CH 2 Governance & COSO Flashcards

1
Q
The objective of safeguarding of assets is a subset of which of the following objectives?
Reporting.
Compliance.
Fraud.
Operations.
A

Operations.
There are a number of internal control frameworks used as benchmarks. The most commonly used framework in the U.S. is Internal Control—Integrated Framework developed by COSO. According to COSO internal control is:

A process, effected by the entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

As can be seen from the definition, internal control has three objectives: (1) reliability of reporting, (2) efficiency and effectiveness of operations, and (3) compliance with applicable laws and regulations. When internal control is determined to be effective, senior management and the board of directors have the following reasonable assurance with respect to the objectives:

(1) Operations objectives—the organization achieves effective and efficient operations when significant external events can be predicted and their potential effects mitigated, or the organization understands the extent to which operations can be managed when the effects of significant events cannot be mitigated. The operations category of objectives also includes safeguarding of assets.
(2) Reporting objectives—the organization prepares internal and external financial and nonfinancial reports in conformity with applicable laws, rules, regulations, standards, and internal policies.
(3) Compliance objectives—the organization complies with applicable laws, rules and regulations.
Under the COSO framework internal control can be viewed as including five components: (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities. Seventeen principles are incorporated within the five components.

2
Q

The COSO definition of internal control considers control activities a(n):
Component of internal control.
Control objective.
Element of the control environment.
Portion of information and communication.

A

Auditing Standards divide internal control into five interrelated components as follows: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring.

3
Q

According to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, the chief audit executive should

Establish a risk-based approach to determine audit priorities.

Manage audit activities to ensure that all major areas receive coverage over the course of the year.

Establish audit priorities solely based on management’s priorities.

Establish audit priorities that have no overlap with external audit priorities.

A

Establish a risk-based approach to determine audit priorities.

The International Standards for the Professional Practice of Internal Auditing, much like generally accepted auditing standards, include rules and interpretations. They cover the two types of services that internal auditors perform, assurance services and consulting services. Assurance services involve providing an independent assessment of governance, risk management, or control processes of an organization. Consulting services involve advisory related services to improve an organization’s governance, risk management, or control processes. The internal auditing standards are broken down into attribute standards (related to the characteristics of the internal audit activity) and performance standards (related to the quality of internal audit activities). Aspects of the International Standards for the Professional Practice of Internal Auditing that relate particularly to corporate governance include

(1) The purpose, authority, and responsibility of the internal audit activity should be formally defined in the internal audit charter. The internal audit charter should recognize the need to adhere to the Code of Ethics and International Standards for the Professional Practice of Internal Auditing.
(2) The internal audit activity must be independent and internal auditors must be objective in performing their work. Independence for the internal audit activity is achieved by organizational independence, which means auditors cannot be influenced by the management of the functional areas that they audit. Accordingly, the chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. For effective organizational independence, the chief audit executive ideally should report functionally to the audit committee and administratively to the chief executive officer of the corporation. This helps to prevent their work from being influenced by management of the corporation. In addition, individual internal auditors must have an impartial, unbiased attitude and avoid conflicts of interest. For example, individual internal auditors cannot be independent in auditing activities for which they made operating decisions. If independence is impaired, the details of the impairment should be disclosed to appropriate parties.
(3) Internal audit engagements must be performed with proficiency and due professional care. Proficiency means that the internal auditors must possess the knowledge, skills, and competencies needed to perform their individual responsibilities. This includes a sufficient knowledge of key IT risks and controls, and IT audit techniques, and a sufficient knowledge to evaluate fraud risk.
(4) Internal auditors must enhance their skills with continuing professional development and the chief audit executive must develop and maintain a quality assurance and improvement program.
(5) The internal audit activity must evaluate the effectiveness and contribute to the improvement of the corporation’s risk management processes, and assist the management in maintaining effective controls by evaluating their effectiveness and efficiency and promoting continuous improvement.
(6) The chief audit executive must establish risk-based plans to determine audit priorities.
(7) The chief audit executive must establish and maintain a system to monitor the disposition of audit results communicated to management.

4
Q

Which of the following is not one of the attributes of a financial expert as required in the SEC rules regarding audit committees?
An understanding of generally accepted auditing standards.
An understanding of internal controls and procedures for financial reporting.
An understanding of audit committee functions.
An understanding of generally accepted accounting principles.

