Section D Internal Controls P1

Section D

Internal Controls

Part1

Topic 1 – Risk assessment, controls, and risk management

Topic 2 – Internal auditing

Topic 3 – Systems controls and security measures

Q1:

When management of the sales department has the opportunity to override the system of

internal controls of the accounting department, a weakness exists in

monitoring.

risk management.

the control environment.

information and communication.

The correct answer is: the control environment.

The control environment includes the attitude of management toward the concept of

controls.

Q2:

When planning an audit, the auditor needs to evaluate audit risk where the auditor may

unknowingly fail to appropriately modify his opinion on financial statements that are

materially misstated. Audit risk is composed of

inherent risk, control risk, and detection risk.

risk of incorrect rejection, risk of incorrect acceptance, risk of overreliance, and risk of

underreliance.

r

r

r

r

r

r

tolerable error risk, sampling error risk, and inherent risk.

tolerable rate risk, sampling rate risk, and inherent risk.

The correct answer is: inherent risk, control risk, and detection risk.

Audit Risk = (Inherent Risk x Control Risk x Detection Risk)

Inherent risk is the probability of a misstatement due to an error or fraud. Control risk is the

probability that the misstatement gets by the client’s internal control system. Detection risk

is the probability that the misstatement is not detected by the auditor.

Q3:

Which of the following is a reason for independent checks?

To assess an employee and determine whether he or she is following control

procedures

To ensure that management appears compliant with external audit standards

To ensure that mistakes can be corrected within the fiscal year they are made

To detect and correct errors and misappropriation of assets

The correct answer is: To detect and correct errors and misappropriation of assets

Independent checks are a preventive measure. They try to catch mistakes before they

become integrated into the financial system, thus providing a higher level of assurance of

financial integrity.

Q4:

To prevent or detect potential fraudulent actions that could result from unexecuted

computer program code designed to be activated if an unscrupulous programmer becomes

dissatisfied or is terminated, auditors seek to identify and review unexecuted program

codes. Auditors can accomplish this through the use of which one of the following methods?

Scanning routines.

Mapping programs.

r

r

r

r

r

r

r

r

Test data processing.

Regression testing.

The correct answer is: Mapping programs.

Mapping programs are used to identify those portions of the software application program

code that are not executed and not triggered by some event.

Q5:

Control risk is the risk that a material error in an account will not be prevented or detected

on a timely basis by the client's internal control system. The best control procedure to

prevent or detect fictitious payroll transactions is

personnel department authorization for hiring, pay rate, job status, and termination.

storage of unclaimed wages in a vault with restricted access.

to use and account for prenumbered payroll checks.

internal verification of authorized pay rates, computations, and agreement with the

payroll register.

The correct answer is: personnel department authorization for hiring, pay rate, job status,

and termination.

An independent personnel department responsible for hiring personnel, maintaining

personnel records, and processing and documenting personnel terminations is a key control

needed to prevent or detect fictitious personnel.

Q6:

The chief audit executive has a dynamic role in any organization. The responsibilities of this

role include all of the following except:

Defining the nature and scope of work for internal audit.

Communicate audit results and improvements to management.

Establishing procedures for internal audit.

r

r

r

r

r

r

r

r

r

Assist management in ensuring that profitability expectations are met.

The correct answer is: Assist management in ensuring that profitability expectations are

met.

The chief audit executive’s role is to manage the internal audit activity effectively, ensuring

that it adds value to the organization. The responsibilities of this role include:

Establishing risk-based plans

Communicating plans to senior management and the board

Ensuring that sufficient resources are available to carry out the plans

Establishing policies and procedures to guide audit activity

Coordinating activities and sharing information

Reporting relevant information periodically to senior management and the board

Defining the nature of work

Q7:

Sam needs to send a check to a contract worker. The check number is on the check, and the

computer program adds a second number while printing the check to aid in tracking the

transaction. This is an example of

a program access control.

an output control.

a processing control.

an input control.

The correct answer is: an output control.

