Unit 6 Test Flashcards
An organization’s internal controls have been deemed effective by management and external audits for the last five years. A proposal is made to upgrade the enterprise resource planning (ERP) system at a significant cost. The proposal mentions slightly increased IT controls to better detect errors.
Which modifying assumption would keep management from implementing the upgrade?
- Management responsibility
- Reasonable assurance
- System limitations
- Methods of data processing
Reasonable assurance
The correct answer is “Reasonable assurance.” The reasonable assurance modifying assumption states that the four objectives of internal control are met in a cost-effective manner. The upgrade is expensive, and the benefits will be limited. Since the current system is effective, the management team may decide to reject the upgrade due to cost-effectiveness.
Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is comparing a company’s organization chart to the prior year’s chart to identify new personnel who are responsible for internal controls?
- Control activities
- Control environment
- Risk assessment
- Monitoring
Risk assessment
The correct answer is “Risk assessment.” Risk assessment’s purpose is to identify, analyze, and manage risks related to financial reporting. New personnel create risk because they may not fully understand or be aware of an organization’s internal controls.
What is one of the four areas that ethical issues in business can be divided into?
- Risk minimization
- Honesty
- Proportionality
- Computer ethics
Honesty
The correct answer is “Honesty.” Ethical issues in business can be divided into the areas of equity, rights, honesty, and exercise of corporate power. These areas can be used to assess any ethical situation, whether it is a computer-based issue or not.
A disgruntled employee places a logic bomb to erase an organization’s supplier list.
Which type of fraud does this scenario reflect?
- Program fraud
- Operations fraud
- Scavenging fraud
- Database management fraud
Database management fraud
The correct answer is “Database management fraud.” Database management fraud involves altering, deleting, corrupting, destroying, or stealing an organization’s data.
Which access point is the most common for committing computer fraud?
- Information dissemination
- Data collection
- Information generation
- Data processing
Data collection
The correct answer is “Data collection.” The data collection stage is the most common access point for perpetrating computer fraud.
According to the Public Company Accounting Oversight Board (PCAOB) Standard No. 5, auditors need to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported.
Which accounts are affected by this requirement?
- All financial accounts of an organization
- All financial accounts with material implications for financial reporting
- All financial accounts with implications for financial reporting
- All financial and nonfinancial accounts of an organization
All financial accounts with material implications for financial reporting
The correct answer is “All financial accounts with material implications for financial reporting.” The auditors are interested in the financial accounts that can materially affect the accuracy of the financial statements.
Management is required to provide external auditors with documented evidence of functioning controls related to selected material accounts in a report on control effectiveness.
How is this evidence obtained?
- The IT department documents this evidence.
- The internal audit department documents this evidence.
- The documented evidence is provided by the information system.
- The documented evidence is provided by the information system vendor.
The internal audit department documents this evidence.
The correct answer is “The internal audit department documents this evidence.” The internal audit department of the organization would perform and document the necessary tests.
What is a common form of contra-security behavior?
- Changing passwords
- Complex passwords
- Challenge-response syndrome
- Post-it syndrome
Post-it syndrome
The correct answer is “Post-it syndrome.” The post-it syndrome, in which passwords are written down and displayed for others to see, is a contra-security behavior.
What are two general forms of risk related to the technology of network communications?
- Data corruption and degraded computer performance
- Subversive threats and equipment failures
- Abuse of authority and application errors
- Internal and external individuals who exploit security flaws
Subversive threats and equipment failures
The correct answer is “Subversive threats and equipment failures.” The technology of network communications is subject to two general forms of risk: subversive threats and equipment failures.
What represents an equipment failure risk in a communication system?
- A denial-of-service attack
- A loss of databases stored on network servers
- A computer hacker gaining unauthorized access
- A computer criminal intercepting a message
A loss of databases stored on network servers
The correct answer is “A loss of databases stored on network servers.” Equipment failures can result in the loss of databases and programs stored on network servers.
Which information technology (IT) test category verifies that credit checks and accounts payable (AP) three-way matches are performed by an application?
- Accuracy test
- Completeness test
- Validity test
- Redundancy test
Validity test
The correct answer is “Validity test.” A validity test verifies that credit checks and AP three-way matches are properly performed by the application.
Which characteristic applies to black box testing?
- It is used for inputs and outputs that are easily reconciled.
- It requires the use of generalized audit software.
- It is used on complex applications.
- It requires test files for execution.
It is used for inputs and outputs that are easily reconciled.
The correct answer is “It is used for inputs and outputs that are easily reconciled.” Black box testing is feasible for applications that are relatively simple with inputs and outputs that are easily reconciled.
Why is an accumulator routine used in a banking application?
- To explain differences in reporting
- To address rounding errors
- To collect account balances
- To catch overpayments
To address rounding errors
The correct answer is “To address rounding errors.” An accumulator routine is a special technique used to keep track of the rounding differences between calculated and reported balances.
Which scenario accurately represents the general approach used to test application controls for a batch processing application?
- Auditor-created data are submitted in a transaction file.
- Accountant-created data are submitted from their workstations.
- Auditor-created data are submitted via a dummy terminal.
- Accountant-created data are submitted in a data upload.
Auditor-created data are submitted in a transaction file.
The correct answer is “Auditor-created data are submitted in a transaction file.” Auditor-created data are submitted in a transaction file.
