Deck 11: AIS and Internal Controls
1
Segregation of duties reduces the risk of errors and irregularities in accounting records.
True
2
Processing controls are IT general controls.
False
3
Internal controls guarantee the accuracy and reliability of accounting records.
False
4
In a large public corporation, evaluating internal control procedures should be the responsibility of:
A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operation officer.
D. Security management staff who report to the chief facilities officer.
5
According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to establish and maintain the effectiveness of internal control.
6
Review of the audit log is an example of which of the following types of security control?
A. Governance.
B. Detective.
C. Preventive.
D. Corrective.
7
COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance in the U.S.
8
In a computerized environment, internal controls can be categorized as general controls and application controls.
9
According to COSO, which of the following components of the enterprise risk management addresses an entity's integrity and ethical values?
A. Information and communication
B. Internal environment.
C. Risk assessment.
D. Control activities.
10
Topic: COSO Internal Control Framework
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Providing greater management oversight of incompatible activities.
11
Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages auditors to start from the basic/bottom of financial records to identify the key controls.
12
The chief executive officer is ultimately responsible for enterprise risk management.
13
The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors to assess and report on the design and effectiveness of internal control over financial reporting annually.
14
Which of the following represents an inherent limitation of internal controls?
A. Bank reconciliations are not performed on a timely basis.
B. The CEO can request a check with no purchase order.
C. Customer credit check not performed.
D. Shipping documents are not matched to sales invoices.
15
The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving information security.
16
Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
17
Which of the following items is one of the eight components of COSO's enterprise risk management framework?
A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.
18
The risk of a company's internal auditing processes failing to catch the misstated dollar amount of revenue on the company's income statement is classified as inherent risk.
19
Corporate governance is a set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders.
20
A firm must establish control policies, procedures, and practices that ensure the firm's business objectives are achieved and its risk mitigation strategies are carried out.
21
Which of the following is not a component of internal control as defined by COSO?
A. Control environment.
B. Control activities.
C. Inherent risk
D. Monitoring.
22
Sound internal control dictates that immediately upon receiving checks from customers by mail, a responsible employee should
A. Add the checks to the daily cash summary.
B. Verify that each check is supported by a pre-numbered sales invoice.
C. Prepare a summary listing of checks received.
D. Record the checks in the cash receipts journal.
23
Which of the following most likely would not be considered as an inherent limitation of the effectiveness of a firm's internal control?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
24
According to COSO, which of the following is not a component of internal control?
A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.
25
Reconciliation of cash accounts may be referred to as what type of control?
A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.
26
An auditor assesses control risk because it
A. is relevant to the auditor's understanding of the control environment.
B. provides assurance that the auditor's materiality levels are appropriate.
C. indicates to the auditor where inherent risk may be the greatest.
D. affects the level of detection risk that the auditor may accept.
27
Controls in the information technology area are classified into preventive, detective, and corrective categories. Which of the following is a preventive control?
A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.
28
Which of the following is considered an application input control?
A. Run control total.
B. Edit check.
C. Reporting distribution log.
D. Exception report.
29
Proper segregation of duties calls for separation of the following functions:
A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.
30
Each of the following types of controls is considered to be an entity-level control, except those:
A. Relating to the control environment.
B. Pertaining to the company's risk assessment process.
C. Regarding the company's annual stockholder meeting.
D. Addressing policies over significant risk management practices
31
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been:
A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.
32
When considering internal control, an auditor should be aware of reasonable assurance, which recognizes that
A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain proper accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be derived.
33
The overall attitude and awareness of a firm's top management and board of directors concerning the importance of internal control is often reflected in its
A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.
34
Management philosophy and operating style would have a relatively less significant influence on a firm's control environment when
A. The internal auditor reports directly to the controller.
B. Management is dominated by one individual.
C. Accurate management job descriptions delineate specific duties.
D. The audit committee does not have regular meetings.
35
The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related to:
A. Accounting practice.
B. Attestation.
C. Auditing.
D. Quality control over attestation and/or assurance.
36
Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system?