Output controls ensure accuracy and validity of information. They include controls for

validating processing results such as activity reports. Output controls regulate the

distribution and disposal of printed output, including pre-numbered checks.

Q8:

Data processed by a computer system are usually transferred to some form of output

medium for storage. However, the presence of computerized output does not, in and of

r

r

r

r

r

itself, ensure the output's accuracy, completeness, or authenticity. For this assurance,

various controls are needed. The major types of controls for this area include

transaction controls, general controls, and printout controls

tape and disk output controls and printed output controls.

hash totals, tape and disk output controls, and printed output controls.

input controls, tape and disk output controls, and printed output controls.

The correct answer is: input controls, tape and disk output controls, and printed output

controls.

Controls necessary to assure the accuracy of system output are called application controls.

Application controls consist of controls over input, processing, and output.

Q9:

Which of the following are responsibilities of the audit committee?

I. Aid in the choice of accounting methods and policies.

II. Document internal control procedures.

III. Sign quarterly and annual financial reports.

IV. Choose the auditor and approve auditor compensation.

V. Review the auditor's suggestions for improved internal control.

I, IV, and V only

I, II, III, IV, and V

I, II, and III only

I, III, IV, and V only

The correct answer is: I, IV, and V only

The audit committee performs the following tasks:

Reviews the company's internal control structure

Aids in the choice of accounting methods and policies

Reviews quarterly reports

r

r

r

r

r

r

r

r

Chooses the auditor and approves auditor compensation

Reviews the audit plan

Reviews the auditor's suggestions for improved internal control

Reviews the audit report and the audited annual report

Q10:

Which input control would be most effective to mitigate risks related to paying large dollar

invoices without management approval?

Passwords

A limit check

Control total

Check digit

The correct answer is: A limit check

A limit check can be set to restrict the maximum dollar amount of an invoice that can be

processed without specific authorization of management.

Q11:

The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing

components including control activities. Control activities include all of the following except:

Risk Management.

Independent verifications.

Adequate separation of duties.

Adequate documentation and records.

The correct answer is: Risk management

Control activities are policies and procedures established and implemented to help ensure

that the risk responses are effectively carried out. The Internal Control Integrated

Framework from 1992 model lists six control ac�vi�es:

The assignment of authority and responsibility (job descriptions)

r

r

r

r

r

r

r

r

A system of transaction authorizations

Adequate documentation and records

Security of assets

Independent verifications

Adequate separation of duties

Q12:

Procedures to limit the physical access to information systems hardware include all of the

following except:

requiring swipe card assess to restricted areas.

requiring dual control of valuable assets

sending confirmations to satellite offices.

employing security guards

The correct answer is: sending confirmations to satellite offices

Internal controls designed to protect the firm’s physical assets are often the most visible

safeguarding controls. Such controls include door locks, security systems, computer

passwords, and requirements for dual control of valuable assets.

Q13:

Which of the following are examples of systems development controls?

I. Each systems programmer is responsible for only a portion of the total program code.

II. The systems development manager runs a program that checks for unauthorized lines of

code, such as Trojan horses.

III. The computer tracks how long each person is on the Internet.

IV. A pilot review is run when the system is completed, tracking data results against results

from the previous version of the system.

II and IV only

r

r

r

r

r

I, II, and IV only

I, II, III, and IV

I and II only

The correct answer is: I, II, and IV only

Tracking how long an employee is on the Internet is not an example of systems development

controls. It may be an example of internal controls to promote efficiency.

Q14:

A variety of controls can be implemented to limit unauthorized access to an accounting

information system by external users. All of the following are acceptable access controls

except:

segregation of duties.

user IDs and profiles

passwords

encryption of data

The correct answer is: segregation of duties

Companies must use a variety of controls to protect their systems and data from

unauthorized access, beginning, at the most basic, with passwords. Software-based access

controls such as user ID’s and profiles allow the system administrators to manage access

privileges. An additional step many firms take is to encrypt data so that unauthorized users

who have been able to bypass first-level controls are not able to read, change, add to, or

remove the data.