A

The Sarbanes-Oxley Act provides that at least one member of the audit committee should be a “financial expert.” The names of the financial experts must be disclosed. If the firm does not have a financial expert, it must provide an explanation. A financial expert is one that possesses all of the following attributes:

(1) An understanding of generally accepted accounting principles and financial statements
(2) Experience in preparing, auditing, analyzing, or evaluating financial statements of the breadth and complexity expected to be encountered with the company
(3) An understanding of internal controls and procedures for financial reporting
(4) An understanding of audit committee functions

These attributes would be acquired through (1) education and experience as a principal financial officer, controller, public accountant, or equivalent, (2) experience supervising an individual in one of the positions in (1), (3) experience overseeing or assessing the performance of companies or public accountants with respect to preparing, auditing, or evaluating financial statements, or (4) other relevant experience.

5
Q

The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) includes the objectives of reporting, compliance with laws and regulations and:

Incorporation of ethical business practice standards.

Effectiveness and efficiency of operations.

Safeguarding of entity assets.

Effectiveness of prevention of fraudulent occurrences.

A

Effectiveness and efficiency of operations.

B. Internal Controls
There are a number of internal control frameworks used as benchmarks. The most commonly used framework in the U.S. is Internal Control—Integrated Framework developed by COSO. According to COSO internal control is:

A process, effected by the entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

6
Q

Which of the following disclosures is required by the Dodd-Frank Act of 2010?

Disclosure of who appoints the external auditors.

Disclosure of why or why not the chairman of the board is also the chief executive officer.

Disclosure of what committee sets compensation policy.

Disclosure of the number of inside directors on the board.

A

Officers operate the company based on the authority delegated to them by the board of directors. An officer of the corporation is an agent that can bind the corporation within the scope of his or her authority. Corporations are not bound by acts of an officer acting beyond the scope of his or her authority. The officers of the corporation are responsible for the fair presentation of the corporation’s financial reports, including the financial statements. Officers, employees, or major stockholders who are on the board of directors are referred to as inside directors. The Wall Street Reform and Consumer Protection (Dodd-Frank) Act of 2010 requires public corporations to disclose why or why not the chairman of the board is also the chief executive officer.

7
Q

Which of the following components of internal control encompass policies and procedures that ensure that management’s directives are carried out?

The control environment.

Monitoring.

Control activities.

Information and communication.

A

This answer is correct. Control activities encompass policies and procedures that ensure that management’s directives are carried out.

8
Q

An important benefit of an enterprise risk management system is

Alignment of shareholder returns with management returns.

Alignment of management risk taking with employee risk appetite.

Alignment of management risk taking with shareholder risk appetite.

Alignment of management risk taking with creditor risk appetite.

A

Alignment of shareholder returns with management returns.

Enterprise Risk Management
In addition to an internal control framework, COSO has also developed a framework for enterprise risk management (ERM). The framework defines ERM as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ERM helps align the risk appetite of the organization with its strategy, enhances risk response decisions, reduces operational surprises and losses, identifies and manages cross-enterprise risks, provides integrated responses to multiple risks, helps the organization seize opportunities, and improves the deployment of capital.

A key aspect of ERM is the identification and management of events that have a negative impact, positive impact, or both. Events with negative impact represent risks. Events with positive impact may offset negative impacts or represent opportunities.

Everyone in the organization has some responsibility for ERM. The best run organizations have a culture of risk management that is understood by every employee. Many organizations assign a risk officer, financial officer, and/or internal auditor with key support responsibilities. The internal control of the organization is an integral part of the organization’s ERM system.

9
Q

Which of the following tasks would be included in a document flowchart for processing cash receipts?

Compare control and remittance totals.
Record returns and allowances.

Authorize and generate an invoice.

Authorize and generate a voucher.

A

The requirement is to identify the task that would be included in a document flowchart for processing cash receipts. This answer is correct because comparing control and remittance totals is one of the activities involved in processing cash receipts.

10
Q

Which of the following is not required of corporations that are listed on the New York Stock Exchange (NYSE)?

External auditors must report directly to the audit committee of the board of directors.

One member of the audit committee of the board of directors must be a financial expert.

The principal executive officer must disclose all significant internal control deficiencies.

The chairman of the board of directors cannot also serve as the chief executive officer.

A

The chairman of the board of directors cannot also serve as the chief executive officer. This is not a requirement of the NYSE. Dodd-Frank indicates that a corporation must disclose why or why not the chairman is also the CEO.