A. Segregation of duties.
B. Ensure proper authorization of transactions.
C. Adequately safeguard assets.
D. Independently verify the transactions.
37
Tracing shipping documents to pre-numbered sales invoices provides evidence that
A. No duplicate shipments or billings occurred.
B. Shipments to customers were properly invoiced.
C. All goods ordered by customers were shipped.
D. All pre-numbered sales invoices were accounted for.
38
All of the following are examples of internal control procedures except
A. Using pre-numbered documents
B. Reconciling the bank statement
C. Customer satisfaction surveys
D. Insistence that employees take vacations
39
Which of the following statements is correct regarding internal control?
A. A well-designed internal control environment ensures the achievement of an entity's control objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by management override.
C. A well-designed and operated internal control environment should detect collusion perpetrated by two people.
D. Internal control is a necessary business function and should be designed and operated to detect errors and fraud.
40
According to AS 5, control risk should be assessed in terms of
A. Specific controls.
B. Types of potential fraud.
C. Financial statement assertions.
D. Control environment factors.
41
Ethical principles are derived from all of the following except:
A. Personal attitudes on issues of right and wrong.
B. Cost benefit analysis.
C. Cultural values.
D. Societal traditions.
42
Which of the following input controls is a numeric value computed to provide assurance that the original value has not been altered in construction or transmission?
A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.
43
Which of the following is an example of a validity check?
A. The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the errors are printed out.
C. After data for a transaction are entered, the computer sends certain data back to the terminal for comparison with data originally sent.
E. The computer flags any transmission for which the control field value did not match that of an existing file record.
44
The IT Infrastructure Library (ITIL) is considered a de facto standard in which of the following regions?
A. Asia and Australia.
B. North America.
C. The UK.
D. Europe.
45
The ISO 27000 Series of standards are designed to address which of the following?
A. Corporate governance.
B. Internal controls.
C. Information security issues.
D. IT value.
46
In addition to focusing on controls, COBIT 5 expands its scope by incorporating which of the following broad perspectives?
A. How IT brings value to the firm.
B. How IT can automate specific business processes.
C. IT networking requirements.
D. IT cost reductions.
47
The Sarbanes-Oxley Act (SOX) was passed as a response to which of the following events?
A. The savings & loan scandals of the 1980s.
B. The bust of dot-com bubble companies such as pets.com and Webvan.
C. Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco.
D. Securities manipulation and insider trading in the 1930s.
48
In a computerized environment, internal controls can be categorized into which of the following?
A. General controls and application controls.
B. Detective controls and protective controls.
C. Network controls and transaction controls.
D. Preventive controls and mandatory controls.
49
Which of the following provides the advantage of incorporating other widely accepted standards and frameworks?
A. ITIL.
B. COBIT 5.
C. COSO 2013.
D. ISO 27000.
50
Which of the following best describes what is meant by corporate governance?
A. The organizational structure and responsibilities of the executive team and board of directors of a corporation.
B. Regulatory bodies, such as the SEC and PCAOB, that govern the behavior of corporations.
C. The ability of a corporation's management team to meet earnings forecasts over an extended period of time.
D. Management's processes, policies, and ethical approach to safeguarding stakeholder interests.
51
COBIT 5 takes the view that all IT processes should provide clear links between all of the following except:
A. IT processes.
B. IT controls.
C. IT components.
D. IT governance requirements.
52
Which of the following best describes why firms choose to create codes of ethics?
A. Because most people will not behave ethically without a written set of guidelines.
B. Codes of ethics protect firms against lawsuits that may be filed due to corporate fraud.
C. They allow firms to create a formal set of expectations for employees who may have different sets of personal values.
D. Companies must have a written code of ethics in order to conduct interstate commerce in the U.S.
53
Which of the following is not one of the responses to risk presented in COSO ERM?
A. Share the risk.
B. Accept the risk.
C. Delegate the risk.
D. Reduce the risk.
54
According to COSO ERM, which of the following is not one of the bases that should be used to analyze the risks of an identified event?
A. Inherent risk.
B. Organizational risk.
C. Residual risk.
D. Control risk.
55
The COSO ERM framework encourages a review of risks as they apply to achieving firms' objectives. Which of the following is not one of the listed categories of objectives to be considered?
A. Environment.
B. Operations.
C. Strategic.
D. Compliance.