CH 9+10

Question 1

Why is an understanding of internal control important?

Answer 1

Understanding internal control is critical because it helps ensure quality of information, efficient operations, security over assets, and compliance with regulations.

Question 2

What are internal controls? How does the Sarbanes-Oxley 404 view of internal control over financial reporting differ?

Answer 2

Internal controls are processes designed to provide reasonable assurance regarding financial reporting, operational efficiency, and regulatory compliance. Sarbanes-Oxley 404 requires management and auditors to assess and report on the effectiveness of internal controls over financial reporting.

Question 3

How does an error compare and contrast to an irregularity in financial reporting?

Answer 3

An error is an unintentional mistake in financial reporting, while an irregularity is a deliberate act of fraud or misrepresentation.

Question 4

What is the COSO (2013) framework? What is it used for?

Answer 4

The COSO (2013) framework is a model for designing and evaluating internal controls. It is used to ensure the effectiveness of internal controls in achieving financial reporting accuracy, operational efficiency, and regulatory compliance.

Question 5

What are the components of the COSO framework?

Answer 5

The five components are:

1. Control Environment – Ethical culture, governance, and accountability.
2. Risk Assessment – Identifying and evaluating risks.
3. Control Activities – Policies and procedures to mitigate risk.
4. Information & Communication – Effective data flow and reporting.
5. Monitoring – Continuous assessment of controls.

Question 6

Provide three examples of control activities. What activities should be segregated?

Answer 6

Examples:

1. Authorization procedures.
2. Reconciliation of accounts.
3. Physical asset security.

Segregation of duties should be applied to authorization, recordkeeping, and custody of assets.

Question 7

How does the control environment affect the effectiveness of control activities?

Answer 7

A strong control environment enhances effectiveness by promoting ethical behavior and accountability, while a weak environment can undermine controls.

Question 8

How do ethical values affect internal control over financial reporting?

Answer 8

Ethical values ensure integrity in financial reporting. The SEC emphasizes corporate ethics, and organizations can measure them through audits, surveys, and monitoring of compliance programs.

Question 9

What is risk assessment, and how does it relate to the COSO (2013) framework?

Answer 9

Risk assessment is the identification and evaluation of risks that may impact an organization. It is a key component of COSO and helps determine necessary internal controls.

Question 10

What is monitoring, and how does it relate to the COSO (2013) framework?

Answer 10

Monitoring is the continuous assessment of internal controls to ensure they function properly. It differs from control activities as it focuses on oversight rather than execution.

Question 11

What are management’s responsibilities under Section 404 of the Sarbanes-Oxley Act?

Answer 11

Management must assess and report on the effectiveness of internal controls over financial reporting.

Question 12

What are the inherent limitations of a “perfectly” designed internal control system?

Answer 12

No system is perfect due to human error, collusion, management override, and evolving risks.

Question 13

What is the main difference between application and general IT security controls?

Answer 13

Application controls focus on transaction-level security, while general controls apply to the overall IT environment, such as network security and access management.

Question 14

What are the three types of application controls? Provide an example.

Answer 14

1. Input controls – Validity checks on entered data.
2. Processing controls – Ensuring calculations are performed correctly.
3. Output controls – Restricting access to reports.

Question 15

What is phishing, and why is it a threat?

Answer 15

Phishing is a cyberattack where attackers trick users into providing sensitive information. It threatens data security and financial integrity.

Question 16

What is ransomware, and why is it harmful to businesses?

Answer 16

Ransomware is malicious software that encrypts data and demands payment for decryption. It disrupts operations and leads to financial losses.

Question 17

Why is encryption used in accounting?

Answer 17

Encryption protects sensitive financial data from unauthorized access and ensures data integrity.

Question 18

What is patch management?

Answer 18

Patch management is the process of updating software to fix security vulnerabilities and improve system performance.

Question 19

What is a disaster recovery plan? Are they necessary? What should be included?

Answer 19

A disaster recovery plan outlines procedures for restoring IT operations after an incident. It is necessary for business continuity and should include data backup strategies, alternate processing sites, and emergency response protocols.

Question 20

What are the three types of disaster recovery options?

Answer 20

1. Hot site – Fully operational backup facility.
2. Cold site – Infrastructure without pre-installed systems.
3. Warm site – A balance between hot and cold, with some pre-configured resources.

Question 21

Which control would reduce the likelihood of someone receiving an expense check for $65,000 more than they were entitled to?

Answer 21

Limit check.

Question 22

What best describes a computer virus?