New York Stock Exchange (NYSE) & NASDAQ Rules Related to Corporate Governance and Director Independence. Among other items, the NYSE and NASDAQ require listed corporations to

(1) Have a majority of independent directors on their boards.
(2) Make determination of independence of members and provide information to investors about the determination. Specific NYSE and NASDAQ rules that make a director not independent include

(a) A director is not independent if s/he has been an employee of the corporation or an affiliate in the last 5 years (3 years for NASDAQ).
(b) A director is not independent if a family member has been an officer of the corporation or affiliate in the last 5 years (3 years for NASDAQ).
(c) A director is not independent if s/he was a former partner or employee of the corporation’s external auditor in the last 5 years (3 years for NASDAQ).
(d) A director is not independent if s/he or a family member in the last 3 years received more than $120,000 (for a twelve-month period) in payments from the corporation other than for director compensation.
(e) A director is not independent if s/he is an executive of another entity that receives significant amounts of revenue from the corporation.

(3) Identify certain relationships that automatically preclude a board member from being independent.
(4) Have nonmanagement directors meet at regularly scheduled executive sessions.
(5) Adopt and make publicly available a code of conduct applicable to all directors, officers and employees, and disclose any waivers of the code for directors or executive officers.
(6) Have an independent audit committee. In addition, nominating/corporate governance and compensation decisions must be made by independent committees (or a majority of independent directors for NASDAQ).

11
Q

According to the IIA International Standards for the Professional Practice of Internal Auditing, the internal audit charter should include all of the following except:
The purpose of the internal audit activity.

The responsibility of the internal audit activity.
The scope of the internal audit activity.

The authority of the internal audit activity.

A

The scope of the internal audit activity. The scope of the activity should not be included in the charter.

The purpose, authority, and responsibility of the internal audit activity should be formally defined in the internal audit charter. The internal audit charter should recognize the need to adhere to the Code of Ethics and International Standards for the Professional Practice of Internal Auditing.

12
Q

The Dodd-Frank Act of 2010 established a requirement that
All members of the compensation committee of the board of directors be independent.
All members of the audit committee of the board of directors be independent.
All members of the corporate governance committee of the board of directors be independent.
All members of the board of directors be independent.

A

The compensation committee (1) reviews and approves CEO compensation based on meeting performance goals, (2) makes recommendations to the board with respect to incentive and equity-based compensation plans, and (3) attempts to align incentives with shareholder objectives and risk appetite. The Dodd-Frank Act of 2010 established a requirement that all members of the compensation committee of public companies must be independent. In addition, shareholders must be allowed a nonbinding vote on executive compensation at least every three years, and a vote at least every six years as to whether the vote on compensation should be held more often. Finally, the act also requires a nonbinding vote by shareholders on “golden parachutes” to be provided to executives as a result of major transactions.

13
Q
Which of the following forms of compensation is more likely to result in shirking by management?
Fixed compensation.
Base salary and bonus.
Base salary and stock options.
Base salary and stock grants.
A

This answer is correct. With fixed compensation management may not be inclined to work hard or take appropriate risks.

14
Q

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

A.
Control baseline

Correct B.
Change identification

C.
Change management

D.
Control revalidation/update

A

The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity’s ability to manage those changes. To “identify and address changes” is part of change identification.

The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.

15
Q

The manager of a production line has the authority to order and receive replacement parts for all machinery that require periodic maintenance. The manager typically pays for the parts using a corporate credit card (that bills to the company). The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The manager processed payments for the undelivered parts through the company’s credit card and those payments were sent to the family-member supplier. After the supplier received the money, it was divided between the manager and the family member.

An internal auditor is conducting an audit of the use of corporate credit cards by employees and the supplies ordering process. Which of the following are major audit concerns regarding these issues?

Segregation of duties is insufficient.
The purchasing function is impaired.
Cards may be used for personal benefit.
The company is required to make one large payment instead of many small ones.
A.
II and IV only

B.
III only

C.
I, II, III, and IV

Correct D.
I and III only

A

The segregation of duties is insufficient as there should be another person to process the receiving documents. In the absence of effective monitoring, credit cards could easily be used for personal benefit.

16
Q

Which of the following is necessary to be an audit committee financial expert according to the criteria specified in the Sarbanes-Oxley Act of 2002?

A.
A limited understanding of generally accepted auditing standards

B.
Education and experience as a certified financial planner

Correct C.
Experience with internal accounting controls

D.
Experience in the preparation of tax returns

A

The Sarbanes-Oxley Act of 2002 explains that a financial expert must have experience with internal accounting controls, an understanding of generally accepted accounting standards, and experience with the preparation or auditing of financial statements of generally comparable issuers.

17
Q

The Sarbanes-Oxley Act changed the way financial reports are treated. What section of the act requires the CEO to review the financial statements?