Q15:

Which of the following are responsibilities of management?

I. Aid in the choice of accounting methods and policies.

II. Document internal control procedures.

III. Sign quarterly and annual financial reports.

IV. Choose the auditor and approve auditor compensation.

V. Review the auditor's suggestions for improved internal controls.

r

r

r

r

r

r

r


I, II, III, and V only


I and IV only

The correct answer is: I, II, III, and V only

Management must document internal control procedures and provide a written assessment

within 90 days prior to the publica�on of annual reports on the effec�veness of the internal

control structure and procedures. In addition, management must sign quarterly and annual

financial reports, and the chief executive officer must sign tax returns. The audit committee

of the board of directors, not management, chooses the auditor and approves auditor

compensation.

Q16:

Which of the following is true regarding the board of directors?

The board of directors must act in the best interest of the employees.

The board of directors must act in the best interest of the shareholders.

The board of directors must act in the best interest of management.

The board of directors must establish an audit committee to oversee all internal

controls.

The correct answer is: The board of directors must act in the best interest of the

shareholders.

The board of directors' primary responsibility is to act in the best interest of the

shareholders. It is not required to establish an audit committee.

Q17:

A company's management is concerned about computer data eavesdropping and wants to

maintain the confidentiality of its information as it is transmitted. The company should

utilize

r

r

r

r

r

r

r

r

data encryption.

password codes.

dial back systems.

message acknowledgment procedures.

The correct answer is: data encryption.

Data encryption, which uses secret codes, ensures that data transmissions are protected

from unauthorized tampering or electronic eavesdropping.

Q18:

The data entry staff of National Manufacturing Inc. has responsibility for converting all of the

plant’s shipping information to computerized records. The information flow begins when the

shipping department sends a copy of a shipping order to the data entry staff. A data entry

operator scans the shipping order information onto a hand-held data storage device.

Verification clerks then check the computerized record with the original shipping orders.

When a given batch of files has been reviewed and corrected, as necessary, the information

is uploaded to the company’s mainframe system at the home office.

The most effective way to visualize and understand this set of activities would be through

the use of a

* Source: Retired ICMA CMA Exam Questions

document flowchart.

decision table.

Gantt chart.

program flowchart.

Document flowchart. The most effective way to visualize and understand a set of activities

or process is through the use of a document flowchart

Q19:

r

r

r

r

r

r

r

r

Which of the following incidents should the auditor report to management or the board of

directors?

Several employees have been observed coming in late or leaving early.

An error of $0.05 was found in the data entry of one transac�on.

Control procedures require that the same person not enter and ship a transaction, but

both have been observed being done by the same person.

Compensation for the customer service manager is higher than for the internal auditor.

The correct answer is: Control procedures require that the same person not enter and ship a

transaction, but both have been observed being done by the same person.

The auditor must report findings that include inadequate control procedures, lack of

adherence to control procedures, inefficient allocation of resources, etc. The auditor is not

responsible for reporting on personnel behavior that does not affect accuracy of data

reporting or safeguarding of assets, and the auditor has no concern with levels of employee

compensation.

Q20:

The Sarbanes-Oxley Act has multiple sections that outline management's responsibility

regarding

the purchase of securities.

long-term strategic planning.

required education for chief financial officers.

internal controls and external reporting.

The correct answer is: internal controls and external reporting.

The Sarbanes-Oxley Act concentrates on management's responsibility in maintaining internal

controls so that external reports become more reliable.

Q21:

Locked doors, security systems, ID badges, passwords, and similar controls are designed to

ensure that internal controls are followed.

r

r

r

r

r

r

r

r

r

safeguard the firm's assets.

lower production costs.

protect the firm's reputation.

The correct answer is: safeguard the firm's assets.

The most visible safeguarding controls are designed and implemented to protect an

organization's assets.

