Corporate Governance Flashcards
Why is a well-defined organizational structure important?
A. To inspect corporate records
B. To elect officers
C. To define lines of authority
D. To oversee the internal control structure
C. To define lines of authority
Organizational structures help no one unless they are well-defined. The structure helps define lines of authority, so an organization does not have too many people in management. This structure creates working relationships between the various employees in the organization.
An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation.
If certain data elements were not defined in the expansion, the following problem could result:
A. Unlimited access to data and transactions
B. Incomplete transaction processing
C. Unauthorized program execution
D. Manipulation of the database contents by an application program
B. Incomplete transaction processing
Failure to completely define the program specification blocks (PSB) prevents the application program from accessing or changing data, resulting in incomplete processing.
Data element definition allows application programs to access or change data; therefore, if they are not defined, no access takes place.
Without the program specification blocks, the application program cannot access data and cannot execute.
The desired manipulation of the database contents by an application program cannot take place if program specification blocks are not defined.
Internal controls are likely to fail for any of the following reasons, except:
A. they are not designed and implemented properly at the outset.
B. they are designed and implemented properly as static controls, but the environment in which they operate changes.
C. they are designed and implemented properly, but their operation changes in some way.
D. they are designed and implemented properly, and their design changes as processes change.
D. they are designed and implemented properly, and their design changes as processes change.
Control activities are only designed to provide reasonable assurance related to the achievement of the stated objectives. Internal control will fail if the control is not designed, implemented, monitored, and modified for operational changes. If the control is designed and implemented properly, and the design changes as processes change, then the control should not fail.
Internal controls are likely to fail if they are not designed and implemented properly, are static in nature (i.e., the control does not adapt to changes in the operating environment), or change operationally.
Internal auditors play a role in an entity’s internal control through all of the following methods except:
A. implementing control activities.
B. evaluating the effectiveness of controls.
C. promoting continuous improvement.
D. evaluating the efficiency of controls.
A. implementing control activities.
Internal auditors are required by the International Standards for the Professional Practice of Internal Auditing (set forth by the IIA, Institute of Internal Auditors) to assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal auditors do not act as management by implementing control activities. In fact, they are prohibited from doing so and must remain independent. Internal auditors cannot assess operations for which they have been responsible.
IIA International Standards for the Professional Practice of Internal Auditing 2130
According to COSO, each of the following is an example of an appropriate ongoing monitoring activity, except:
A. follow-up of customer and vendor complaints regarding amounts due and owed.
B. periodic analysis of variances between expectations and actual results.
C. comparisons of information from various sources within the company.
D. approval of high-dollar transactions by supervisors.
D. approval of high-dollar transactions by supervisors.
Monitoring of controls is a process that assesses the quality of internal control performance over time. Monitoring involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
Approval of high-dollar transactions is a control activity, not a monitoring activity. The other answer choices are all examples of monitoring activities.
A senior executive of an international organization who wishes to demonstrate the importance of the security of company information to all team members should:
A. visibly participate in a global information security campaign.
B. allocate additional budget resources for external audit services.
C. review and accept the information security risk assessments in a staff meeting.
D. refer to the organization’s U.S. human resources policies on privacy in a company newsletter.
A. visibly participate in a global information security campaign.
“All team members” refers to the entire international organization, which implies the executive would provide this message to all employees worldwide. The tone at the top is most clearly demonstrated by personal example set by senior executives. The other answer choices are good behaviors but they are not visible to the worldwide entity.
According to COSO, an executive’s deliberate misrepresentation to a banker who is considering whether to make a loan to an enterprise is an example of which of the following internal control limitations?
A. Costs versus benefits
B. Management override
C. Breakdown
D. Collusion
B. Management override
Internal control activities are only designed to provide reasonable assurance related to the achievement of the stated objectives. In other words, not all risk is eliminated.
Limitations related to the control process include the following:
Limitations on staff size
Cost versus benefit on implementation and monitoring
Breakdowns in communication, training, and technology
Employee collusion
Management override
All of the answer choices are limitations of internal control, but only management override is indicative of a deliberate action of only one individual to avoid internal controls.
The treasurer makes disbursements by check and reconciles the monthly bank statements to accounting records. Which of the following best describes the control impact of this arrangement?
A. Internal control will be enhanced since these are duties that the treasurer should perform.
B. The treasurer will be in a position to make and conceal unauthorized payments.
C. The treasurer will be able to make unauthorized adjustments to the cash account.
D. Controls will be enhanced because the treasurer will have two opportunities to discover inappropriate disbursements.
B. The treasurer will be in a position to make and conceal unauthorized payments.
Having the treasurer in a position to make and conceal unauthorized payments is an example of inadequate segregation of functions. The functions of disbursing funds and reconciling the related cash account should be assigned to different personnel.
Many organizations are critically dependent on information systems to support daily business operations. Consequently, an organization may incur significant loss of revenues or incur significant expenses if a disaster such as a hurricane or power outage causes information systems processing to be delayed or interrupted.
Which of the following activities is necessary to determine what would constitute a disaster for an organization?
A. Risk analysis
B. File and equipment backup requirements analysis
C. Vendor supply agreement analysis
D. Contingent facility contract analysis
A. Risk analysis
Risk analysis is necessary to determine an organization’s definition of a disaster and evaluate the effect of that disaster.
System backup analysis, vendor supply agreement analysis, and contingent facility contract analysis are all contingency planning strategies to react to a disaster.
According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?
A. Control baseline
B. Change identification
C. Change management
D. Control revalidation/update
B. Change identification
The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity’s ability to manage those changes. To “identify and address changes” is part of change identification.
The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.