Chapter 7

Ace your homework & exams now with Quizwiz!

____ relate to a specific AIS process, such as billing or cash receipts.

Business process control plans

This framework was issued in 1996 (and updated in 2007) by the Information Systems Audit and Control Association (ISACA) because of the influence of IT over information systems, financial reporting and auditing.

COBIT

The ERM framework is comprised of eight components. Which component includes the policies and procedures established and implemented to help ensure the risk responses are effectively carried out?

Control activities

____ are the policies and procedures that help ensure that the risk responses are effectively carried out.

Control activities

____ sets the tone of the organization, influencing the control consciousness of its people.

Control environment

As a result of an inadequate design, a production process yields an abnormally high amount of raw material scrapped. Which control goal is being violated?

Ensure efficient employment of resources

Achieving which control goal requires that all valid objects or events are captured and entered into a system's database once and only once?

Ensure input completeness

A programming error causes the sale of an inventory item to be added to the quantity on hand attribute in the inventory master data. Which control goal was not achieved?

Ensure update accuracy

Which of the following is a control goal regarding master data?

Ensure update accuracy

Which component of the ERM framework is best described here: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Event identification

The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.

False (ensure input validity)

Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives (or goals).

False (risk)

A computer crime technique called worm involves the systematic theft of very small amounts from a number of bank or other financial accounts.

False (salami slicing)

These are applied to all IT service activities.

IT general controls

Why is there usually no control goal called update validity?

Input and update completeness achieve update validity

This component of the ERM framework that encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values and the environment in which they operate.

Internal environment

A computer abuse technique called a ____ involves inserting unauthorized code in a program, which, when activated, may cause a disaster, such as shutting the system down or destroying files.

Logic bomb

Which component of the ERM framework is best described here: Management selects whether to avoid, accept, reduce, or share risk, developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Risk response

A(n) ____ is a computer abuse technique where unauthorized instructions are inserted into a program to systematically steal very small amounts, usually by rounding to the nearest cent in financial transactions.

Salami slicing

The section of Sarbanes Oxley that prohibits a CPA firm that audits a public company from engaging in certain nonaudit services with the same client is:

Title II - Auditor Independence

The section of Sarbanes Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is:

Title III - Corporate Responsibility

The section of Sarbanes Oxley that requires each annual report filed with the SEC to include an internal control report is:

Title IV - Enhanced Financial Disclosures

The section of Sarbanes Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to $5 million and up to 20 years imprisonment if they knowingly or willfully certify false or misleading information contained in periodic reports is:

Title IX - White-Collar Crime Penalty Enhancements

The section of Sarbanes Oxley that requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend is:

Title V - Analysts Conflicts of Interests

The section of Sarbanes Oxley that makes it a felony to knowingly destroy, alter, or create records and or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation and offers legal protection to whistle blowers is:

Title VIII - Corporate & Criminal Fraud Accountability

The section of Sarbanes Oxley that provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document's integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding is:

Title XI - Corporate Fraud and Accountability

As described in COSO, elements of a control environment might include the following:

all of the above (commitment to the importance of control, reward systems, tone at the top of the organization)

The major reasons for exercising control of the organization's business processes include:

all the above (provide reasonable assurance that the goals of the business are being achieved, mitigate risks of fraud & other intentional & unintentional acts, provide reasonable assurance that the company is in compliance with applicable legal & regulatory obligations)

A process captures only authorized transactions but fails to record them only once. Which control goal does this fail to achieve?

completeness

The ERM framework addresses four categories of management objectives. Which category of concerns laws and regulations?

compliance

Approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures, supervision, audit trails, and segregation of duties are examples of:

control activities

The correct sequence of the control hierarchy, from top to bottom, is:

control environment, pervasive controls, IT general controls, business process controls

The business process objectives that an internal control system is designed to achieve are:

control goals

A tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans is:

control matrix

Information-processing policies and procedures that assist in accomplishing control goals are known as:

control plans

A control that involves reprocessing transactions that are rejected during initial processing is an example of:

corrective controls

A control goal that is a measure of success in meeting a set of established goals is called:

effectiveness

Discrepancies between data items recorded by a system and the underlying economic events or objects they represent are a violation of the control goal of:

ensure input accuracy

Failing to record a customer's order for the purchase of inventory violates the control goal of:

ensure input completeness

The information process control goal which relates to preventing fictitious events from being recorded is termed:

ensure input validity

Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of:

ensure update accuracy

Assuring that the accounts receivable master data reflects all cash collections recorded in the cash receipts event data addresses the control goal of:

ensure update completeness

A process, effected by an entity's board of directors, management and other personnel, applied in strategy settings and across the enterprise, designed to identify potential events that may effect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives is:

enterprise risk management

According to the 2008 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by audits or internal controls than through tips.