Which component of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is being considered when an auditor is reviewing a walk-through and process narrative of an established process and decides to gain an understanding of the process by tracing a single transaction from the source documents through the accounting information system to the financial statements?
- Risk assessment
- Control environment
- Information and communication
- Monitoring
Information and communication
The correct answer is “Information and communication.” By gaining an understanding of the process and following a transaction through the system, an auditor can assess how the system processes information (transaction processing) and communicates the results (reporting). Testing a single transaction would not qualify as testing the control environment, ensuring monitoring, or showing how management assesses risk. It would help in gaining an understanding of what information is in the system and how it is reported.
Which internal control is primarily supported by a manager’s review of a checklist after a task has been completed?
- Measure compliance with an organization’s prescribed policies and procedures
- Ensure the accuracy and reliability of accounting records and information
- Confirm management is safeguarding an organization’s assets
- Promote efficiency in a firm’s operations
Measure compliance with an organization’s prescribed policies and procedures
What is a limitation of the preventive-detective-corrective (PDC) control model?
- Is conceptually incomplete
- Lacks management accountability
- Does not address risk
- Lacks practical guidance
Lacks practical guidance
The correct answer is “Lacks practical guidance.” Conceptually, the PDC framework addresses all necessary areas regarding preventing, detecting, and correcting errors, but it fails to give specific examples of controls to implement.
According to the Sarbanes-Oxley Act (SOX), what is management’s responsibility regarding controls designed to prevent and detect fraud that could lead to financial statements being materially misstated?
- Management is responsible for reviewing controls.
- Management is responsible for implementing controls.
- Management is responsible for testing controls.
- Management is responsible for attesting to the quality of controls.
Management is responsible for implementing controls.
The correct answer is “Management is responsible for implementing controls.” Management is responsible for implementing the controls designed to prevent and detect fraud that could lead to financial statements being materially misstated.
After completing the annual audit for a publicly traded company, an external auditor issues a qualified opinion about the effectiveness of internal controls.
What is the implication of this finding?
- The auditor issued an unqualified opinion on the fairness of the financial statements.
- The auditor issued a qualified opinion on the fairness of the financial statements.
- The auditor identified no material weaknesses in internal controls.
- The auditor identified at least one material weakness in internal controls.
The auditor identified at least one material weakness in internal controls.
The correct answer is “The auditor identified at least one material weakness in internal controls.” The standard for the audit opinion on internal controls is high. The auditor cannot issue an unqualified opinion if one material weakness in internal control is detected.
What is the role of management regarding the effectiveness of internal controls over financial reporting, according to the Sarbanes-Oxley Act (SOX)?
- Review their effectiveness
- Test their effectiveness
- Attest their effectiveness
- Assess their effectiveness
Assess their effectiveness
The correct answer is “Assess their effectiveness.” SOX mandates that management must assess the effectiveness of the organization’s internal controls over financial reporting.
Why should the systems development function be separated into two independent groups: new systems development and systems maintenance?
- To improve systems documentation
- To increase operational feasibility
- To improve user satisfaction
- To increase cost savings
To improve systems documentation
The correct answer is “To improve systems documentation.” The segregation of duties between the new systems development team and the systems maintenance team leads to improved systems documentation. The maintenance group needs to have adequate documentation to perform their maintenance duties.
Which trait is associated with an antiviral program?
- The program is a safeguard for mainframes, networks, and personal computers.
- The program works on mutations and modified changes.
- The program must be started by executing an application.
- The program tests specifically selected files uploaded to a host.
The program is a safeguard for mainframes, networks, and personal computers.
The correct answer is “The program is a safeguard for mainframes, networks, and personal computers.” Antiviral programs are used to safeguard mainframes, networks, and personal computers.
What is an example of a password standard?
- Discretionary access privilege
- Privileged personnel access
- Expiration interval
- Access token
Expiration interval
The correct answer is “Expiration interval.” Password expiration interval is an example of a password standard.
Which control objective ensures that no module should be allowed to destroy or corrupt another module?
- The operating system must protect users from each other.
- The operating system must be protected from itself.
- The operating system must be protected from the environment.
- The operating system must protect itself from other users.
The operating system must be protected from itself.
The correct answer is “The operating system must be protected from itself.” The operating system is made up of modules. For the operating system to be protected from itself, no module should be allowed to destroy or corrupt another module.
Which test is used to determine that an application creates an adequate audit trail?
- Verifying authority tables
- Recalculating control totals
- Reviewing record counts
- Recording all transactions
Recording all transactions
The correct answer is “Recording all transactions.” Audit trail tests include obtaining evidence that the application records all transactions.
Why does a simulated application reprocess transactions that a production application previously processed?
- For reconciliation purposes
- To ensure processing
- To remove errors
- For backup purposes
For reconciliation purposes
The correct answer is “For reconciliation purposes.” The results obtained from the simulation are reconciled with the results of the original production run to determine if application processes and controls are functioning correctly.
Who reconciles simulation output with production data?
- Auditor
- Information technology (IT) specialist
- Management
- Accountant
Auditor
The correct answer is “Auditor.” The auditor reconciles simulation output with production data.
What is used in a test of credit approvals?
- Purchase order
- Sales amount
- Quantity ordered
- Expected price
Sales amount