A.
Section 202

Correct B.
Section 302

C.
Section 102

D.
Section 402

A

Section 302 of the Sarbanes-Oxley Act requires that CEOs and CFOs certify that the periodic statutory financial statements were reviewed before being signed.

18
Q

Which of the following positions best describes the nature of the board of directors of XYZ Co.’s relationship to the company?

A.
Agent

B.
Executive

Correct C.
Fiduciary

D.
Representative

A

The relationship of XYZ Co.’s board of directors to the company is a fiduciary relationship. To understand why, you must first define “fiduciary.” A fiduciary relationship is a legal or ethical relationship of trust between two people, organizations, or other such parties.

19
Q

A written policy and procedure manual should contain:

A.
a formal job description.

B.
an employee training program.

C.
corporation budgets.

Correct D.
proper business practices.

A

Policies and procedures help the employee understand the organization’s policies for operation and the procedures that are followed to meet the policies. The policies and procedures include such things as the proper business practices, the purpose of the organization, responsibilities, and definitions.

20
Q

Each of the following statements is correct regarding the existence and implementation of codes of conduct, except:

A.
employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior.

B.
the codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading.

C.
the codes of conduct are periodically acknowledged by all employees.

Correct D.
the codes of conduct must be in writing and displayed in public areas, such as a break room.

A

Answer A is incorrect because a code of conduct is only effective if employees understand the limits on behavior contained in the code and are able to take appropriate action when improper behavior is encountered.

Answer B is incorrect because a code of conduct that omitted any of these topics would be incomplete and unable to meet its objectives.

Answer C is incorrect because it is important that employees periodically review the code of conduct and acknowledge agreement to its ethical restrictions.

Answer D is correct because there are numerous ways to make a code of conduct available to employees, such as distributing written handbooks or presenting the code of conduct on the entity’s web site.

21
Q

What does the audit committee of the board of directors oversee?

A.
Formal job descriptions for employees in an organization

Correct B.
The financial reporting process in an organization

C.
The responsibilities assigned to employees

D.
The creation of standards

A

The audit committee of the board of directors oversees the following:

Financial reporting
Financial disclosure
Compliance with standards

22
Q

A company implements an enterprise resource planning application to help improve its financial and operational reporting, while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of:

Correct A.
change management.

B.
a social event.

C.
segregation of duties.

D.
an economic event.

A

Answer A is correct because implementing an ERP application is a change to the entity’s internal controls and documenting the change is part of the process of managing the change.

Answer B is incorrect because documenting an application is part of the entity’s internal controls, not a social event.

Answer C is incorrect because segregating one duty from another is an example of a control. It is not related to documentation of policies or training.

Answer D is incorrect because this is the implementation of a change in the financial reporting system, not an economic event.

23
Q

To be effective, analytical procedures in the overall review stage of an audit engagement should be performed by which of the following?

A.
The managing audit partner who has responsibility for all audit engagements at that practice office

Correct B.
An audit manager or partner who has a comprehensive knowledge of the client’s business and industry

C.
The CPA firm’s quality control manager or partner who has responsibility for the firm’s peer review program

D.
The staff accountant who performed the substantive auditing procedures

A

An audit manager or partner should perform the analytical procedures in the overall review stage because they have a more thorough understanding of the client and the industry when compared to other individuals who have less knowledge of the client and the industry.

The objective of analytical procedures used in the overall review stage of the audit is to assist the auditor in assessing the conclusions reached and in the evaluation of the overall financial statement presentation.

24
Q

Computer program libraries can best be kept secure by:

A.
restricting physical and logical access.

B.
denying access from remote terminals.

C.
monitoring physical access to program library media.

Incorrect D.
installing a logging system for program access.

A

Restricting physical and logical access secures program libraries from unauthorized use, in person and remotely via terminals.

Installing a logging system for program access would permit detection of unauthorized access but would not prevent it. Monitoring physical access to program library media would control only unauthorized physical access. Denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.

25
Q

Processing data through the use of simulated files provides an auditor with information about the operating effectiveness of control policies and procedures. One of the techniques involved in this approach makes use of:

A.
controlled reprocessing.

Correct B.
an integrated test facility.

C.
input validation.

D.
program code checking.

A

An integrated test facility allows an auditor to introduce test data (simulated files) into an actual processing run to test the processing of that data. This provides evidence about operating effectiveness of the software.

“Controlled reprocessing” is incorrect because reprocessing the same data again with the same software provides no new information. “Input validation” is incorrect because input validation is a control that improves the accuracy of data entry, but does not provide information about control effectiveness. “Program code checking” is incorrect because manual program code checking in a complex system is a difficult task, sometimes impossible, which is more efficiently done by using test data in an integrated test facility.