Q22:

Internal controls are designed to provide reasonable assurance of achieving a corporation’s

control objectives. Several factors may present inherent limitations to otherwise well-

designed policies and procedures. Which one of the following is not a factor that limits the

effectiveness of internal controls?

Management override

Collusion

Segregation of duties

Carelessness

The correct answer is: Segregation of duties

Certain human factors or exceptions may present inherent limitations to otherwise well-

designed and well-supported control policies and procedures. The major ones are

management override of controls and collusion between employees and between

employees and outsiders. Other inherent weaknesses are carelessness, misunderstandings,

and the cost/benefit nature of controls.

Q23:

An operational audit

determines whether the overall financial statements fairly represent the firm's

operations and financial condition.

verifies that the company is following all applicable laws and regulations.

r

r

r

r

r

r

r

r

r

verifies that capital assets are accurately tracked.

appraises the effectiveness of the business against corporate and industry standards.

The correct answer is: appraises the effectiveness of the business against corporate and

industry standards.

The operational audit is technically a non-financial audit. The purpose of an operational

audit is to evaluate the organization and efficiency of the firm or one of its subdivisions.

Operational audits are designed to examine and evaluate systems of internal control and

overall company operations.

Q24:

All of the following are included in the systems implementation process except

systems design.

testing.

conversion.

training.

The correct answer is: systems design.

The steps in systems development are analysis, design, implementation, follow-up,

operations, and maintenance. Implementation consist of training , testing, conversion, and

documentation.

Q25:

Part of the audit planning process is the gathering of evidence about an organization’s

internal controls. The following procedures would be evidence for evaluating the

effectiveness of internal controls except:

Interviewing employees in the accounting department.

Observing procedures as employees complete daily tasks.

r

r

r

r

r

r

r

r

Review documentation, policies, procedures, and user manuals.

Documentation sent to senior management summarizing audit findings

The correct answer is: Documentation sent to senior management summarizing audit

findings

Evidence gathered by auditors is called primary evidence and might be gathered by

observation, surveys, interviews, inspection of documents (cancelled checks to verify

disbursements, timecards to verify hours worked, and so on), or other means.

Q26:

During an audit, an auditor assesses the adequacy of internal controls. An auditor considers

what to audit and the extent of substantive testing based upon the auditor’s assessment of

Preventative controls.

Control risk.

Corrective controls.

Detective controls.

The correct answer is: Control risk

When designing a financial audit, the auditor assesses the adequacy of internal controls as

they relate to financial activities. The nature, timing, and extent of substantive testing will

depend upon the auditor’s assessment of the amount of control risk and the credibility of

assertions regarding the company’s transactions. Substantive tests in the financial audit

might focus on the details of account balances, analytical procedures, transactions, and the

physical security of assets, among other matters.

Q27:

A firm is constructing a risk analysis to quantify the exposure of its data center to various

types of threats. Which one of the following situations would represent the highest annual

loss exposure after adjustment for insurance proceeds?

Frequency of occurrence: 20 years, Loss Amount: $200,000, Insurance coverage: 80%

r

r

r

r

r

r

r


Frequency of occurrence: 1 year, Loss Amount: $15,000, Insurance coverage: 85%


The correct answer is: Frequency of occurrence: 1 year, Loss Amount: $15,000, Insurance

coverage: 85%.

The exposure is the same as the expected loss, which is calculated by taking the “Frequency

of Occurrence,” multiplying it by the loss amount, and then multiplying that by one minus

the “Insurance % coverage” rate.

Expected loss = (frequency of occurrence) (loss amount) (1 - % insurance coverage)

For the 1 year frequency: the expected loss = (1/1)($15,000)(1-0.85) = $2,250.




$2,250 represents the highest annual loss exposure a�er adjus�ng for insurance proceeds.

Q28:

PCAOB Audi�ng Standard No. 5 requires auditors to follow a top-down, risk assessment

(TDRA) approach to auditing financial statements and internal controls. Which item is not

one of the steps in TDRA?

Determining which transaction-based controls compensate for possible entity-level

control failures.

