Corporate Fraud and Accountability
As described in COSO, elements of a control environment might include the following:
all of the above (commitment to the importance of control, reward systems, tone at the top of the organization)
The major reasons for exercising control of the organization's business processes include:
all the above (provide reasonable assurance that the goals of the business are being achieved, mitigate risks of fraud & other intentional & unintentional acts, provide reasonable assurance that the company is in compliance with applicable legal & regulatory obligations)
A process captures only authorized transactions but fails to record them only once. Which control goal does this fail to achieve?
input completeness (once and only once)
The ERM framework addresses four categories of management objectives. Which category of concerns laws and regulations?
compliance
Approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures, supervision, audit trails, and segregation of duties are examples of:
control activities
The correct sequence of the control hierarchy, from top to bottom, is:
control environment, pervasive controls, IT general controls, business process controls
The business process objectives that an internal control system is designed to achieve are:
control goals
A tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans is:
control matrix
Information-processing policies and procedures that assist in accomplishing control goals are known as:
control plans
A control that involves reprocessing transactions that are rejected during initial processing is an example of:
corrective controls
A control goal that is a measure of success in meeting a set of established goals is called:
effectiveness
Discrepancies between data items recorded by a system and the underlying economic events or objects they represent are a violation of the control goal of:
ensure input accuracy
Failing to record a customer's order for the purchase of inventory violates the control goal of:
ensure input completeness
The information process control goal which relates to preventing fictitious events from being recorded is termed:
ensure input validity
Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of:
ensure update accuracy
Assuring that the accounts receivable master data reflects all cash collections recorded in the cash receipts event data addresses the control goal of:
ensure update completeness
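The five information process control goals above (input validity, input completeness, input accuracy, update completeness, update accuracy) are easier to tell apart when each is written as a check over the data it governs. The example below is added here and is not code from the textbook or from the flashcard set; the remittance advices, customer master, cash receipt events and AR postings are all constructed sample data, seeded with one violation of each goal. Each check is evaluated at its own layer: the input goals compare the captured event data with the source documents, and the update goals compare the master data postings with the event data as captured.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data (assumption, not textbook data).
# Source documents: remittance advice id -> (customer, amount)
REMITTANCE_ADVICES = {
    "RA-1001": ("C100", Decimal("250.00")),
    "RA-1002": ("C200", Decimal("75.50")),
    "RA-1003": ("C300", Decimal("120.00")),
    "RA-1004": ("C100", Decimal("40.00")),
}
CUSTOMER_MASTER = {"C100", "C200", "C300"}  # authorized customers

# Cash receipts event data as keyed in: (event id, source doc, customer, amount)
CASH_RECEIPT_EVENTS = [
    ("E1", "RA-1001", "C100", Decimal("250.00")),
    ("E2", "RA-1002", "C200", Decimal("57.50")),   # digits transposed on entry
    ("E3", "RA-1003", "C300", Decimal("120.00")),
    ("E4", "RA-1003", "C300", Decimal("120.00")),  # RA-1003 keyed a second time
    ("E5", "RA-9999", "C999", Decimal("500.00")),  # no such document or customer
]

# Updates made to the AR master data: (posting id, event id, customer, amount)
AR_POSTINGS = [
    ("P1", "E1", "C100", Decimal("250.00")),
    ("P2", "E2", "C200", Decimal("57.50")),
    ("P3", "E3", "C100", Decimal("120.00")),       # credited to the wrong customer
    ("P4", "E5", "C999", Decimal("500.00")),
    ("P5", "E1", "C100", Decimal("250.00")),       # E1 posted twice
]                                                   # E4 is never posted


def input_validity(events, source_docs, customers):
    """Events not backed by a source document or an authorized customer."""
    return sorted(e for e, doc, cust, _ in events
                  if doc not in source_docs or cust not in customers)


def input_completeness(events, source_docs):
    """Source documents captured zero times (missing) or more than once (duplicated)."""
    seen = Counter(doc for _, doc, _, _ in events)
    missing = sorted(d for d in source_docs if seen[d] == 0)
    duplicated = sorted(d for d in source_docs if seen[d] > 1)
    return missing, duplicated


def input_accuracy(events, source_docs):
    """Events whose recorded customer or amount disagrees with the source document."""
    return sorted(e for e, doc, cust, amt in events
                  if doc in source_docs and source_docs[doc] != (cust, amt))


def update_completeness(events, postings):
    """Events never posted to master data, and events posted more than once."""
    posted = Counter(ev for _, ev, _, _ in postings)
    unposted = sorted(e for e, *_ in events if posted[e] == 0)
    reposted = sorted(e for e, *_ in events if posted[e] > 1)
    return unposted, reposted


def update_accuracy(events, postings):
    """Postings whose customer or amount differs from the event they claim to post."""
    by_event = {e: (cust, amt) for e, _, cust, amt in events}
    return sorted(p for p, ev, cust, amt in postings
                  if ev in by_event and by_event[ev] != (cust, amt))


def run_control_checks():
    """Evaluate all five goals over the sample data; one exception list per goal."""
    return {
        "input validity": input_validity(CASH_RECEIPT_EVENTS, REMITTANCE_ADVICES, CUSTOMER_MASTER),
        "input completeness": input_completeness(CASH_RECEIPT_EVENTS, REMITTANCE_ADVICES),
        "input accuracy": input_accuracy(CASH_RECEIPT_EVENTS, REMITTANCE_ADVICES),
        "update completeness": update_completeness(CASH_RECEIPT_EVENTS, AR_POSTINGS),
        "update accuracy": update_accuracy(CASH_RECEIPT_EVENTS, AR_POSTINGS),
    }


if __name__ == "__main__":
    for goal, exceptions in run_control_checks().items():
        print(f"{goal:20s} exceptions: {exceptions}")
```

Note that E4 is flagged under input completeness (RA-1003 was captured twice, violating "once and only once") even though its own posting is missing, and that P5 is an update completeness exception (E1 posted twice) while P3 is an update accuracy exception (right event, wrong customer); the checks deliberately do not overlap, which is what makes them usable as separate columns of a control matrix.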
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives is:
enterprise risk management
According to the 2008 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by audits or internal controls than through tips.
false
Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlements.
false
Expected gross risk is a function of the initial expected gross risk, reduced risk exposure due to controls, and cost of controls.
false
Implementing key controls to determine their operating efficiency is a requirement of SOX Section 404
false (SOX Section 404 requires testing key controls for operating effectiveness)
The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.
false (effectiveness of operations)
Under the Sarbanes Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.
false (Title I - PCAOB)
External directives are the policies and procedures that help ensure that management directives are carried out.
false (control activities)
A corrective control plan is designed to discover problems that have occurred.
false (detective control plan)
The external environment is a system of integrated elements, people, structures, processes, and procedures acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.
false (internal control)
The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes.
false (malware)
A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.
false (programming error)
Under the Sarbanes Oxley Act of 2002, the section on Corporate Tax Returns conveys a sense of the Senate that the corporate federal income tax returns be signed by the treasurer.
false (signed by CEO)
Salami slicing is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.
false (virus)
A deliberate act or untruth intended to obtain unfair or unlawful gain is a(n):
fraud
A manager of a manufacturing plant alters production reports to provide the corporate office with an inflated perception of the plant's cost effectiveness in an effort to keep the inefficient plant from being closed. This action would be classified as a(n):
fraud
The effect of an event's occurrence is:
impact
A business event which is not properly authorized is an example of:
invalid item
Establishing a viable internal control system is primarily the responsibility of:
management
Who is legally responsible for establishing and maintaining an adequate system of internal control?
management
This component of the ERM framework concerns the entirety of enterprise risk management and is accomplished through ongoing management activities, separate evaluations, or both.
monitoring
____ is a process that evaluates the quality of internal control performance over time.
monitoring
The ERM framework addresses four categories of management objectives. Which category addresses the effective and efficient use of resources?
operations
Events that could have a positive impact on organizational objectives:
opportunities
A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is:
organizational governance
Control plans that relate to a multitude of goals and processes are called:
pervasive control plans
Controls that stop problems from occurring are called:
preventive controls
The ERM framework addresses four categories of management objectives. Which category addresses the reliability of the financial statements?
reporting
Events that could have a negative impact on organizational objectives:
risks
Control goals of operations processes include:
security of resources
The ERM framework addresses four categories of management objectives. Which category concerns high-level goals, aligned with and supporting its mission?
strategic
Risk assessment is best described by:
the likelihood and impact of risks are analyzed, as a basis for determining how they should be managed
According to the 2008 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by:
tips
A batch of business events is accurately entered into a business event data store, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.
true
A computer abuse technique called a back door involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program.
true
A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.
true
A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, may cause a disaster such as shutting down a system or destroying data.
true
A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable laws and regulations.
true
Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts.
true
Ensuring the security of resources is the control goal that seeks to provide protection of organization's resources from loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources.
true
Establishing and maintaining a viable internal control system is the responsibility of management.
true
Ethical behavior and management integrity are products of the "corporate culture".
true
Management is responsible for establishing and maintaining an adequate system of internal control.
true
Management's legal responsibility to prevent fraud and other irregularities is implied by laws such as the Foreign Corrupt Practices Act.
true
Monitoring is a process that assesses the quality of internal control performance over time.
true
Opportunities are events that could have a positive impact on organization objectives.
true
Organizational governance is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
true
Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
true
Risks are those events that could have a negative impact on organization objectives.
true
SAS No. 99 emphasizes auditors should brainstorm fraud risks, increase professional skepticism, use unpredictable audit test patterns, and detect management override of internal controls.
true
The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization.
true
The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.
true
Under the Sarbanes Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports.
true
Under the Sarbanes Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each annual report filed with the SEC to include an internal control report.
true
Valid input data are appropriately authorized and represent actual economic events and objects.
true
A computer abuse technique called a ____ involves a program that replicates itself on disks, in memory, or across networks.
worm