26
Q

The Sarbanes-Oxley Act requires financial issuers to publish what kind of information?

A.
The immaterial condition of the company

B.
Internal control performance relative to industry best practice benchmarks

C.
Only positive impacts on internal controls

Correct D.
The scope and capabilities of the internal control structure

A

Section 404 of the Sarbanes-Oxley Act requires issuers of annual reports to include the scope and capabilities of the internal control system. It also requires the issuer to include procedures for financial reporting.

27
Q

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is:

A.
the internal audit department.

B.
the chief executive officer.

Correct C.
a manager within the department.

D.
the audit committee.

A

Answer A is incorrect because the internal audit department evaluates risk procedures and shouldn’t be in the position of evaluating procedures they have developed.

Answer B is incorrect because the CEO in a large organization doesn’t have the time or knowledge to devise risk procedures for every department.

Answer C is correct because a manager within the department has the most detailed knowledge of risks in that department.

Answer D is incorrect because the audit committee of the board has overall responsibility for the selection of the auditor and receipt of audit results. They don’t have detailed knowledge of any one department.

28
Q

Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted. A bank, for example, may incur significant penalties as a result of missed payments.

Which of the following activities is necessary to determine what would constitute a disaster for an organization?

A.
Risk analysis

Incorrect B.
File and equipment backup requirements analysis

C.
Vendor supply agreement analysis

D.
Contingent facility contract analysis

A

Risk analysis is necessary to determine an organization’s definition of a disaster and evaluate the effect of that disaster.

System backup analysis, vendor supply agreement analysis, and contingent facility contract analysis are all contingency planning strategies to react to a disaster.

29
Q

Internal auditors play a role in an entity’s internal control through all of the following methods except:

A.
implementing control activities.

Incorrect B.
evaluating the effectiveness of controls.

C.
promoting continuous improvement.

D.
evaluating the efficiency of controls.

A

Internal auditors are required by the International Standards for the Professional Practice of Internal Auditing (set forth by the IIA, Institute of Internal Auditors) to assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal auditors do not act as management by implementing control activities. In fact, they are prohibited from doing so and must remain independent. Internal auditors cannot assess operations for which they have been responsible.

IIA International Standards for the Professional Practice of Internal Auditing 2130

30
Q

According to COSO, an effective approach to monitoring internal control involves each of the following steps, except:

A.
establishing a foundation for monitoring.

Correct B.
increasing the reliability of financial reporting and compliance with applicable laws and regulations.

C.
designing and executing monitoring procedures that are prioritized based on risks to achieve organizational objectives.

D.
assessing and reporting the results, including following up on corrective action where necessary.

A

Monitoring is intended to ensure that controls are functioning effectively as designed. The question asks for the answer choice that is not a step in monitoring the system. Increasing financial reporting reliability and compliance with laws and regulations are goals of the internal control structure, but they are not steps in the monitoring of that system.

The other answer choices are all steps in the monitoring process, since they relate to evaluating whether the system is functioning as designed.

31
Q

If controls add to the efficiency of operations, management must:

A.
implement the controls immediately.

B.
ask the internal auditor for recommendations.

Correct C.
weigh the benefit of reducing loss or inefficiency against the cost of the control.

D.
consider only the cost of the control.

A

Managers must weigh the benefit of reducing loss or inefficiency against the cost of the controls. They should not implement controls without first understanding whether any benefits of implementing these controls outweigh the costs. Although management can solicit recommendations from the internal auditor, it is not a requirement.

32
Q

A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should:

Correct A.
visibly participate in a global information security campaign.

B.
allocate additional budget resources for external audit services.

C.
review and accept the information security risk assessments in a staff meeting.

D.
refer to the organization’s U.S. human resources policies on privacy in a company newsletter.

A

“All team members” refers to the entire international organization, which implies the executive would provide this message to all employees worldwide. The tone at the top is most clearly demonstrated by personal example set by senior executives. The other answer choices are good behaviors but they are not visible to the worldwide entity.

33
Q

Under COSO, according to SAS 78, management monitors controls for which of the following reasons?

Correct A.
To consider whether controls are operating as intended

B.
To let employees know that errors and irregularities will not be tolerated

C.
To provide data for inclusion in the annual report to shareholders regarding employee honesty and integrity

D.
To provide a check on the efficiency and effectiveness of both the internal and external audit functions

A

To consider whether the controls are operating as intended is an appropriate reason for management to employ a process for monitoring controls.