Determining which entity-level controls sufficiently address the risks.

Identifying insignificant accounts or disclosures.

Identifying material misstatement risks within these accounts or disclosures.

The correct answer is: Identifying insignificant accounts or disclosures.

TDRA is a hierarchical approach that applies specific risk factors to determine the scope of

work and evidence required in the assessment of internal controls. The steps in TDRA are as

follows:

r

r

r

r

r

r

r

Identifying significant accounts or disclosures.

Identifying material misstatement risks within these accounts or disclosures.

Determining which entity-level controls sufficiently address the risks.

Determining which transaction-based controls compensate for possible entity-level control

failures.

Determining the nature, extent, and timing of evidence gathering tests needed to complete

the assessment of the internal controls

Q29:

Which of the following statements is false?

Internal controls can be most effective if they are supported by word and example of

management.

The auditor will examine internal controls to determine control risk.

Thorough and well-documented internal controls can result in fewer misstatements of

information.

Thorough and well documented internal controls can guarantee that fraud cannot be

committed.

The correct answer is: Thorough and well documented internal controls can guarantee that

fraud cannot be committed.

Internal controls are not a guarantee against fraud.

Q30:

Output controls provide assurance that processing is complete and accurate. Which of the

following controls is not an output control?

Reasonableness check

Audit trail

Password protection of document

r

r

r

r

r

r

r

Error listing

The correct answer is: Reasonableness check

A reasonableness check is an input control. The other three items are examples of output

controls.

Q31:

Lynn is entering a transaction on the screen and receives an error message telling her the

account number does not match the customer name. This is an example of


an output control.

an input control.


The correct answer is: an input control.

This is an example of an input control, which processes validity checks to help avoid input of

transactions with inaccurate information.

Q32:

The internal audit function is

responsible for ensuring that all information on financial statements is accurate and

true.

required by the Foreign Corrupt Practices Act.

independent of operations and responsible for reviewing the reliability and integrity of

financial and operating information.

a part of the accounting department and reports directly to the operations manager.

The correct answer is: independent of operations and responsible for reviewing the

reliability and integrity of financial and operating information.

The internal auditing department should remain independent of company operations, so

r

r

r

r

r

r

r

r

r

that it can remain objective. The internal auditor cannot assure that all information is

accurate. The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an

internal audit department.

Q33:

When an internal auditor expresses an opinion as to the efficiency and effectiveness of an

entity’s activities and makes recommendations for improvements, the auditor is conducting

a(n)


financial statement audit of a public company.

operational audit.

compliance audit.

financial statement audit of a municipality.

Operational audit. The type of audit that would focus on the objectives related to the

efficient use of resources is an operational audit.

Q34:

Which one of the following methods, for the distribution of employees’ paychecks, would

provide the best internal control for the organization?


Direct deposit in each employee’s personal bank account.

Delivery of the paychecks to each department supervisor, who in turn would distribute

paychecks directly to the employees in his/her department.

Distribution of paychecks directly to each employee by the payroll manager.

Distribution of paychecks directly to each employee by a representative of the Human

Resource department.

r

r

r

r

r

r

r

r

Direct deposit in each employee’s personal bank account. The best internal control

procedure for the distribution of employee paychecks would be the direct deposit of the

paychecks into each employee’s personal bank account. This would allow the organization to

maintain control of the payroll processing function.

Q35:

Which of the following are potential threats to an information system?

I. Trojan horses

II. Manipulation of input data

III. Computer viruses

IV. Data theft

I, II, and III only

III and IV only

I, II, III, and IV

I and II only

The correct answer is: I, II, III, and IV

There are many threats to information systems, including input manipulation, program

alteration, data theft, sabotage, viruses, Trojan horses, and theft.

Q36:

During the audit of assets, an internal auditor believes that several items were classified as

assets when they should have been classified as expenses. To whom should the internal

auditor report these concerns to?

Consult with legal counsel for advice.

Discuss the matter with senior management to determine if the classifications are

correct.

