
Section D

Internal Controls
Part 1


Topic 1 Risk assessment, controls, and risk management
Topic 2 Internal auditing
Topic 3 Systems controls and security measures

Q1:
When management of the sales department has the opportunity to override the system of
internal controls of the accounting department, a weakness exists in

monitoring.

risk management.

the control environment.

information and communication.
The correct answer is: the control environment.

The control environment includes the attitude of management toward the concept of
controls.
Q2:
When planning an audit, the auditor needs to evaluate audit risk where the auditor may
unknowingly fail to appropriately modify his opinion on financial statements that are
materially misstated. Audit risk is composed of

inherent risk, control risk, and detection risk.

risk of incorrect rejection, risk of incorrect acceptance, risk of overreliance, and risk of
underreliance.

tolerable error risk, sampling error risk, and inherent risk.

tolerable rate risk, sampling rate risk, and inherent risk.
The correct answer is: inherent risk, control risk, and detection risk.

Audit Risk = (Inherent Risk x Control Risk x Detection Risk)

Inherent risk is the probability of a misstatement due to an error or fraud. Control risk is the
probability that the misstatement gets past the client's internal control system. Detection risk
is the probability that the misstatement is not detected by the auditor.
Q3:
Which of the following is a reason for independent checks?

To assess an employee and determine whether he or she is following control
procedures

To ensure that management appears compliant with external audit standards

To ensure that mistakes can be corrected within the fiscal year they are made

To detect and correct errors and misappropriation of assets
The correct answer is: To detect and correct errors and misappropriation of assets
Independent checks are a preventive measure. They try to catch mistakes before they
become integrated into the financial system, thus providing a higher level of assurance of
financial integrity.

Q4:
To prevent or detect potential fraudulent actions that could result from unexecuted
computer program code designed to be activated if an unscrupulous programmer becomes
dissatisfied or is terminated, auditors seek to identify and review unexecuted program
codes. Auditors can accomplish this through the use of which one of the following methods?

Scanning routines.

Mapping programs.

Test data processing.

Regression testing.
The correct answer is: Mapping programs.

Mapping programs are used to identify those portions of the software application program
code that are not executed and not triggered by some event.

Q5:
Control risk is the risk that a material error in an account will not be prevented or detected
on a timely basis by the client's internal control system. The best control procedure to
prevent or detect fictitious payroll transactions is

personnel department authorization for hiring, pay rate, job status, and termination.

storage of unclaimed wages in a vault with restricted access.

to use and account for prenumbered payroll checks.

internal verification of authorized pay rates, computations, and agreement with the
payroll register.
The correct answer is: personnel department authorization for hiring, pay rate, job status,
and termination.

An independent personnel department responsible for hiring personnel, maintaining
personnel records, and processing and documenting personnel terminations is a key control
needed to prevent or detect fictitious personnel.
Q6:
The chief audit executive has a dynamic role in any organization. The responsibilities of this
role include all of the following except:

Defining the nature and scope of work for internal audit.

Communicate audit results and improvements to management.

Establishing procedures for internal audit.

Assist management in ensuring that profitability expectations are met.
The correct answer is: Assist management in ensuring that profitability expectations are
met.
The chief audit executive's role is to manage the internal audit activity effectively, ensuring
that it adds value to the organization. The responsibilities of this role include:
Establishing risk-based plans
Communicating plans to senior management and the board
Ensuring that sufficient resources are available to carry out the plans
Establishing policies and procedures to guide audit activity
Coordinating activities and sharing information
Reporting relevant information periodically to senior management and the board
Defining the nature of work
Q7:
Sam needs to send a check to a contract worker. The check number is on the check, and the
computer program adds a second number while printing the check to aid in tracking the
transaction. This is an example of

a program access control.

an output control.

a processing control.

an input control.
The correct answer is: an output control.
Output controls ensure accuracy and validity of information. They include controls for
validating processing results such as activity reports. Output controls regulate the
distribution and disposal of printed output, including pre-numbered checks.

Q8:
Data processed by a computer system are usually transferred to some form of output
medium for storage. However, the presence of computerized output does not, in and of
itself, ensure the output's accuracy, completeness, or authenticity. For this assurance,
various controls are needed. The major types of controls for this area include

transaction controls, general controls, and printout controls

tape and disk output controls and printed output controls.

hash totals, tape and disk output controls, and printed output controls.

input controls, tape and disk output controls, and printed output controls.
The correct answer is: input controls, tape and disk output controls, and printed output
controls.

Controls necessary to assure the accuracy of system output are called application controls.
Application controls consist of controls over input, processing, and output.
Q9:
Which of the following are responsibilities of the audit committee?
I. Aid in the choice of accounting methods and policies.
II. Document internal control procedures.
III. Sign quarterly and annual financial reports.
IV. Choose the auditor and approve auditor compensation.
V. Review the auditor's suggestions for improved internal control.

I, IV, and V only

I, II, III, IV, and V

I, II, and III only

I, III, IV, and V only
The correct answer is: I, IV, and V only
The audit committee performs the following tasks:


Reviews the company's internal control structure
Aids in the choice of accounting methods and policies
Reviews quarterly reports
Chooses the auditor and approves auditor compensation
Reviews the audit plan
Reviews the auditor's suggestions for improved internal control
Reviews the audit report and the audited annual report
Q10:
Which input control would be most effective to mitigate risks related to paying large dollar
invoices without management approval?

Passwords

A limit check

Control total

Check digit
The correct answer is: A limit check
A limit check can be set to restrict the maximum dollar amount of an invoice that can be
processed without specific authorization of management.
Q11:
The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components including control activities. Control activities include all of the following except:

Risk Management.

Independent verifications.

Adequate separation of duties.

Adequate documentation and records.
The correct answer is: Risk management
Control activities are policies and procedures established and implemented to help ensure
that the risk responses are effectively carried out. The 1992 Internal Control Integrated
Framework lists six control activities:
The assignment of authority and responsibility (job descriptions)
A system of transaction authorizations
Adequate documentation and records
Security of assets
Independent verifications
Adequate separation of duties

Q12:
Procedures to limit the physical access to information systems hardware include all of the
following except:

requiring swipe card access to restricted areas.

requiring dual control of valuable assets

sending confirmations to satellite offices.

employing security guards
The correct answer is: sending confirmations to satellite offices
Internal controls designed to protect the firm's physical assets are often the most visible
safeguarding controls. Such controls include door locks, security systems, computer
passwords, and requirements for dual control of valuable assets.

Q13:
Which of the following are examples of systems development controls?
I. Each systems programmer is responsible for only a portion of the total program code.
II. The systems development manager runs a program that checks for unauthorized lines of
code, such as Trojan horses.
III. The computer tracks how long each person is on the Internet.
IV. A pilot review is run when the system is completed, tracking data results against results
from the previous version of the system.

II and IV only

I, II, and IV only

I, II, III, and IV

I and II only
The correct answer is: I, II, and IV only
Tracking how long an employee is on the Internet is not an example of systems development
controls. It may be an example of internal controls to promote efficiency.

Q14:
A variety of controls can be implemented to limit unauthorized access to an accounting
information system by external users. All of the following are acceptable access controls
except:

segregation of duties.

user IDs and profiles

passwords

encryption of data
The correct answer is: segregation of duties
Companies must use a variety of controls to protect their systems and data from
unauthorized access, beginning, at the most basic, with passwords. Software-based access
controls such as user IDs and profiles allow the system administrators to manage access
privileges. An additional step many firms take is to encrypt data so that unauthorized users
who have been able to bypass first-level controls are not able to read, change, add to, or
remove the data.

Q15:
Which of the following are responsibilities of management?
I. Aid in the choice of accounting methods and policies.
II. Document internal control procedures.
III. Sign quarterly and annual financial reports.
IV. Choose the auditor and approve auditor compensation.
V. Review the auditor's suggestions for improved internal controls.

I, II, III, IV, and V

I, II, III, and V only

I, III, IV, and V only

I and IV only
The correct answer is: I, II, III, and V only
Management must document internal control procedures and provide a written assessment
within 90 days prior to the publication of annual reports on the effectiveness of the internal
control structure and procedures. In addition, management must sign quarterly and annual
financial reports, and the chief executive officer must sign tax returns. The audit committee
of the board of directors, not management, chooses the auditor and approves auditor
compensation.

Q16:
Which of the following is true regarding the board of directors?

The board of directors must act in the best interest of the employees.

The board of directors must act in the best interest of the shareholders.

The board of directors must act in the best interest of management.

The board of directors must establish an audit committee to oversee all internal
controls.
The correct answer is: The board of directors must act in the best interest of the
shareholders.
The board of directors' primary responsibility is to act in the best interest of the
shareholders. It is not required to establish an audit committee.

Q17:
A company's management is concerned about computer data eavesdropping and wants to
maintain the confidentiality of its information as it is transmitted. The company should
utilize

data encryption.

password codes.

dial back systems.

message acknowledgment procedures.
The correct answer is: data encryption.

Data encryption, which uses secret codes, ensures that data transmissions are protected
from unauthorized tampering or electronic eavesdropping.
Q18:
The data entry staff of National Manufacturing Inc. has responsibility for converting all of the
plant's shipping information to computerized records. The information flow begins when the
shipping department sends a copy of a shipping order to the data entry staff. A data entry
operator scans the shipping order information onto a hand-held data storage device.
Verification clerks then check the computerized record with the original shipping orders.
When a given batch of files has been reviewed and corrected, as necessary, the information
is uploaded to the company's mainframe system at the home office.

The most effective way to visualize and understand this set of activities would be through
the use of a

* Source: Retired ICMA CMA Exam Questions

document flowchart.

decision table.

Gantt chart.

program flowchart.
Document flowchart. The most effective way to visualize and understand a set of activities
or process is through the use of a document flowchart.

Q19:
Which of the following incidents should the auditor report to management or the board of
directors?

Several employees have been observed coming in late or leaving early.

An error of $0.05 was found in the data entry of one transaction.

Control procedures require that the same person not enter and ship a transaction, but
both have been observed being done by the same person.

Compensation for the customer service manager is higher than for the internal auditor.
The correct answer is: Control procedures require that the same person not enter and ship a
transaction, but both have been observed being done by the same person.
The auditor must report findings that include inadequate control procedures, lack of
adherence to control procedures, inefficient allocation of resources, etc. The auditor is not
responsible for reporting on personnel behavior that does not affect accuracy of data
reporting or safeguarding of assets, and the auditor has no concern with levels of employee
compensation.

Q20:
The Sarbanes-Oxley Act has multiple sections that outline management's responsibility
regarding

the purchase of securities.

long-term strategic planning.

required education for chief financial officers.

internal controls and external reporting.
The correct answer is: internal controls and external reporting.
The Sarbanes-Oxley Act concentrates on management's responsibility in maintaining internal
controls so that external reports become more reliable.
Q21:
Locked doors, security systems, ID badges, passwords, and similar controls are designed to

ensure that internal controls are followed.

safeguard the firm's assets.

lower production costs.

protect the firm's reputation.
The correct answer is: safeguard the firm's assets.
The most visible safeguarding controls are designed and implemented to protect an
organization's assets.
Q22:
Internal controls are designed to provide reasonable assurance of achieving a corporation's
control objectives. Several factors may present inherent limitations to otherwise well-
designed policies and procedures. Which one of the following is not a factor that limits the
effectiveness of internal controls?

Management override

Collusion

Segregation of duties

Carelessness
The correct answer is: Segregation of duties
Certain human factors or exceptions may present inherent limitations to otherwise well-
designed and well-supported control policies and procedures. The major ones are
management override of controls and collusion between employees and between
employees and outsiders. Other inherent weaknesses are carelessness, misunderstandings,
and the cost/benefit nature of controls.

Q23:
An operational audit

determines whether the overall financial statements fairly represent the firm's
operations and financial condition.

verifies that the company is following all applicable laws and regulations.

verifies that capital assets are accurately tracked.

appraises the effectiveness of the business against corporate and industry standards.
The correct answer is: appraises the effectiveness of the business against corporate and
industry standards.
The operational audit is technically a non-financial audit. The purpose of an operational
audit is to evaluate the organization and efficiency of the firm or one of its subdivisions.
Operational audits are designed to examine and evaluate systems of internal control and
overall company operations.

Q24:
All of the following are included in the systems implementation process except

systems design.

testing.

conversion.

training.
The correct answer is: systems design.

The steps in systems development are analysis, design, implementation, follow-up,
operations, and maintenance. Implementation consists of training, testing, conversion, and
documentation.

Q25:
Part of the audit planning process is the gathering of evidence about an organization's
internal controls. The following procedures would be evidence for evaluating the
effectiveness of internal controls except:

Interviewing employees in the accounting department.

Observing procedures as employees complete daily tasks.

Review documentation, policies, procedures, and user manuals.

Documentation sent to senior management summarizing audit findings
The correct answer is: Documentation sent to senior management summarizing audit
findings
Evidence gathered by auditors is called primary evidence and might be gathered by
observation, surveys, interviews, inspection of documents (cancelled checks to verify
disbursements, timecards to verify hours worked, and so on), or other means.

Q26:
During an audit, an auditor assesses the adequacy of internal controls. An auditor considers
what to audit and the extent of substantive testing based upon the auditor's assessment of

Preventative controls.

Control risk.

Corrective controls.

Detective controls.
The correct answer is: Control risk
When designing a financial audit, the auditor assesses the adequacy of internal controls as
they relate to financial activities. The nature, timing, and extent of substantive testing will
depend upon the auditor's assessment of the amount of control risk and the credibility of
assertions regarding the company's transactions. Substantive tests in the financial audit
might focus on the details of account balances, analytical procedures, transactions, and the
physical security of assets, among other matters.

Q27:
A firm is constructing a risk analysis to quantify the exposure of its data center to various
types of threats. Which one of the following situations would represent the highest annual
loss exposure after adjustment for insurance proceeds?

Frequency of occurrence: 20 years, Loss Amount: $200,000, Insurance coverage: 80%

Frequency of occurrence: 8 years, Loss Amount: $75,000, Insurance coverage: 80%

Frequency of occurrence: 1 year, Loss Amount: $15,000, Insurance coverage: 85%

Frequency of occurrence: 100 years, Loss Amount: $400,000, Insurance coverage: 50%
The correct answer is: Frequency of occurrence: 1 year, Loss Amount: $15,000, Insurance
coverage: 85%.

The exposure is the same as the expected annual loss, which is calculated by taking the annual
frequency of occurrence (one divided by the number of years between occurrences),
multiplying it by the loss amount, and then multiplying that by one minus the insurance
coverage rate.

Expected loss = (annual frequency of occurrence) x (loss amount) x (1 - % insurance coverage)

For the 1 year frequency: the expected loss = (1/1)($15,000)(1-0.85) = $2,250.
For the 8 year frequency: the expected loss = (1/8)($75,000)(1-0.8) = $1,875.
For the 20 year frequency: the expected loss = (1/20)($200,000)(1-0.8) = $2,000.
For the 100 year frequency: the expected loss = (1/100)($400,000)(1-0.5) = $2,000.

$2,250 represents the highest annual loss exposure after adjusting for insurance proceeds.

Q28:
PCAOB Auditing Standard No. 5 requires auditors to follow a top-down, risk assessment
(TDRA) approach to auditing financial statements and internal controls. Which item is not
one of the steps in TDRA?

Determining which transaction-based controls compensate for possible entity-level
control failures.

Determining which entity-level controls sufficiently address the risks.

Identifying insignificant accounts or disclosures.

Identifying material misstatement risks within these accounts or disclosures.
The correct answer is: Identifying insignificant accounts or disclosures.
TDRA is a hierarchical approach that applies specific risk factors to determine the scope of
work and evidence required in the assessment of internal controls. The steps in TDRA are as
follows:
Identifying significant accounts or disclosures.
Identifying material misstatement risks within these accounts or disclosures.
Determining which entity-level controls sufficiently address the risks.
Determining which transaction-based controls compensate for possible entity-level control
failures.
Determining the nature, extent, and timing of evidence gathering tests needed to complete
the assessment of the internal controls

Q29:
Which of the following statements is false?

Internal controls can be most effective if they are supported by word and example of
management.

The auditor will examine internal controls to determine control risk.

Thorough and well-documented internal controls can result in fewer misstatements of
information.

Thorough and well documented internal controls can guarantee that fraud cannot be
committed.
The correct answer is: Thorough and well documented internal controls can guarantee that
fraud cannot be committed.
Internal controls are not a guarantee against fraud.

Q30:
Output controls provide assurance that processing is complete and accurate. Which of the
following controls is not an output control?

Reasonableness check

Audit trail

Password protection of document

Error listing
The correct answer is: Reasonableness check
A reasonableness check is an input control. The other three items are examples of output
controls.

Q31:
Lynn is entering a transaction on the screen and receives an error message telling her the
account number does not match the customer name. This is an example of

a processing control.

an output control.

an input control.

a program access control.
The correct answer is: an input control.
This is an example of an input control, which processes validity checks to help avoid input of
transactions with inaccurate information.

Q32:
The internal audit function is

responsible for ensuring that all information on financial statements is accurate and
true.

required by the Foreign Corrupt Practices Act.

independent of operations and responsible for reviewing the reliability and integrity of
financial and operating information.

a part of the accounting department and reports directly to the operations manager.
The correct answer is: independent of operations and responsible for reviewing the
reliability and integrity of financial and operating information.
The internal auditing department should remain independent of company operations, so
that it can remain objective. The internal auditor cannot assure that all information is
accurate. The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an
internal audit department.

Q33:
When an internal auditor expresses an opinion as to the efficiency and effectiveness of an
entity's activities and makes recommendations for improvements, the auditor is conducting
a(n)

* Source: Retired ICMA CMA Exam Questions

financial statement audit of a public company.

operational audit.

compliance audit.

financial statement audit of a municipality.
Operational audit. The type of audit that would focus on the objectives related to the
efficient use of resources is an operational audit.

Q34:
Which one of the following methods, for the distribution of employees' paychecks, would
provide the best internal control for the organization?

* Source: Retired ICMA CMA Exam Questions

Direct deposit in each employee's personal bank account.

Delivery of the paychecks to each department supervisor, who in turn would distribute
paychecks directly to the employees in his/her department.

Distribution of paychecks directly to each employee by the payroll manager.

Distribution of paychecks directly to each employee by a representative of the Human
Resource department.
Direct deposit in each employee's personal bank account. The best internal control
procedure for the distribution of employee paychecks would be the direct deposit of the
paychecks into each employee's personal bank account. This would allow the organization to
maintain control of the payroll processing function.

Q35:
Which of the following are potential threats to an information system?
I. Trojan horses
II. Manipulation of input data
III. Computer viruses
IV. Data theft

I, II, and III only

III and IV only

I, II, III, and IV

I and II only
The correct answer is: I, II, III, and IV
There are many threats to information systems, including input manipulation, program
alteration, data theft, sabotage, viruses, Trojan horses, and theft.

Q36:
During the audit of assets, an internal auditor believes that several items were classified as
assets when they should have been classified as expenses. To whom should the internal
auditor report these concerns?

Consult with legal counsel for advice.

Discuss the matter with senior management to determine if the classifications are
correct.

Discuss the matter with the general accountant who classified the transactions.

Discuss the matter with the chief audit executive.
The correct answer is: Discuss the matter with the chief audit executive.
An internal auditor should report all concerns they encounter to the chief audit executive
who will then determine the appropriate next course of action.

Q37:
Audit procedures may include a variety of computerized programs and accuracy tests to
confirm that the data processed by computer applications post to the correct general ledger
accounts. These procedures are referred to as:

Output controls

Security controls

Input controls

Processing controls
The correct answer is: Processing controls
Computerized programs and accuracy tests to confirm that data is processed by computer
applications correctly are called processing controls.

Q38:
A computer virus is different from a Trojan Horse because the virus can

* Source: Retired ICMA CMA Exam Questions

erase executable files.

corrupt data.

replicate itself.

alter programming instructions.
Replicate itself. A virus is different from a Trojan Horse in the way it can replicate itself.
Q39:
Which of the following is an example of a completeness control?

Facilities utilization reports

Employees' time sheets that must be completed before employees can receive their
paychecks

Pre-numbered forms that allow for reconciliation of form numbers against shipping
reports

Thorough training on proper accounting classes to which transactions should be posted
The correct answer is: Pre-numbered forms that allow for reconciliation of form numbers
against shipping reports
Completeness controls are measures taken to account for all transactions. Poor control over
blank forms, blank checks, or unnumbered forms can provide access to assets and allow
transfers to unauthorized personnel.

Q40:
In entering the billing address for a new client in Emil Company's computerized database, a
clerk erroneously entered a nonexistent zip code. As a result, the first month's bill mailed to
the new client was returned to Emil Company. Which one of the following would most likely
have led to discovery of the error at the time of entry into Emil Company's computerized
database?

Limit test.

Validity test.

Parity test.

Record count test.
The correct answer is: Validity test.

A validity test compares data against a master file for accuracy. Data that cannot possibly be
correct (e.g., a nonexistent zip code) would be discovered at that time.
Q41:
Detection risk is the risk

that the business will naturally experience, regardless of internal controls.

that measures the effectiveness of a firm's internal controls.

that internal controls will not be followed.

that an internal audit will not uncover incidents where controls have not been
followed.
The correct answer is: that an internal audit will not uncover incidents where controls have
not been followed.
Detection risk can also be planned detection risk and is a measure of the risk that audit
evidence will fail to detect misstatements exceeding an acceptable audit risk.

Q42:
Which of the following is an example of segregation of duties?

The shipping manager can access the order-entry computer software and enter an
order.

A clerk in the order department does not have access to the products and therefore
cannot ship products to customers.

The president of a small company is able to access payroll records and adjust entries.

The person who takes the order from a customer enters the order into the system and
supervises the shipment of the product.
The correct answer is: A clerk in the order department does not have access to the products
and therefore cannot ship products to customers.
One of the purposes of segregation of duties is to safeguard assets. If the same person can
enter an order and then ship it, he or she may be able to steal product by shipping to him or
herself or an accomplice.

Q43:
The basic concepts implicit in internal accounting controls include the following:

The cost of the system should not exceed benefits expected to be attained.
The overall impact of the control procedure should not hinder operating efficiency.

Which one of the following recognizes these two factors?

* Source: Retired ICMA CMA Exam Questions

Reasonable assurance.

Management responsibility.

Limitations.

Methods of data processing.
Reasonable assurance. Reasonable assurance recognizes that the cost of the system should
not exceed the benefits expected to be attained, and the overall impact of the control
procedure should not hinder operating efficiency.

Q44:
Which controls provide reasonable assurance that data is complete, accurate, and
authorized?

Processing controls

Physical controls

Input controls

Output controls
The correct answer is: Input controls
Input controls help to provide reasonable assurance that data is complete, accurate, and
authorized.
Q45:
Which of the following has the most effect on the control environment?

Organizational structure

Whether controls are changed on a regular basis

Management philosophy and operating style

Size of the company
The correct answer is: Management philosophy and operating style
Management's philosophy and operating style send signals to employees about the
importance of establishing and following internal controls. The size of the company, the
frequency with which controls are changed, and the organizational structure by themselves
do not impact the control environment as much as management's philosophy.

Q46:
Auditors document their understanding of management's internal control system with
questionnaires, flowcharts, and narrative descriptions. A questionnaire consists of a series of
questions concerning controls that auditors consider necessary to prevent or detect errors
and irregularities. The most appropriate question designed to contribute to the auditors'
understanding of the completeness of the expenditure cycle concerns the

use and accountability of prenumbered checks.

qualifications of accounting personnel.

internal verification of quantities, prices, and mathematical accuracy of sales invoices.

use of a check protection device to imprint check amounts.
The correct answer is: use and accountability of prenumbered checks.

All important forms relating to financial transactions such as checks should be prenumbered
and their numerical sequence should be accounted for.

Q47:
Company ABC has installed a software/hardware system that restricts access by outsiders to
the firm's network. This is called

a firewall.

data encryption.

a disaster recovery procedure.

an intrusion detection system.
The correct answer is: a firewall.
A firewall restricts access to a network from outside the company but does not guarantee
security. An intrusion detection system alerts the system administrator to unusual activity or
attempts at breaking past the firewall. Data encryption can minimize the risk of
unauthorized access to data but does not restrict access to a network. A disaster recovery
procedure is instituted when the network has been destroyed due to a natural disaster or
purposeful destruction.

Q48:
Inherent risk is the risk

that the business will naturally experience, regardless of internal controls.

that internal controls will not be followed.

that measures the effectiveness of a firm's internal controls.

that an internal audit will not uncover incidents where controls have not been
followed.
The correct answer is: that the business will naturally experience, regardless of internal
controls.
Inherent risk is the normal risk of the business, such as the risk of droughts for farmers or
the risk of a recession.
Q49:
Which of the following best describe the interrelated components of a system of internal
control?

organizational structure, management philosophy, and planning

risk assessment, backup facilities, responsibility accounting, and natural laws

control environment, risk assessment, control activities, information and
communication systems, and monitoring

personnel practices and policies, authorization, and segregation of duties
The correct answer is: control environment, risk assessment, control activities, information
and communication systems, and monitoring.

The five interrelated components or elements of internal control as defined in the 1992
COSO (Committee of Sponsoring Organizations) Model are the control environment, risk
assessment, control activities, information and communication, and monitoring.
Q50:
In securing the client/server environment of an information system, a principal disadvantage
of using a single level sign-on password is the danger of creating a(n)

* Source: Retired ICMA CMA Exam Questions

trap door entry point.

single point of failure.

lock-out of valid users.

administrative bottleneck.
Single point of failure. A single level sign-on password gives one credential access to every
system in the client/server environment. That reduces administrative bottlenecks and
lock-outs of valid users, but it concentrates risk: one compromised, forgotten or unavailable
password exposes, or blocks access to, every system behind it, which is a single point of
failure. A trap door (an undocumented entry point left in software) is a separate weakness,
not a consequence of single sign-on.

Q51:
Which one of the following is not the component of the audit risk model commonly used by
auditors in deciding how much evidence to accumulate in each cycle?

Inherent risk

Control risk

Engagement risk

Planned detection risk
The correct answer is: Engagement risk.

Audit Risk = Inherent Risk x Control Risk x Detection Risk.

Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk).

Engagement risk relates to whether the auditor should be associated with the client in the
first place, and is not part of the audit risk equation.

Q52:
Which one of the following represents a lack of internal control in a computer-based
system?

Programmers have access to change programs and data files when an error is detected.

Provisions exist to protect data files from unauthorized access, modification, or
destruction.

The design and implementation is performed in accordance with management's
specific authorization.

Any and all changes in applications programs have the authorization and approval of
management.
The correct answer is: Programmers have access to change programs and data files when an
error is detected.

The IT (information technology) function should be separate from the other functional areas
in the organization. In addition, within IT, there should be a separation between
programmers/analysts, operations, and technical support. Programmers should not be able to
change production programs or data files directly: custody of production programs and data
files belongs to IT operations (a program library function), program changes go through
authorized change control, and correction and re-entry of erroneous transactions belongs to
the system user.

Q53:
Which of the following might an internal auditor provide as a result of an audit?
I. Appraisal of performance
II. Recommendations for changes
III. Advice to management on improving controls
IV. Recommendations to management on changes to their compensation.

I, II, and III only

I, II, III, and IV

I and II only

III and IV only
The correct answer is: I, II, and III only
The internal audit function reports primarily to the board of directors but also provides
analyses, appraisals, recommendations, counsel, and information concerning activities
reviewed to assist management. The audit report does not deal with levels of employee
compensation.

Q54:
All of the following are examples of encryption techniques used for computer security
except

* Source: Retired ICMA CMA Exam Questions

authentication key.

primary key.

private key.

public key.
Primary key. Encryption techniques include a public key, a private key, and an authentication
key. A primary key is a database term for the field that uniquely identifies a record in a
table; it has nothing to do with encryption.

Q55:
In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system
should have adequate controls. The best set of controls for a payroll system includes

employee supervision, batch totals, record counts of each run, and payments by check.

batch totals, record counts, user codes, proper separation of duties, and online edit
checks.

passwords and user codes, batch totals, employee supervision, and record counts of
each run.

batch and hash totals, record counts of each run, proper separation of duties,
passwords and user codes, and backup copies of activity and master files.
The correct answer is: batch and hash totals, record counts of each run, proper separation of
duties, passwords and user codes, and backup copies of activity and master files.

Transaction processing systems need controls to assure authorization, completeness,
accuracy, and timeliness. The four objectives, in processing payroll, are accomplished by
using batch and hash totals, record counts of each run, proper separation of duties,
passwords and user codes, and backup copies of activity and master files.
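The batch and hash totals and record counts named in the answer are easy to state but worth seeing in action, because each one catches a different kind of processing error. The following is an added example, not part of the original question bank: it computes the three control totals for a small constructed payroll batch and shows which total fails when a record is dropped, when an amount is altered, and when a payment is redirected to another employee ID (all record values are constructed, not real data).

```python
# Added example (not from the original question bank): batch controls for a payroll run.
# The submitting department computes three control totals when it hands over the batch.
# After each processing step the totals are recomputed; any disagreement means a record
# was dropped, duplicated or altered on the way.
from dataclasses import dataclass


@dataclass(frozen=True)
class PayRecord:
    employee_id: int      # used for the hash total: the sum has no business meaning
    hours: float
    gross_pay_cents: int  # used for the batch total: a meaningful monetary sum


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    batch_total: int   # sum of gross pay, in cents
    hash_total: int    # sum of employee IDs


def compute_totals(records):
    """Control totals computed by the submitting department and again after each run."""
    return ControlTotals(
        record_count=len(records),
        batch_total=sum(r.gross_pay_cents for r in records),
        hash_total=sum(r.employee_id for r in records),
    )


def reconcile(expected, records):
    """Names of the control totals that no longer agree (empty list = batch balances)."""
    actual = compute_totals(records)
    return [name for name in ("record_count", "batch_total", "hash_total")
            if getattr(actual, name) != getattr(expected, name)]


# Constructed sample batch as submitted by the payroll department.
SUBMITTED = [
    PayRecord(1001, 40.0, 120000),
    PayRecord(1002, 38.5, 115500),
    PayRecord(1003, 40.0, 160000),
]
EXPECTED = compute_totals(SUBMITTED)   # record_count 3, batch_total 395500, hash_total 3006


def dropped_record():
    """Last record lost between runs: every total disagrees."""
    return reconcile(EXPECTED, SUBMITTED[:2])


def altered_amount():
    """Gross pay of one record raised by $50: only the batch total catches it."""
    tampered = [PayRecord(1001, 40.0, 125000)] + SUBMITTED[1:]
    return reconcile(EXPECTED, tampered)


def redirected_payment():
    """Same amount paid to a different employee ID: only the hash total catches it."""
    tampered = [SUBMITTED[0], PayRecord(1020, 38.5, 115500), SUBMITTED[2]]
    return reconcile(EXPECTED, tampered)


if __name__ == "__main__":
    for check in (dropped_record, altered_amount, redirected_payment):
        print(f"{check.__name__}: failing controls = {check()}")
```

Carrying the same totals forward from one processing run to the next is what the run-to-run total does. Note the limit of the technique: swapping the amounts of two records leaves every total unchanged, which is why control totals are paired with separation of duties and user review of output rather than relied on alone.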

Q56:
The Institute of Internal Auditors (IIA) is the leading professional organization that sets
standards and rules for the practice of internal auditing. In light of the definition of internal
auditing adopted by the IIA, the scope of internal auditing includes all of the following
activities except

conducting operational audits to help improve the efficiency and effectiveness of the
company's operations.

providing periodic positive assurance to the board on the effectiveness of the
company's system of internal control.

assisting on consulting projects as needed by the management.

evaluating the effectiveness of the company's risk management processes.
The correct answer is: providing periodic positive assurance to the board on the
effectiveness of the company's system of internal control.

Periodic evaluation of the effectiveness and efficiency of internal controls is a standard
internal audit function. The evaluation, however, may not result in positive assurance.

Q57:
Accounting controls are concerned with the safeguarding of assets and the reliability of
financial records. Consequently, these controls are designed to provide reasonable
assurance that all of the following take place except

comparing recorded assets with existing assets at periodic intervals and taking
appropriate action with respect to differences.

recording transactions as necessary to permit preparation of financial statements in
conformity with generally accepted accounting principles and maintaining
accountability for assets.

executing transactions in accordance with management's general or specific
authorization.

compliance with methods and procedures ensuring operational efficiency and
adherence to managerial policies.
The correct answer is: compliance with methods and procedures ensuring operational
efficiency and adherence to managerial policies.

An internal control system is concerned with safeguarding assets, accuracy and reliability of
records, operational efficiency, adherence to policy, and compliance with laws and
regulations. The first two are called accounting controls. The latter three are referred to as
administrative controls.

Q58:
Which one of the following functions performed in an organization is a violation of internal
control?

* Source: Retired ICMA CMA Exam Questions

The General Ledger clerk compares the summary journal entry, received from the
Cashier for cash receipts applicable to outstanding accounts, with the batch total for
posting to the Subsidiary Ledger by the Accounts Receivable clerk.

A mail clerk opening the mail compares the check received with the source document
accompanying the payment, noting the amount paid, then forwards the source
documents that accompany the payments (along with a listing of the cash receipts) to
Accounts Receivable, on a daily basis, for posting to the subsidiary ledger.

At the end of the week the Cashier prepares a deposit slip for all of the cash receipts
received during the week.

A mail clerk opening the mail compares the check received with the source document
accompanying the payment, noting the amount paid, then forwards the checks daily
(along with a listing of the cash receipts) to the Cashier for deposit.
At the end of the week the Cashier prepares a deposit slip for all of the cash receipts
received during the week. Internal controls should have effective separation of duties and
timely handling of cash to prevent fraudulent activities from occurring. Cash receipts should
be deposited intact daily; a cashier who holds a week's receipts has both custody of the cash
and the opportunity to divert or lap it before any bank record exists, so this is a clear
violation of internal control. The other three procedures describe a proper daily flow: the
mail clerk lists the receipts, the checks go to the Cashier for deposit, the remittance
documents go to Accounts Receivable for posting, and the General Ledger clerk compares the
Cashier's summary with the batch total.

Q59:
Which of the following are objectives of internal controls?
I. Reliability of financial reports
II. Guarantees against fraud
III. Effectiveness of operations
IV. Efficiency of operations
V. Compliance with applicable laws and regulations

I, III, IV, and V only

I, III, and V only

I, II, III, IV, and V

I, II, and IV only
The correct answer is: I, III, IV, and V only
Internal controls cannot guarantee that fraud will not be perpetrated.

Q60:
Data encryption

is not necessary unless a business is working on government defense contracts.

converts data from easily read local language into a secret code and helps prevent
unauthorized usage of sensitive information.

is less necessary over the Internet than on a LAN or WAN because e-mail and FTP
cannot be intercepted.

converts graphics into binary code that can be more easily transmitted over the
Internet.
The correct answer is: converts data from easily read local language into a secret code and
helps prevent unauthorized usage of sensitive information.
Data encryption helps prevent unauthorized access to sensitive information and can be used
on data transmissions over the Internet and on a LAN/WAN as well as on files stored on the
LAN/WAN.

Q61:
Which statement is not a requirement of PCAOB Auditing Standard No. 5?

Requires auditors to follow a risk-based approach to the development of auditing
procedures.

Requires auditors to scale the audit to the size of the organization.

Requires auditors to follow a rules-based approach to determine the extent of audit
testing.

Requires the auditors to follow prescribed approaches to perform the audit.
The correct answer is: Requires auditors to follow a rules-based approach to determine the
extent of audit testing.
PCAOB Auditing Standard No. 5 requires auditors to follow a risk-based approach to the
development of auditing procedures and performing a Section 404 audit. It also requires the
auditor to scale the audit to the size of the organization under audit, and to follow a
principles-based approach to determine when and to what extent he or she can rely on the
work of others.

Q62:

Which of the following are required under the Foreign Corrupt Practices Act?
I. A firm must design internal control procedures.
II. A firm must have an internal audit department.
III. Transactions must be executed with management's authorization.
IV. Access to assets must be authorized.

I and III only

I and II only

I, III, and IV only

I, II, III, and IV
The correct answer is: I, III, and IV only
The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an internal audit
department.

Q63:
Flowcharts of activities are used to

visually inspect, observe, and document a process in order to assess effectiveness of
control procedures.

help ensure that data transmitted over the Internet is not intercepted by unauthorized
personnel.

ensure that data can be recovered if it is lost.

help detect intrusion past the firewall into the network.
The correct answer is: visually inspect, observe, and document a process in order to assess
effectiveness of control procedures.
A flowchart is used by the internal auditor to review the information system and related
control procedures for adequacy as well as efficiency of operations.
Q64:
Which of the following is NOT an internal control?

Requirements for accurate recording of vacations

Required dress code

Employee pay records

Pre-numbered forms
The correct answer is: Required dress code
All of the choices except required dress code are internal controls.

Q65:
The chief audit executive believes that the company has accepted an unacceptably high level
of risk related to its assessment of uncollectible accounts receivable. To whom should the
chief audit executive report this concern?

The CFO.

The board of directors.

The CEO.

The external audit team.
The correct answer is: The board of directors.
If the chief audit executive believes that senior management has accepted a level of risk
that is unacceptable for the organization's risk appetite, the chief audit executive should
first discuss the matter with senior management and, if it is not resolved, communicate it to
the board.

Q66:
A critical aspect of a disaster recovery plan is to be able to regain operational capability as
soon as possible. In order to accomplish this, an organization can have an arrangement with
its computer hardware vendor to have a fully operational facility available that is configured
to the user's specific needs. This is best known as a(n)

hot site.

parallel system.

cold site.

uninterruptible power system.
The correct answer is: hot site.

A hot site is a back-up site in another location that has the company's hardware and
software installed and is ready to run on a moment's notice.
Q67:
The Sarbanes-Oxley Act has multiple sections that outline management's responsibility
regarding

required education for chief financial officers.

the purchase of securities.

long-term strategic planning.

internal controls and external reporting.
The correct answer is: internal controls and external reporting.
The Sarbanes-Oxley Act concentrates on management's responsibility in maintaining internal
controls so that external reports become more reliable.

Q68:
Which of the following could a compliance audit verify?
I. Compliance with GAAP
II. Compliance with employment laws
III. Compliance with OSHA laws
IV. Compliance with tax laws

I and II only

III and IV only

II, III, and IV only

I, II, III, and IV
The correct answer is: I, II, III, and IV
The auditor could verify compliance with any law or regulation.

Q69:
Which one of the following would be most effective in deterring the commission of fraud?

* Source: Retired ICMA CMA Exam Questions

Policies of strong internal control, segregation of duties, and requiring employees to
take vacations.

Policies of strong internal control and punishments for unethical behavior.

Hiring ethical employees, employee training, and segregation of duties.

Employee training, segregation of duties, and punishment for unethical behavior.
Policies of strong internal control, segregation of duties, and requiring employees to take
vacations. The most effective policy to deter the commission of fraud is to provide policies of
strong internal control, segregation of duties, and requiring employees to take vacations.

Q70:
Which of the following statements is true?

Higher-paid employees tend to follow control procedures more carefully and
consistently.

Control procedures can completely make up for careless employees.

Control procedures are ineffective if employees are not all highly educated and trained.

Hiring, promoting, and training competent personnel are integral to an efficient control
environment.
The correct answer is: Hiring, promoting, and training competent personnel are integral to
an efficient control environment.
Hiring, promoting, and training competent personnel are integral to an efficient control
environment. However, control procedures are not rendered ineffective simply because not
every employee is highly educated, and adherence to control procedures does not necessarily
follow from higher levels of education or pay.

Q71:
Which of the following is true regarding the board of directors?

The board of directors must act in the best interest of management.

The board of directors must act in the best interest of the shareholders.

The board of directors must act in the best interest of the employees.

The board of directors must establish an audit committee to oversee all internal
controls.
The correct answer is: The board of directors must act in the best interest of the
shareholders.
The board of directors' primary responsibility is to act in the best interest of the
shareholders. It is not required to establish an audit committee.

Q72:
The Sarbanes-Oxley Act of 2002 increased management's responsibility for accurate
financial reporting. Which of the following is not a requirement of Section 404 of the
Sarbanes-Oxley Act?

Document management's responsibility to refuse to accept contracts or business
through the payment of bribes.

Document management's responsibility for establishing adequate internal control
policies.

Document management's assessment of the effectiveness of the internal control
structure and procedures.

Document management's responsibility for maintaining adequate internal control
policies.
The correct answer is: Document management's responsibility to refuse to accept contracts
or business through the payment of bribes.
The 1977 Foreign Corrupt Practices Act forbids companies from accepting contracts or
business through the payment of bribes to foreign governments. The other answers are all
requirements of SOX Section 404.

Q73:
There are many ways that realtime accounts receivable systems differ from batch accounts
receivable systems. Which one of the following is not correct?

Realtime systems: Must use direct-access files; Batch systems: Can use simple
sequential files.

Realtime systems: Invoicing is performed as goods are shipped; Batch systems:
Invoicing is performed through scheduled billing runs.

Realtime systems: Processing is done on demand; Batch systems: Processing is done
during scheduled computer runs.

Realtime systems: Processing choices are menu-driven; Batch systems: Processing is
interactive.
The correct answer is: Realtime systems: Processing choices are menu-driven; Batch
systems: Processing is interactive.

Real-time processing is menu driven, but the batch system processing is not interactive.
Batch processing is the aggregation of several transactions over a period of time with the
subsequent processing of these data as a group. The system feedback in batch processing
can be received only after such processing with a substantial delay.

Q74:
The Sarbanes-Oxley Act has multiple sections that outline management's responsibility
regarding

required education for chief financial officers.

the purchase of securities.

internal controls and external reporting.

long-term strategic planning.
The correct answer is: internal controls and external reporting.

Section 404 of the 2002 Sarbanes-Oxley Act requires management to establish and
document internal control procedures and to provide a written assessment, within 90 days
prior to publication of the annual report, of the effectiveness of the internal control
structure and procedures. Section 906 of the act requires management certification of the
financial statements.

Q75:
Systems security controls

include blocking physical access to computers, protecting computer systems from
environmental effects (cold, floods), and logical controls that block unauthorized
access.

are not necessary if proper software controls are maintained.

are not required in a small company.

require only that the computer is in a climate-controlled room and behind a locked
door.
The correct answer is: include blocking physical access to computers, protecting computer
systems from environmental effects (cold, floods), and logical controls that block
unauthorized access.
Systems security controls encompass both the physical access to the hardware and the
logical (ability to use) access to the hardware.

Q76:
Which of the following is true?

Disaster recovery will be effective only for firms with subsidiaries in a different region.

A firewall system guarantees that unauthorized users will not be able to access the
backup data.

Data backups should be regularly stored off site for recovery in the event of the loss of
the facility in which the data resides.

Automated backup systems are often ineffective; backups should be instituted every
day by an authorized computer manager.
The correct answer is: Data backups should be regularly stored off site for recovery in the
event of the loss of the facility in which the data resides.
Data backup tapes should be regularly transferred to off-site storage so that recovery
procedures can be instituted in case a disaster destroys the data center. Automated backup
systems work fine. Nothing guarantees that hackers will not be able to access the system.
Disaster recovery can be effective for many types and sizes of businesses.

Q77:
The primary reason an auditor considers the strengths and weaknesses of internal control
systems in conjunction with financial statement audits is to

appraise the efficiency with which resources are employed.

identify the controls that could likely prevent or detect errors or irregularities.

identify the causes of errors or irregularities in an internal control system.

provide a basis for reliance in determining the nature, timing, and extent of substantive
tests.
The correct answer is: provide a basis for reliance in determining the nature, timing, and
extent of substantive tests.

The purpose of the auditor's study and evaluation of the internal control system is to
determine the nature, extent, and timing of the other audit tests needed to collect sufficient
evidence upon which to base his/her opinion. The nature, extent, and timing of the other
tests depend on the strengths and weaknesses in the system.

Q78:
When assessing a company's internal control structure policies and procedures, the primary
consideration is whether they

* Source: Retired ICMA CMA Exam Questions

relate to the control environment.

reflect managements philosophy and operating style.

affect the financial statement assertions.

prevent management override.
Affect the financial statement assertions. The primary consideration when assessing a
company's internal control structure policies and procedures is whether they affect the
financial statement assertions.

Q79:
In designing systems of internal control, which of the following types of controls are
the best to include in the design in order to be fully effective?

systems development, operations, and access controls

management, personnel, and administrative controls

edit, input verification, and output controls

preventative, detective, and corrective controls
The correct answer is: preventative, detective, and corrective controls.

There are five types of internal controls. They are preventive, detective, corrective, directive,
and compensating. The first three are the ones designed into the system.

Q80:
A compliance audit verifies

whether employees are wearing appropriate attire.

that transactions are accurately recorded and financial information is fairly reported.

whether internal control policies and procedures are adequate for safeguarding assets.

that the company is following all applicable laws and regulations.
The correct answer is: that the company is following all applicable laws and regulations.
The compliance audit verifies that the company has complied with all applicable laws and
regulations.

Q81:
Which of the following is a risk of using the Internet to transmit data?

Data wires connecting a LAN can easily be breached by hackers.

Data is easily intercepted and can be stolen or altered when being sent on an
unsecured line.

Telecommunication lines connecting a WAN may corrupt data due to the long distances
between computers.

Encrypted files cannot be sent via the Internet.
The correct answer is: Data is easily intercepted and can be stolen or altered when being
sent on an unsecured line.
Data transmitted via the Internet generally is considered to have a low level of integrity due
to the possibility of interception or data scrambling. Encrypted files can be sent via the
Internet and are better protected from interception. Wired LANs and WANs do not rely on
Internet technology to connect computers and are therefore not open to the same risks for
data transmission.

Q82:
The relationship between inherent risk, planned detection risk, and planned audit evidence
is best described as follows.

Inherent risk is positively related to planned detection risk and not at all related to
planned evidence.

Inherent risk is inversely related to planned detection risk and directly related to
planned evidence.

Inherent risk is inversely related to planned detection risk and planned audit evidence.

There is no relationship between inherent risk, planned detection risk, and planned
audit evidence.
The correct answer is: Inherent risk is inversely related to planned detection risk and directly
related to planned evidence.

Audit Risk = (Inherent Risk x Control Risk x Detection Risk).

Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk).

Detection risk is the probability that a misstatement will not be discovered by the auditor,
so the lower the detection risk the auditor is willing to accept, the more audit evidence must
be gathered. The formula shows that a higher inherent risk lowers the allowable detection
risk; inherent risk is therefore inversely related to planned detection risk and directly related
to planned evidence.

Q83:
Alex is an unhappy employee, and he writes a line of code into the company's software
system that will erase every tenth transaction entered into the system. Which of the
following is this called?

Virus

Trojan horse

Saboteur

Revenge line
The correct answer is: Trojan horse
A Trojan horse is a computer program that contains an intentional, hidden line of code
planted by a programmer for personal gain (for example, transferring funds without the
company knowing) or for revenge. Because Alex's routine lies dormant and fires only when a
condition is met (every tenth transaction), this kind of planted code is also commonly called
a logic bomb.

Q84:
In situations where it is crucial that data be entered correctly into an accounting information
system, the best method of data control would be to use

* Source: Retired ICMA CMA Exam Questions

reasonableness tests.

key verification.

limit checks.

compatibility tests.
Key verification. The best method of data control in situations where it is crucial that data be
entered correctly into an accounting information system is through the use of key
verification.
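Key verification, limit checks, reasonableness tests and compatibility tests are all input controls, and the question turns on what each one can and cannot catch. The following is an added example, not part of the original question bank: it applies a field check, a limit check, a reasonableness test and a compatibility (validity) test to constructed payroll time entries, and then shows key verification as a comparison of two independent keyings of the same record. The department table, the 60-hour ceiling and the 20 to 50 hour "usual" range are assumptions chosen for the illustration.

```python
# Added example (not from the original question bank): input edit checks on time entries.
import re

# Constructed reference data: which pay types each department may use (compatibility test).
VALID_DEPARTMENTS = {"D10": {"hourly", "salaried"}, "D20": {"hourly"}}
MAX_HOURS_PER_WEEK = 60      # limit check: a hard ceiling that is never accepted
USUAL_HOURS = (20, 50)       # reasonableness test: outside this range is unusual, not impossible


def edit_checks(entry):
    """Return (check_name, message) findings for one time-entry dict; empty list means it passes."""
    findings = []

    # Field (format) check: the employee number must be exactly four digits.
    if not re.fullmatch(r"\d{4}", str(entry.get("employee_id", ""))):
        findings.append(("field_check", "employee_id must be four digits"))

    hours = entry.get("hours")
    if not isinstance(hours, (int, float)) or isinstance(hours, bool):
        findings.append(("field_check", "hours must be numeric"))
        return findings  # the remaining checks need a number to work with

    # Limit check: nobody can be paid for more than the ceiling, so the record is rejected.
    if hours < 0 or hours > MAX_HOURS_PER_WEEK:
        findings.append(("limit_check", f"hours {hours} outside 0..{MAX_HOURS_PER_WEEK}"))
    # Reasonableness test: possible but unusual values are flagged for review, not rejected.
    elif not USUAL_HOURS[0] <= hours <= USUAL_HOURS[1]:
        findings.append(("reasonableness_test", f"hours {hours} unusual; supervisor review"))

    # Validity and compatibility tests: the department must exist and allow the pay type.
    department = entry.get("department")
    allowed = VALID_DEPARTMENTS.get(department)
    if allowed is None:
        findings.append(("validity_check", f"unknown department {department!r}"))
    elif entry.get("pay_type") not in allowed:
        findings.append(("compatibility_test",
                         f"pay type {entry.get('pay_type')!r} not allowed in {department}"))
    return findings


def key_verification(first_keying, second_keying):
    """Key verification: a second operator re-keys the record; fields that differ are returned."""
    fields = set(first_keying) | set(second_keying)
    return sorted(f for f in fields if first_keying.get(f) != second_keying.get(f))


# Constructed sample records (not real data).
GOOD = {"employee_id": "1001", "hours": 40, "department": "D10", "pay_type": "hourly"}
SAMPLES = {
    "good": GOOD,
    "over_limit": {**GOOD, "hours": 75},
    "unusual": {**GOOD, "hours": 12},
    "wrong_pay_type": {**GOOD, "employee_id": "1002", "department": "D20", "pay_type": "salaried"},
    "bad_format": {"employee_id": "A12", "hours": "forty"},
}


def failing_checks(name):
    """Names of the edit checks that fire for one of the constructed samples."""
    return [check for check, _ in edit_checks(SAMPLES[name])]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {failing_checks(name)}")
    # 44 instead of 40 passes every edit check; only re-keying reveals the keying error.
    print("key verification:", key_verification(GOOD, {**GOOD, "hours": 44}))
```

The last line is the point of the question: a keying error that produces a valid, reasonable, compatible value (44 hours instead of 40) passes every edit check, and only independent re-keying catches it. That is why key verification is the answer where correct entry is crucial, at the cost of keying every record twice.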

Q85:
Segregation of duties controls are examples of

compensating controls.

preventive controls.

administrative controls.

detective controls.
The correct answer is: preventive controls.

Proper segregation of duties is a control designed to prevent threats, errors and
irregularities by separating the incompatible functions of authorization, execution,
recording, and custody of assets between four people.

Q86:
Sandy opens an e-mail that she doesn't realize contains a line of code that enters the
company LAN via her computer. Three days later, all the data files on the LAN and
everybody's computers are erased. This is an example of

a prototype.

a computer virus.

a computer spam.

a Trojan horse.
The correct answer is: a computer virus.
A computer virus can move through a network deleting or altering files before it is even
detected. Computer viruses have become a concern to companies.

Q87:
Many organizations participating in e-commerce have serious concerns about security,
therefore a new subdiscipline, internet assurance services, has evolved. Its main objective is
to

provide value to data being transmitted by making it secure.

provide assurance that electronic data transmissions reach their destinations and on
time.

insure against fraud and hackers by charging a fee per transmitted transaction.

provide assurances that web sites are reliable and transaction security is reasonable.
The correct answer is: provide assurances that web sites are reliable and transaction security
is reasonable.

Internet assurance is a service that provides limited assurance to users of a vendor's web site
that the site is reliable and that transaction data security is reasonable.

Q88:
During the audit of inventory, an internal auditor suspects that the stores clerk may be
stealing inventory. What is the best way for the internal auditor to proceed?

Consult ethics policy.

Interview the stores clerk to determine if they stole the inventory.

Consult with senior management to determine the best application of company policy.

Consult with legal counsel for advice regarding local laws.
The correct answer is: Consult ethics policy
Since this is an ethical issue, the auditor should first consult the company's ethics policy and,
if the matter is still unresolved, discuss it with the stores clerk's immediate supervisor.


Q89:
Which one of the following represents a weakness in the internal control system of an
electronic data processing system?

* Source: Retired ICMA CMA Exam Questions

The accounts receivable clerk prepares and enters data into the computer system and
reviews the output for errors.

The systems analyst designs new systems and supervises testing of the system.

The data control group reviews and tests procedures and handles the reprocessing of
errors detected by the computer.

The computer operator executes programs according to operating instructions and
maintains custody of programs and data files.
The computer operator executes programs according to operating instructions and
maintains custody of programs and data files. An operator who also has custody of the
program and data files could run unauthorized programs or alter data without detection.
Custody of program and data files should rest with a separate librarian or control function,
so combining it with the operator role is a weakness in the internal control system of an
electronic data processing system.

Q90:
Which of the following is not a function of an internal auditor?

Verifying that transactions are correctly recorded

Verifying that the computer system controls are effective

Verifying that laws and regulations are followed

Verifying that management compensation is reasonable
The correct answer is: Verifying that management compensation is reasonable
The auditor is not responsible for judging the reasonableness of executive compensation,
only for verifying that it is recorded and reported accurately.

Q91:
What is the role of the PCAOB in providing guidance on the auditing of internal controls?

The PCAOB is responsible for the setting of standards for audits of privately held
corporations.

The PCAOB is responsible for the setting of standards for audits of governmental
organizations.

The PCAOB is responsible for the setting of standards for audits of both publicly held
and privately held corporations

The PCAOB is responsible for the setting of standards for audits of publicly held
corporations.
The correct answer is: The PCAOB is responsible for the setting of standards for audits of
publicly held corporations.
The Public Company Accounting Oversight Board (PCAOB) is a private sector, nonprofit
corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the auditors of (public)
companies in order to protect the interests of investors and further the public interest in the
preparation of informative, fair and independent audit reports. The Act required that
auditors of U.S. companies be subject to external and independent oversight for the first
time in history. Previously, the profession was self-regulated.

Q92:
Segregation of duties is a fundamental concept in an effective system of internal control.
Nevertheless, the internal auditor must be aware that this safeguard can be compromised
through

irregular employee reviews.

lack of training of employees.

absence of internal auditing.

collusion among employees.
The correct answer is: collusion among employees.

Effective segregation of duties means that no single employee has control over
authorization, recording and custody. If two or more employees are in collusion, these
controls can be overridden.
Q93:
Processing controls provide reasonable assurance that only approved data are processed.
Which of the following controls is not a processing control?

Sequence checks

Completeness checks

Error report

Run-to-run totals
The correct answer is: Error report
Completeness checks, sequence checks, and run-to-run totals are all processing controls. Error
reports are an output control.

Q94:
Online access controls are critical for the successful operation of today's computer systems.
To assist in maintaining control over such access, many systems use tests that are
maintained through an internal access control matrix which consists of

a list of controls in the online system and a list of those individuals authorized to
change and adjust these controls along with a complete list of files in the system.

authorized user code numbers, passwords, lists of all files and programs, and a record
of the type of access each user is entitled to have to each file and program.

a complete listing of system tests and the applicable programs.

authorized user code numbers and passwords.
The correct answer is: authorized user code numbers, passwords, lists of all files and
programs, and a record of the type of access each user is entitled to have to each file and
program.

An access control mechanism defines object and action privileges for a user. Object
privileges define the resources the user may access. Action privileges define what the user
may do with a resource. Access controls often employ user ID codes and passwords.

Q95:
Which one of the following statements about an accounting information system (AIS)
is incorrect?

AIS is best suited to solve problems where there is great uncertainty and ill-defined
reporting requirements.

The information produced by AIS is made available to all levels of management for use
in planning and controlling an organization's activities.

AIS supports day-to-day operations by collecting and sorting data about an
organization's transactions.

AIS is a subsystem of the management information system.
The correct answer is: AIS is best suited to solve problems where there is great uncertainty
and ill-defined reporting requirements.

A decision support system, not an accounting information system (AIS), is best suited to
solve problems where there is great uncertainty and ill-defined reporting requirements.

Q96:
The most critical aspect of the separation of duties within a mainframe information systems
environment is between

programmers and users.

programmers and project leaders.

programmers and computer operators.

programmers and systems analysts.
The correct answer is: programmers and computer operators.

The IT (information technology) function should be separate from the other functional areas
in the organization. In addition, within IT, there should be a separation between
programmers/analysts, operations, and technical support. Separation of programmers from
computer operators is critical.

Q97:
The Sarbanes-Oxley Act of 2002 (SOX) established increased requirements for audit
committees. These requirements include all of the following except:

the audit committee must have at least one financial expert.

the audit committee must consist of independent directors.

the CEO of the company can be a member of the audit committee.

the audit committee is responsible for selecting the external auditor.
The correct answer is: The CEO of the company can be a member of the audit committee.
Audit committees need independent directors with sophisticated financial backgrounds. The
Sarbanes-Oxley Act of 2002 (SOX) requires that the audit committee consist entirely of
directors who are independent of the issuer, meaning that they cannot accept any
consulting, advisory, or other compensatory fee from the issuer or be affiliated with the
issuer or any of its subsidiaries. At least one of the audit committee members should qualify
as a financial expert.
Q98:
During the annual review of internal controls in the HR department, an internal auditor may
complete all of the following procedures to confirm the existence of adequate policies and
procedures except

inspect documents.

limit access to confidential data.

confirm proper segregation of duties.

review job descriptions.
The correct answer is: limit access to confidential data
Evidence gathered by auditors is called primary evidence and might be gathered by
observation, surveys, interviews, inspection of documents (cancelled checks to verify
disbursements, timecards to verify hours worked, and so on), or other means.

Q99:
The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components. An organization's management philosophy and ethical values is a part of the

information and communication.

risk assessment.

control environment.

Monitoring.
The correct answer is: Control environment
The control environment refers to the organization's management philosophy and appetite
for risk, and includes integrity, ethical values, and the environment in which an organization
operates.

Q100:
In planning an audit, the auditor considers audit risk. Audit risk is the

risk that a material error in an account will not be prevented or detected on a timely
basis by the client's internal control system.

susceptibility of an account balance to material error assuming the client does not have
any related internal control.

risk that the auditor's procedures for verifying account balances will not detect a
material error when in fact such error exists.

risk that the auditor may unknowingly fail to appropriately modify his opinion on
financial statements that are materially misstated.
The correct answer is: risk that the auditor may unknowingly fail to appropriately modify his
opinion on financial statements that are materially misstated.

Audit risk is the probability of an audit failure. An audit failure occurs when the auditor's
opinion states that the financial statements fairly present, in all material respects, in
accordance with GAAP (Generally Accepted Accounting Principles) when, in fact, they are
materially misstated.

Q101:
If a corporation may be violating federal and state laws governing environmental concerns,
which one of the following types of audit will best assist in ascertaining whether such
situations may exist?

* Source: Retired ICMA CMA Exam Questions

Financial audit.

Operational audit.

Management Audit.

Compliance Audit.
Compliance Audit. The type of audit that will assist an auditor in determining whether or not
a corporation may be violating federal and state laws governing environmental concerns is a
Compliance Audit.

Q102:
Which of the following provides protection from unauthorized use of databases?

Data encryption

Input entry screens with validity checks

File transfer protocol

Storing the data center in a secured area
The correct answer is: Data encryption
Data encryption protects data while it is stored and while it is being transmitted. Locating
the data center in a secured area protects hardware, not access to programs and data. File
transfer protocol is a standard method of transferring files over the Internet, and it does not
protect data from unauthorized use unless transmitted data is encrypted. Input entry
screens with validity checks are effective controls for accuracy of input but do not protect
programs or the system from unauthorized use.

Q103:
An inherent risk specifically related to conducting business over the internet includes:

exposure to viruses

website denial of service attack

unauthorized access by hackers, exposure to viruses, and website denial of service
attacks.

unauthorized access by hackers.
The correct answer is: unauthorized access by hackers, exposure to viruses, and website
denial of service attacks.
The Internet has introduced risks to computer systems that do not exist on private networks.
Among the threats is a greatly increased risk of unauthorized access, as hackers have grown
both numerous and more sophisticated in their attacks. Internet presence also exposes
systems to malware, including viruses, worms, spyware, spam, and Trojan horses.

Q104:
Which one of the following would most compromise the use of the grandfather-father-son
principle of file retention as protection against loss or damage of master files?

Use of magnetic tape.

Inadequate ventilation.

Storing of all files in one location.

Failure to encrypt data.
The correct answer is: Storing of all files in one location.

Storing all files in one location undermines the concept of multiple backups inherent in the
grandfather-father-son principle.
Q105:
There are three components of audit risk: inherent risk, control risk, and detection risk.
Inherent risk is

the risk that a material misstatement that could occur in an assertion will not be
prevented or detected on a timely basis by the entity's internal control structure
policies or procedures.

the risk that the auditor will not detect a material misstatement that exists in an
assertion.

the risk that the auditor may unknowingly fail to appropriately modify his or her
opinion on financial statements that are materially misstated.

the susceptibility of an assertion to a material misstatement, assuming that there are
no related internal control structure policies or procedures.
The correct answer is: the susceptibility of an assertion to a material misstatement,
assuming that there are no related internal control structure policies or procedures.

Inherent risk is the probability of an error or irregularity causing a material misstatement in
an assertion. This is also referred to as the probability that a threat to the system will occur.
Q106:
The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components. An organization's ongoing management activities, evaluations, and internal
audits are a part of

monitoring.

risk assessment.

information and communication.

control environment.
The correct answer is: Monitoring
Monitoring is accomplished through ongoing management activities, separate evaluations,
or both. Internal auditors, the audit committee, and the disclosure committee, as well as
management, may all be involved in monitoring controls.

Q107:
Effective controls designed to catch errors and improve the accuracy of data processing in
batches before new information is written to the master file includes all of the following
except:

A record count

A control total

A hash total

A check digit
The correct answer is: A check digit
A check digit is an input control used during the data entry process of an individual record.
The other three items are all examples of batch input controls.

Q108:
The internal auditors should report all of the following control breakdowns or risks to
management except for:

Penetration of information security

Illegal acts

Immaterial weaknesses

Fraud
The correct answer is: Immaterial weaknesses
The internal auditors should report fraud, material weaknesses, illegal acts and any
penetration of information security.
Q109:
A data backup

should be run every day but is not helpful in the event of a data loss due to a computer
virus.

helps recover data after data losses but is done only if a company has a very large
database of information to recover.

helps prevent hacking and should be run on a daily basis.

helps recover data after data loss due to viruses, natural disasters, and hardware
failures and should be run on a daily basis.
The correct answer is: helps recover data after data loss due to viruses, natural disasters,
and hardware failures and should be run on a daily basis.
A data backup should be run on a daily basis. It is necessary for any business with stored
data and helps with recovery regardless of how data is lost. A data backup does not prevent
hacking.

Q110:
Internal auditors can evaluate the effectiveness of internal controls over the revenue and
cash collection process by completing all of the tasks except:

verify information in the sales journal and on sales invoices.

reconcile the accounts payable detail to the general journal.

reconcile accounts receivable detail with the general ledger.

send confirmations to customers requesting current account balances
The correct answer is: reconcile the accounts payable detail to the general journal.
Reconciling the accounts payable detail to the general ledger would be appropriate to an
audit of the cash disbursements process. The other activities mentioned are appropriate to
an audit of revenue and cash collection processes.

Q111:
In order to properly segregate duties, which function within the computer department
should be responsible for reprocessing the errors detected during the processing of data?

* Source: Retired ICMA CMA Exam Questions

Data control group.

Systems analyst.

Department manager.

Computer programmer.
Data control group. To properly segregate duties, the data control group should be
responsible for reprocessing the errors detected during the processing of data within the
computer department.

Q112:
Edit checks in a computerized accounting system

should be performed on transactions prior to updating a master file.

are preventive controls.

should be performed immediately prior to output distribution.

are easier to install after a system is operational.
The correct answer is: should be performed on transactions prior to updating a master file.

Edit checks are executed upon data entry. Their purpose is to detect and correct problems in
data input. They are performed upon data entry prior to updating a file to assure accuracy of
the update. The edit checks prevent the phenomenon of garbage in, garbage out.

Q113:
Under the Sarbanes-Oxley Act of 2002, companies are now required to implement anti-fraud
programs and controls that they evaluate on an annual basis as part of their integrated
audit. A common component of such anti-fraud programs and controls is the effective
design and implementation of codes of ethics and conduct. Which one of the following
is not a characteristic of the operating effectiveness of a code of conduct?

The existence of a plan to communicate the code of conduct to all (or covered)
employees of the company

Audit committee involvement and oversight of non-compliance with the company's
code of conduct

The existence of an appropriate "hot-line" or whistle blowing to report any violations
with the company's code of conduct

Lack of employee training in the company's code of conduct upon hiring and
periodically thereafter
The correct answer is: Lack of employee training in the company's code of conduct upon
hiring and periodically thereafter.

Lack of employee training in the company's code of conduct upon hiring and periodically
thereafter is not a characteristic of operating effectiveness of a code of conduct.

Q114:
Which of the following is not a requirement regarding a company's system of internal
control under the Foreign Corrupt Practices Act of 1977?

Management must annually assess the effectiveness of its system of internal control.

Transactions are executed in accordance with management's general or specific
authorization.

Transactions are recorded as necessary (1) to permit preparation of financial
statements in conformity with GAAP or any other criteria applicable to such
statements, and (2) to maintain accountability for assets.

The recorded accountability for assets is compared with the existing assets at
reasonable intervals, and appropriate action is taken with respect to any differences.
The correct answer is: Management must annually assess the effectiveness of its system of
internal control.

Management's annual assessment of internal control is not a requirement of the Foreign
Corrupt Practices Act. It became a requirement with the passage of the 2002 Sarbanes-Oxley
Act.

Q115:
Which of the following are provisions of the Sarbanes-Oxley Act?
I. The board of directors of an issuer must appoint an audit committee.
II. Management must certify financial statements.
III. Management must provide a written report on the effectiveness of internal control
procedures within 90 days of the publication of the annual report.
IV. A public accounting firm may not audit the books of an issuer of public securities if any
officer or director of the issuer was employed by the public accounting firm and participated
in any audit activity with the issuer within one year.

II and IV only

I, II, III, and IV

IV only

I, II, and IV only
The correct answer is: I, II, III, and IV
All of the listed requirements are provisions of the Sarbanes-Oxley Act.

Q116:
Ellen is processing a group of transactions and indicates as she begins running the program
that there are 15 transactions in the batch, totaling $150,000 in orders. This batch control is
related to all of the following except

a program access control.

an input control.

a processing control.

an output control.
The correct answer is: a program access control.
Processing controls are often interdependent with input and output controls. Processing
controls are checks that are run by the computer program while it processes the data to
verify that the information is accurate. In this example, the computer system will re-verify
that the batch was input properly. The output controls would tie the batch back to the input.
Q117:
Consider the following types of controls.

I. Preventive
II. Corrective
III. Feedback
IV. Feedforward
V. Detective

Which one of the following groups of controls are generally considered the most cost-
effective controls?

* Source: Retired ICMA CMA Exam Questions

I, III, and V.

III, IV, and V.

I, II, and V.

I, II, and III.
I, II, and IV. The most cost-effective controls to implement in an accounting information
system are preventive, corrective, and detective controls.

Q118:
Disaster recovery policies and procedures are designed to enable a company to carry on
business in the event of an unplanned disaster where the business would not be able to
function normally. A company's disaster recovery plan should include all of the following
except:

appoint a primary leader for the process.

specify backup sites for alternate computer processing.

define the roles of all members of the disaster recovery team.

document all processing and output controls.
The correct answer is: document all processing and output controls.
Disaster recovery policies and procedures, also called business continuance plans, are
designed to enable the firm to carry on business in the event that an emergency, such as a
natural disaster, disrupts normal function. A company's disaster recovery plan should define
the roles of all members of the disaster recovery team, appointing both a primary leader and
an alternate leader for the process. The plan should specify backup sites for alternate
computer processing.


Q119:
The principal impetus for the enactment of the Foreign Corrupt Act by the U.S. Congress was
to

* Source: Retired ICMA CMA Exam Questions

promote the mandates issued by the United Nations with regard to global trade
between its member nations.

discourage unethical behavior by foreigners employed by U.S. firms.

require mandatory documentation of the evaluation of internal controls by the
independent auditors.

prevent the bribery of foreign officials by U.S. firms seeking to do business overseas.
Prevent the bribery of foreign officials by U.S. firms seeking to do business overseas. The
enactment of the Foreign Corrupt Act by the U.S. Congress was implemented to prevent the
bribery of foreign officials by U.S. firms seeking to do business overseas.

Q120:
Of the following, the primary objective of compliance testing is to determine whether

procedures are regularly updated.

financial statement line items are properly stated.

controls are functioning as planned.

collusion is taking place.
The correct answer is: controls are functioning as planned.

A compliance audit is a review of controls to determine whether they conform to established
laws, standards, and procedures.

Q121:
The objective of a disaster recovery plan is to

provide for continuing business in the event of an emergency that results in the
inability to use the facility or the data center.

set forth procedures to follow if the building needs to be evacuated in the event of a
disaster.

provide a plan in the event of a union strike when there are no operators for the data
and processing systems.

provide protection against losses during times of severe recession.
The correct answer is: provide for continuing business in the event of an emergency that
results in the inability to use the facility or the data center.
The objective of a disaster recovery plan is to provide for continuing business in the event of
an emergency that results in the inability to use the facility or the data center.

Q122:
A public corporation that must meet the provisions of the Foreign Corrupt Practices Act of
1977 should have a compliance program that includes all of the following steps except

* Source: Retired ICMA CMA Exam Questions

documentation of the corporation's existing internal accounting control systems.

an authorized and properly signed agreement that it will abide by the Act.

a system of quality checks to evaluate the internal accounting control system.

a cost/benefit analysis of the controls and the risks that are being minimized.
An authorized and properly signed agreement that it will abide by the Act. A compliance
program to meet the provisions provided in the Foreign Corrupt Practices Act of 1977
includes documentation of the corporation's existing internal accounting control systems, a
cost/benefit analysis of the controls and the risks that are being minimized, and a system of
quality checks to evaluate the internal accounting control system.
Q123:
Which one of the following types of audits would be most likely to focus on objectives
related to the efficient use of resources?

* Source: Retired ICMA CMA Exam Questions

Independent audit.

Operational audit.

Compliance audit.

Information systems audit.
The type of audit that would focus on the objectives related to the efficient use of resources
is an operational audit.