false

Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlements.

false

Expected gross risk is a function of the initial expected gross risk, reduced risk exposure due to controls, and cost of controls.

false

Implementing key controls to determine their operating efficiency is a requirement of SOX Section 404

false

The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.

false

Under the Sarbanes Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.

false (Title I - PCAOB)

External directives are the policies and procedures that help ensure that management directives are carried out.

false (control activities)

A corrective control plan is designed to discover problems that have occurred.

false (detective control plan)

The external environment is a system of integrated elements, people, structures, processes, and procedures acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.

false (internal environment)

The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes.

false (malware)

A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.

false (programming error)

Under the Sarbanes Oxley Act of 2002, the section on Corporate Tax Returns conveys a sense of the Senate that the corporate federal income tax returns be signed by the treasurer.

false (signed by CEO)

Salami slicing is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.

false (worm)

A deliberate act or untruth intended to obtain unfair or unlawful gain is a(n):

fraud

A manager of a manufacturing plant alters production reports to provide the corporate office with an inflated perception of the plant's cost effectiveness in an effort to keep the inefficient plant from being closed. This action would be classified as a(n):

fraud

The effect of an event's occurrence is:

impact

A business event which is not properly authorized is an example of:

invalid item

Establishing a viable internal control system is primarily the responsibility of:

management

Who is legally responsible for establishing and maintaining an adequate system of internal control?

management

This component of the ERM framework concerns the entirety of enterprise risk management and is accomplished through ongoing management activities, separate evaluations, or both.

monitoring

____ is a process that evaluates the quality of internal control performance over time.

monitoring

The ERM framework addresses four categories of management objectives. Which category addresses the effective and efficient use of resources?

operations

Events that could have a positive impact on organizational objectives:

opportunities

A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is:

organizational governance

Control plans that relate to a multitude of goals and processes are called:

pervasive control plans

Controls that stop problems from occurring are called:

preventative controls

The ERM framework addresses four categories of management objectives. Which category addresses the reliability of the financial statements?

reporting

Events that could have a negative impact on organizational objectives:

risks

Control goals of operations processes include:

security of resources

The ERM framework addresses four categories of management objectives. Which category concerns high-level goals, aligned with and supporting its mission?

strategic

Risk assessment is best described by:

the likelihood and impact of risks are analyzed, as a basis for determining how they should be managed

According to the 2008 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by:

tips

A batch of business events is accurately entered into a business event data store, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.

true

A computer abuse technique called a back door involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program.

true

A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.

true

A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, may cause a disaster such as shutting down a system or destroying data.

true

A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable laws and regulations.

true

Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts.

true

Ensuring the security of resources is the control goal that seeks to provide protection of organization's resources from loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources.

true

Establishing and maintaining a viable internal control system is the responsibility of management.

true

Ethical behavior and management integrity are products of the "corporate culture".

true

Management is responsible for establishing and maintaining an adequate system of internal control.

true

Management's legal responsibility to prevent fraud and other irregularities is implied by laws such as the Foreign Corrupt Practices Act.

true

Monitoring is a process that assesses the quality of internal control performance over time.

true

Opportunities are events that could have a positive impact on organization objectives.

true

Organizational governance is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.

true

Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

true

Risks are those events that could have a negative impact on organization objectives.

true

SAS No. 99 emphasizes auditors should brainstorm fraud risks, increase professional skepticism, use unpredictable audit test patterns, and detect management override of internal controls.

true

The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization.

true

The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.

true

Under the Sarbanes Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports.

true

Under the Sarbanes Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each annual report filed with the SEC to include an internal control report.

true

Valid input data are appropriately authorized and represent actual economic events and objects.

true

A computer abuse technique called a ____ involves a virus that replicates itself on disks, in memory, or across networks.

worm


Related study sets

Characteristics of High-Performing Teams

View Set

Anatomy Chapter 2 Review questions

View Set

NSG 333 Ch 20- Nursing Management of the Pregnancy at Risk: Selected Health Conditions and Vulnerable Populations

View Set

Chapter 12 Practice Quiz-Business Comm

View Set

Magic box 1 (1-е полугодие)

View Set