Answer 22

A list of instructions to a computer that can replicate itself and attach to another program.

Question 23

Which approach to alternate processing facilities presents the least risk to a company?

Answer 23

Recovery operations center.

Question 24

Physical access and protection falls under which category of control?

Answer 24

General control.

Question 25

What control can prevent a vendor payment due date from being entered as 2001 instead of 2010?

Answer 25

Validity check.

Question 26

What control can prevent omission of a due date from a payment input?

Answer 26

Completeness check.

Question 27

What control can prevent an accounts payable clerk from missing one of 52 check requisitions sent for processing?

Answer 27

Reconciliation and batch totals.

Question 28

What control can prevent unauthorized access to a school’s computer system to change grades?

Answer 28

Strong password policies and access control measures.

Question 29

What control can prevent an employee from coding an expense to a non-existent department?

Answer 29

Validity check.

Question 30

What control can prevent an employee from entering a letter instead of a number in a payroll deduction form?

Answer 30

Field check.

Question 31

What is Expected Loss?

Answer 31

Exposure x Probability of Occurrence.

Question 32

What is Inherent Risk?

Answer 32

Risk that is faced prior to taking action.

Question 33

What is Residual Risk?

Answer 33

Risk that remains after management takes action to respond to the risks threats and implements counteractions.

Question 34

What is Collusion?

Answer 34

When two employees work together to defeat the system to commit fraud.

Question 35

What is Pressure in the context of the fraud triangle?

Answer 35

Element of the fraud triangle that is the motive to commit the fraud.

Question 36

What is Opportunity in the context of the fraud triangle?

Answer 36

Element of the fraud triangle that is the availability to commit the fraud.

Question 37

What is Rationalization in the context of the fraud triangle?

Answer 37

Element of the fraud triangle that is the reasoning to commit the fraud.

Question 38

What is the Fraud Triangle?

Answer 38

Requires all three elements, pressure, opportunity, and rationalization, to commit fraud.

Question 39

What is Segregation of Accounting Duties?

Answer 39

Different individuals should be responsible for each of the three major activities of a transaction: approval, recordkeeping, and custody.

Question 40

What is a Validity Check?

Answer 40

Ensures that account numbers or customers exist.

Question 41

What are Application Controls?

Answer 41

Ensures the accuracy of specific input, processing, and output.

Question 42

What is a Consistency Check?

Answer 42

Reviewing output to make sure there are no obvious problems.

Question 43

What is a Check Digit?

Answer 43

Extra character added to account number to ensure no transpositions or other data errors have been made.

Question 44

What is a Limit Check?

Answer 44

Checks to be sure that pre-established thresholds are not exceeded.

Question 45

What is a Completeness Check?

Answer 45

Ensures that all required fields are filled in.

Question 46

What is a Field Check?

Answer 46

Determines whether the characters in a field are of the proper type.

Question 47

What is Prenumbering?

Answer 47

Used to keep track of transactions and to ensure that all authorized transactions are processed once and only once.

Question 48

What is a Firewall?

Answer 48

Used to filter data packets from the internet and drop data packets coming from unauthorized network servers.

Question 49

What is Malware Prevention?

Answer 49

Software that prevents malicious code from infecting your computer.

Question 50

What are Reasonableness Tests?

Answer 50

Ensures that items make sense in relation to one another.

Question 51

What is Ransomware?

Answer 51

Malware that locks you out of the system and requires you to pay a ransom in order for your data to be unlocked.

Question 52

What is Patch Management?

Answer 52

Update to fix software bugs.

Question 53

What is Biometric Identification?

Answer 53

A security measure that can identify unique physical characteristics.

Question 54

What is a Lockout Procedure?

Answer 54

Tries at password then system shuts off.

Question 55

What are Callback Procedures?

Answer 55

Allows you to log in then shuts off and calls you back at an authorized location.

Question 56

What is Encryption?

Answer 56

Uses an algorithm to scramble data so that anyone gaining unauthorized access to it cannot read it without a key.

Question 57

What is IPE (Information Produced by the Entity)?

Answer 57

Information produced by the entity.

Question 58

What is Phishing?

Answer 58

Attempts to steal credit card and other sensitive information through social engineering.

Question 59

What is Source Data?

Answer 59

The total of all the dollars input to a particular batch.

Question 60

What are Disaster Recovery Plans?

Answer 60

Comprehensive outlines of the actions that should be taken before, during, and after an earthquake, fire, or terrorist attack along with tested procedures to ensure continuity of operations.