Discuss the matter with the general accountant who classified the transactions.

Discuss the matter with the chief audit executive.

r

r

r

r

r

r

r

r

The correct answer is: Discuss the matter with the chief audit executive.

An internal auditor should report all concerns they encounter to the chief audit executive

who will then determine the appropriate next course of action.

Q37:

Audit procedures may include a variety of computerized programs and accuracy tests to

confirm that the data processed by computer applications post to the correct general ledger

accounts. These procedures are referred to as:

Output controls

Security controls

Input controls

Processing controls

The correct answer is: Processing controls

Computerized programs and accuracy tests to confirm that data is processed by computer

applications correctly are called processing controls.

Q38:

A computer virus is different from a “Trojan Horse” because the virus can


erase executable files.

corrupt data.

replicate itself.

alter programming instructions.

Replicate itself. A virus is different from a “Trojan Horse” in the way it can replicate itself.

Q39:

r

r

r

r

r

r

r

Which of the following is an example of a completeness control?

Facilities utilization reports

Employees time sheets that must be completed before employees can receive their

paychecks

Pre-numbered forms that allow for reconciliation of form numbers against shipping

reports

Thorough training on proper accounting classes to which transactions should be posted

The correct answer is: Pre-numbered forms that allow for reconciliation of form numbers

against shipping reports

Completeness controls are measures taken to account for all transactions. Poor control over

blank forms, blank checks, or unnumbered forms can provide access to assets and allow

transfers to unauthorized personnel.

Q40:

In entering the billing address for a new client in Emil Company's computerized database, a

clerk erroneously entered a nonexistent zip code. As a result, the first month's bill mailed to

the new client was returned to Emil Company. Which one of the following would most likely

have led to discovery of the error at the time of entry into Emil Company's computerized

database?

Limit test.

Validity text.

Parity test.

Record count test.

The correct answer is: Validity text.

A validity test compares data against a master file for accuracy. Data that cannot possibly be

correct (e.g., a nonexistent zip code) would be discovered at that time.

r

r

r

r

r

r

r

r

Q41:

Detection risk is the risk

that the business will naturally experience, regardless of internal controls.

that measures the effectiveness of a firm's internal controls.

that internal controls will not be followed.

that an internal audit will not uncover incidents where controls have not been

followed.

The correct answer is: that an internal audit will not uncover incidents where controls have

not been followed.

Detection risk can also be planned detection risk and is a measure of the risk that audit

evidence will fail to detect misstatements exceeding an acceptable audit risk.

Q42:

Which of the following is an example of segregation of duties?

The shipping manager can access the order-entry computer software and enter an

order.

A clerk in the order department does not have access to the products and therefore

cannot ship products to customers.

The president of a small company is able to access payroll records and adjust entries.

The person who takes the order from a customer enters the order into the system and

supervises the shipment of the product.

The correct answer is: A clerk in the order department does not have access to the products

and therefore cannot ship products to customers.

One of the purposes of segregation of duties is to safeguard assets. If the same person can

enter an order and then ship it, he or she may be able to steal product by shipping to him or

herself or an accomplice.

Q43:

r

r

r

r

r

r

r

r

The basic concepts implicit in internal accounting controls include the following:

• The cost of the system should not exceed benefits expected to be attained.

• The overall impact of the control procedure should not hinder operating efficiency.

Which one of the following recognizes these two factors?


Reasonable assurance.

Management responsibility.

Limitations.

Methods of data processing.

Reasonable assurance. Reasonable assurance recognizes that the cost of the system should

not exceed the benefits expected to be attained, and the overall impact of the control

procedure should not hinder operating efficiency.

Q44:

Which controls provide reasonable assurance that data is complete, accurate, and

authorized?

Processing controls

Physical controls

Input controls

Output controls

The correct answer is: Input controls

Input controls help to provide reasonable assurance that data is complete, accurate, and

authorized.

