Ch 2 Flashcards

1
Q

Which of the following is least likely a role of the governance committee?

A.
Develop the company’s code of ethics. (7%)

B.
Ensure compliance with applicable laws and regulations. (9%)

C.
Present annual audit to the board of directors. (67%)

D.
Oversee annual board of directors' evaluation.

A

C
Board of director members serve on functional committees to disburse the board’s responsibilities. The governance committee safeguards the company by implementing best practices in the company’s policies and procedures. The main functions of the governance committee are:

Review and update policies for regulatory changes and developments
Recommend remedial actions for breaches of laws
Develop and supervise the implementation of:
  Corporate governance code
  Charter of the board and its committees
  Company’s code of ethics and conflicts of interest policy (Choice A)
Ensure compliance with applicable laws and regulations (Choice B)
Oversee annual evaluation of the board of directors (Choice D)
The audit committee, not the governance committee, presents the annual audit to the board.

Things to remember:
Board of director members serve on functional committees to disburse the board’s responsibilities. The governance committee ensures that the company adopts good corporate governance policies and procedures. The audit committee presents the annual audit to the board.

2
Q

Internal controls are likely to fail for any of the following reasons, except

A.
They are not designed and implemented properly at the outset. (6%)

B.
They are designed and implemented properly as static controls, but the environment in which they operate changes. (10%)

C.
They are designed and implemented properly, but their operation changes in some way. (9%)

D.
They are designed and implemented properly, and their design changes as processes change

A

Choice D (Correct) and Choices A, B, C (Incorrect): Controls should be designed and implemented properly, and as processes change so should their design. Controls are likely to fail if they are not designed and implemented properly at the outset. Properly designed and implemented controls are likely to fail if they remain static controls but their operational environment changes. Controls that are effective for a manual system, for example, would not necessarily be effective in an IT environment. Internal controls are also likely to fail if operations change in some way that is not a response to change in their environment. Using a stronger and more expensive raw material may require controls to prevent theft, for example, that were not necessary for the inexpensive material that was previously in use.

3
Q

A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should

A.
Visibly participate in a global information security campaign. (69%)

B.
Allocate additional budget resources for external audit services. (1%)

C.
Review and accept the information security risk assessments in a staff meeting. (20%)

D.
Refer to the organization’s U.S. human resources policies on privacy in a company newsletter.

A

Choice A (Correct): Visibly participating in a global information security campaign would demonstrate the importance of the security of company information to all team members. The visible participation by the senior executive in the information security campaign would help to stress the importance and show the commitment that the organization places on information security. Actions speak more loudly than words.

Choice B (Incorrect): Allocating additional budget resources for external audit services will not help to demonstrate the importance of the security of company information to all team members. Although an external audit may help the organization to discover security information breaches, it will not be effective at demonstrating the importance of the security of company information.

Choice C (Incorrect): Reviewing and accepting the information security risk assessments in a staff meeting will not demonstrate the importance of the security of company information beyond the few aware of the meeting. If the senior executive accepts information security risk assessments which are below levels tolerable to the organization, it will actually have an adverse effect on demonstrating the importance of company information security. Even if the assessments are favorable, the demonstration only will impact those attending the meeting–not the larger group of team members.

Choice D (Incorrect): Referring to the organization’s U.S. human resources policies on privacy in a company newsletter will not demonstrate the importance of the security of company information to all team members. Human resource policies are concerned with the hiring, training, evaluating and compensating of employees and would have a minimal effect on the security of company information. Further, most team members probably will assume the newsletter article is written by a ghostwriter or will not perceive it as more than lip service. In short, actions speak more loudly than words.

4
Q

Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?

A.
Change control. (64%)

B.
Management override. (10%)

C.
Data integrity. (12%)

D.
Computer operations.

A

A
Entities are continuously evolving. Changes may be pervasive when entities reevaluate their missions, expand into new geographical areas, or establish relationships with new customers or suppliers. Changes also occur when systems become obsolete or new resources are made available to enhance them.

Management should develop a change control process to guard against any potential adverse effects of change implementation. Well-designed change controls can ensure that alterations to the accounting and operating systems are performed in an authorized, coordinated, and controlled manner.

Any ability of programmers to change an application code without monitoring or testing can result in a change control deficiency. Therefore, segregation of duties (SOD) is needed. SOD reduces opportunities for individuals to either perpetrate or conceal errors in the normal course of their duties.

(Choice B) Management override occurs when management circumvents change control (eg, implements a change without following control procedures).

(Choice C) Data integrity refers to completeness and accuracy in the processing of data. It depends on controls over the accuracy of input and processing, not on SOD.

(Choice D) A deficiency in computer operations occurs when operators apply incorrect programs, use inappropriate equipment, or misuse appropriate equipment.

Things to remember:
A change control process guards against any potential adverse effects of change implementation. Well-designed change controls can ensure that alterations to accounting and operating systems are performed in an authorized, coordinated, and controlled manner that includes a segregation of duties.