34
Q

To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit:

A.
access only to authorized users.

B.
read-only access to the database files.

C.
user updates of their access profiles.

D.
updating from privileged utilities.

A

Accounting database files contain sensitive data. Proper control requires that the database administrator permit access only to authorized users of this data.

Permitting read-only access to accounting database files would preclude any updating of those files. Updating from privileged utilities would produce a security breach. Allowing users to update their own access profiles is a security issue.

35
Q

The one component of internal control that sets the tone of an organization, influencing the control consciousness of its people and serving as the foundation for all other components of internal control is:

Correct A.
the control environment.

B.
risk assessment.

C.
control activities.

D.
information and communication.

A

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Risk assessment is the entity’s identification and analysis of relevant risks and the determination of how these risks should be managed. Control activities are the policies and procedures that help ensure that management directives are carried out. Information and communication systems support the identification, capture, and exchange of information.

36
Q

A company controller is concerned that parts may be stolen because there is no formal receiving function (that is, receiving slips are not filled out). Production raw materials are moved from rail cars directly to the production line, and vendors are paid based on actual production. Which of the following comments correctly portrays the current process?

A.
Goods can be paid for only if they have been used in production. Stolen goods or goods not shipped will not be paid for.

B.
There is less handling of goods received, thereby decreasing the cost associated with processing goods received as well as decreasing the opportunities for errors to enter the system.

C.
Shortages of materials in the system will be brought to a supervisor’s attention because of production shutdowns.

D.
All of the answer choices are correct.

A

All of the statements are correct. The advantage of the production-based control procedure is that all significant discrepancies between records become known because production will be shut down. Supervisors are then in a position to take corrective action. A side benefit is that goods cannot be paid for unless they are used in production. Significant discrepancies with a vendor would, however, have to be investigated.

37
Q

The treasurer makes disbursements by check and reconciles the monthly bank statements to accounting records. Which of the following best describes the control impact of this arrangement?

A.
Internal control will be enhanced since these are duties that the treasurer should perform.

Correct B.
The treasurer will be in a position to make and conceal unauthorized payments.

C.
The treasurer will be able to make unauthorized adjustments to the cash account.

D.
Controls will be enhanced because the treasurer will have two opportunities to discover inappropriate disbursements.

A

Having the treasurer in a position to make and conceal unauthorized payments is an example of inadequate segregation of functions. The treasurer could make unauthorized payments and conceal them.

38
Q

Under human resources policies and procedures, what is an appropriate policy or procedure for managing employees?

A.
Hire employees based only on the cover page of their resume.

B.
Do not promote employees on merit.

Correct C.
Train top management to enforce sanctions against employees violating policies.

D.
Hire employees based on passing only the background check.

A

Human resources policies and procedures should include the following:

Hire employees based on the written job requirements
Verify resumes and perform background checks
Promote on both merit and performance
Train members of the organization on many aspects

39
Q

Why is a well-defined organizational structure important?

A.
To inspect corporate records

B.
To elect officers

Correct C.
To define lines of authority

D.
To oversee the internal control structure

A

Organizational structures help no one unless they are well-defined. The structure helps define lines of authority, so an organization does not have too many people in management. This structure creates working relationships between the various employees in the organization.

40
Q

A member of the board of directors of Central Communications Co. is offered a license by a third party to operate a cellular phone system. The director does not present this offer to the board of directors for approval but informally mentions it to a fellow board member, who does not think it will be a problem. The director buys the license. Which of the following statements is correct regarding the director’s actions?

A.
The director breached a duty of care by failing to use prudent business judgment.

B.
The director breached the duty of due diligence.

Correct C.
The director breached a duty of loyalty by usurping a corporate opportunity.

D.
The director acted properly in purchasing the license.

A

Answer A is incorrect because a failure of business judgment relates to making a bad decision.

Answer B is incorrect because a lack of due diligence refers to making a decision without seeking appropriate information.

Answer C is correct because the director put personal interests ahead of corporate interest.

Answer D is incorrect because the director should have presented the opportunity to the corporation instead of acting on it personally.

41
Q

Which of the following is most useful when risk is being prioritized?

A.
Low- and high-probability exposures

B.
Low- and high-degree loss exposures

Correct C.
Expected value

D.
Uncontrollable risks

A

Expected value is the sum of the outcomes (payoff) of each event multiplied by the probability of each event occurring. It combines the likelihood of each outcome with the payoff of that outcome, and so is a way of prioritizing alternatives while considering risk. None of the other answer choices consider both the likelihood and payoff of each alternative course of action.

42
Q

What does enterprise risk management do for an organization?

Correct A.
It manages risks and seizes opportunities to achieve the goals of the organization.

B.
It creates policies and procedures.

C.
It creates risks to achieve the goals of the organization.

D.
It creates progress.

A

Enterprise risk management (ERM) is the process used by organizations to manage risk and seize opportunities to achieve the goals of the organization. It provides a framework for risk management, determines response strategy, and monitors the progress.

43
Q

An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation.

If certain data elements were not defined in the expansion, the following problem could result:

A.
Unlimited access to data and transactions

Correct B.
Incomplete transaction processing

C.
Unauthorized program execution

D.
Manipulation of the database contents by an application program

A

Failure to completely define the program specification blocks (PSB) prevents the application program from accessing or changing data, resulting in incomplete processing.

Data element definition allows application programs to access or change data; therefore, if they are not defined, no access takes place.
Without the program specification blocks, the application program cannot access data and cannot execute.
The desired manipulation of the database contents by an application program cannot take place if program specification blocks are not defined.

44
Q

To identify those components of a telecommunication system (i.e., network) that present the greatest risk, the internal auditor should first:

A.
review the open systems interconnect (OSI) network model.

B.
identify the network operating costs.

Correct C.
determine the business purpose of the network.

D.
map the network software and hardware products into their respective layers.

A

Determining the business purpose of the network will be the best first step to identify those components of a telecommunication system which present the greatest risk.

Reviewing the open systems interconnect (OSI) network model may be done as part of audit preparation.
Identifying the network operating costs may be an audit step.
Mapping the network software and hardware products into their respective layers may be a subsequent audit step.

45
Q

How long must an accountant maintain workpapers on an audit performed?

A.
At least one year

Correct B.
At least seven years

C.
At least three years

D.
The accountant may shred records immediately.

A

Section 103 of the Sarbanes-Oxley Act requires an auditor of an issuer of securities to maintain all audit or review workpapers for at least seven years from the end of the fiscal period in which the audit or review was completed.

46
Q

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?

Correct A.
Risk reduction

B.
Prospect theory

C.
Risk sharing

D.
Risk acceptance

A

Risk reduction helps to lower costs and correct issues within a corporation. If the manufacturing firm relocates to an area closer to a firm that can provide the raw materials, the firm will reduce the risk of higher costs.

Management should always be in the process of identifying risks in order to assess and respond accordingly.

47
Q

All of the following are procedures of a change control process, except:

A.
the change control board approves the change.

Correct B.
once the work is done, the process is released without testing.

C.
schedules are set up.

D.
the project manager keeps things running smoothly.

A

The procedures for a well-defined change control process would include the following:

The change control board approves the change and assigns a project manager.
The project manager makes sure all paperwork has been received and approved.
The project manager sets up schedules for all personnel involved.
The projects are completed.
Changes are tested and approved before release.

48
Q

Regarding the requirements of the Sarbanes-Oxley Act, officers of a company are not permitted to:

Correct A.
move the activities of the organization outside of the United States to avoid complying with the Sarbanes-Oxley Act.

B.
report deficiencies of internal controls.

C.
report material misstatements.

D.
keep the organization transparent.

A

Officers of an organization are not permitted to move the activities of the company outside of the United States in order to avoid the Sarbanes-Oxley Act requirements.

49
Q

Communications risk has increased in recent years primarily because of changes in which of the following?

Correct A.
Technology used

B.
Asset accessibility

C.
Business regulations

D.
Duties of managers

A

Technological change, particularly in the area of telecommunications, has greatly increased communications risk for businesses utilizing this technology. Inadequate access security on telecommunication systems tied into entity computer files can lead to loss of data and theft of assets.

50
Q

Which of the following items is one of the eight components of COSO’s enterprise risk management framework?

A.
Operations

B.
Reporting

Correct C.
Monitoring

D.
Compliance

A

The eight components of COSO’s ERM framework are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. ERM processes must be monitored, deficiencies reported to management, and modifications performed when required.

51
Q

Communications risk is concerned with the unauthorized access to and manipulation of which of the following?

A.
Signatures

B.
Assets

C.
Liabilities

Correct D.
Data

A

Recent significant increases in the use of and reliance on telecommunications procedures and devices have resulted in greater risk of data theft and manipulation.

52
Q

Who is the person ultimately responsible for enterprise risk management within a company?

A.
The chief financial officer

B.
The managers

C.
Other entity personnel

D.
The chief executive officer

A

Enterprise risk management is the responsibility of everyone in an organization. The individual ultimately responsible for risk management is the chief executive officer, who should assume ownership.

53
Q

According to COSO, which of the following is a compliance objective?

A.
To maintain adequate staffing to keep overtime expense within budget

Correct B.
To maintain a safe level of carbon dioxide emissions during production

C.
To maintain material price variances within published guidelines

D.
To maintain accounting principles that conform to GAAP

A

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the internal control structure provides reasonable assurance that three business objectives are achieved. One of those objectives is compliance with applicable laws and regulations, which fits the answer choice “to maintain a safe level of carbon dioxide emissions during production.” OSHA regulations requiring a safe workplace cover the maintenance of a safe level of emissions to protect workers. The other answer choices refer to the COSO objectives of operating effectiveness/efficiency and financial statement reliability.

54
Q

Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management’s response to the risk. According to COSO, which of the following types of risk does this situation represent?

A.
Inherent risk

Correct B.
Residual risk

C.
Event risk

D.
Detection risk

A

Answer A is incorrect because inherent risk is the risk that exists before management takes any steps to control the likelihood or impact of a risk.

Answer B is correct because residual risk is the risk that remains after management reacts to the risk, such as by instituting appropriate internal controls.

Answer C is incorrect because event risk is the risk of unforeseen events associated with a particular entity, not after management responds to the risk.

Answer D is incorrect because detection risk is the risk that auditors fail to detect a material misstatement in financial statements.

55
Q

Which of the following actions is required to ensure the validity of a contract between a corporation and a director of the corporation?

A.
An independent appraiser must render to the board of directors a fairness opinion on the contract.

Correct B.
The director must disclose the interest to the independent members of the board and refrain from voting.

C.
The shareholders must review and ratify the contract.

D.
The director must resign from the board of directors.

A

A corporation is permitted to enter into a contract for services or goods with a board member (director). This type of a transaction is called a “related-party transaction.” This action could be seen by shareholders as preferential treatment to the director who receives the contract, and it could be interpreted as a lack of due care on the part of the directors in carrying out the corporation’s business.

In order to invoke the business judgment rule, where the directors are protected from shareholder lawsuits alleging a lack of due care, the board must:

make an informed decision,
eliminate conflict of interest, and
have a rational basis for the decision.

A rational basis for the decision could be that these services or products are not available elsewhere, or the director is offering the best quality for the lowest price (which would be in the shareholders’ favor). In order to make an informed decision, the board must review all of its options and then come to the conclusion that the best decision is to contract with the director. Finally, to eliminate conflict of interest, the director must disclose his or her interest in the contract to the board and refrain from voting.

It is not necessary that the contract be reviewed by an independent appraiser, that the shareholders approve the contract, or that the director resign.

56
Q

Which statement regarding the control environment of a small- to mid-size entity is true?

A.
They implement the control environment exactly like a larger entity.

Correct B.
Their culture is strongly influenced by the integrity and ethical behavior of top management.

C.
They always have a written code of conduct.

D.
The characteristics of top management style and attitude are less pronounced in smaller organizations.

A

A small- to mid-size entity’s culture is strongly influenced by the integrity and ethical behavior of top management. They may implement the control environment differently than a larger entity. They may not have a written code of conduct. The characteristics of top management style and attitude are more pronounced in smaller organizations.

57
Q

Internal auditors play a role in assessing an organization’s risk management by determining if:

A.
organizational objectives are distinct and separate from the organization’s mission.

B.
significant risks are completely and fully mitigated.

C.
risk responses have been selected that increase the organization’s risk appetite.

Correct D.
relevant risk information is captured and communicated in a timely manner.

A

Internal auditors are required by the International Standards for the Professional Practice of Internal Auditing (set forth by the IIA, Institute of Internal Auditors) to evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

organizational objectives support and align with the organization’s mission,
significant risks are identified and assessed,
appropriate risk responses are selected that align risks with the organization’s risk appetite, and
relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

IIA International Standards for the Professional Practice of Internal Auditing 2120

58
Q

The Sarbanes-Oxley Act requires that all financial statements include:

A.
all material off-balance-sheet liabilities, obligations, or transactions.

B.
all immaterial off-balance-sheet liabilities, obligations, or transactions.

C.
only material off-balance-sheet liabilities.

D.
neither material nor immaterial off-balance-sheet liabilities, obligations, or transactions.

A

All material off-balance-sheet liabilities, obligations, or transactions must be reported on financial statements. This helps the user understand the full scope of the firm’s financial obligations.