Q45:

Which of the following has the most effect on the control environment?

r

r

r

r

r

r

r

r

Organizational structure

Whether controls are changed on a regular basis

Management philosophy and operating style

Size of the company

The correct answer is: Management philosophy and operating style

Management's philosophy and operating style send signals to employees about the

importance of establishing and following internal controls. The size of the company, the

frequency with which controls are changed, and the organizational structure by themselves

do not impact the control environment as much as management's philosophy.

Q46:

Auditors document their understanding of management's internal control system with

questionnaires, flowcharts, and narrative descriptions. A questionnaire consists of a series of

questions concerning controls that auditors consider necessary to prevent or detect errors

and irregularities. The most appropriate question designed to contribute to the auditors'

understanding of the completeness of the expenditure cycle concerns the

use and accountability of prenumbered checks.

qualifications of accounting personnel.

internal verification of quantities, prices, and mathematical accuracy of sales invoices.

use of a check protection device to imprint check amounts.

The correct answer is: use and accountability of prenumbered checks.

All important forms relating to financial transactions such as checks should be prenumbered

and their numerical sequence should be accounted for.

Q47:

Company ABC has installed a software/hardware system that restricts access by outsiders to

the firm's network. This is called

r

r

r

r

r

r

r

r

a firewall.

data encryption.

a disaster recovery procedure.

an intrusion detection system.

The correct answer is: a firewall.

A firewall restricts access to a network from outside the company but does not guarantee

security. An intrusion detection system alerts the system administrator to unusual activity or

attempts at breaking past the firewall. Data encryption can minimize the risk of

unauthorized access to data but does not restrict access to a network. A disaster recovery

procedure is instituted when the network has been destroyed due to a natural disaster or

purposeful destruction.

Q48:

Inherent risk is the risk

that the business will naturally experience, regardless of internal controls.

that internal controls will not be followed.

that measures the effectiveness of a firm's internal controls.

that an internal audit will not uncover incidents where controls have not been

followed.

The correct answer is: that the business will naturally experience, regardless of internal

controls.

Inherent risk is the normal risk of the business, such as the risk of droughts for farmers or

the risk of a recession.

Q49:

Which of the following best describe the interrelated components of a system of internal

control?

organizational structure, management philosophy, and planning

r

r

r

r

r

r

r

r

r

risk assessment, backup facilities, responsibility accounting, and natural laws

control environment, risk assessment, control activities, information and

communication systems, and monitoring

personnel practices and policies, authorization, and segregation of duties

The correct answer is: control environment, risk assessment, control activities, information

and communication systems, and monitoring.

The five interrelated components or elements of internal control as defined in the 1992

COSO (Committee of Sponsoring Organizations) Model are the control environment, risk

assessment, control activities, information and communication, and monitoring.

Q50:

In securing the client/server environment of an information system, a principal disadvantage

of using a single level sign-on password is the danger of creating a(n)


trap door entry point.

single point of failure.

lock-out of valid users.

administrative bottleneck.

Single point of failure. Advantages of a securing a client/server environment of an

information system using a single level sign-on password is a trap door entry point,

administrative bottleneck and lock-out of valid users. A disadvantage of using such a system

is a single-point of failure.

Q51:

Which one of the following is not the component of the audit risk model commonly used by

auditors in deciding how much evidence to accumulate in each cycle?

Inherent risk

r

r

r

r

r

r

r

r

Control risk

Engagement risk

Planned detection risk

The The correct answer is: Engagement risk.

Audit Risk = Inherent Risk x Control Risk x Detection Risk.

Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk).

Engagement risk relates to whether the auditor should be associated with the client in the

first place, and is not part of the audit risk equation.

Q52:

Which one of the following represents a lack of internal control in a computer-based

system?

Programmers have access to change programs and data files when an error is detected.

Provisions exist to protect data files from unauthorized access, modification, or

destruction.

The design and implementation is performed in accordance with management's

specific authorization.

Any and all changes in applications programs have the authorization and approval of

management.

The correct answer is: Programmers have access to change programs and data files when an

error is detected.

The IT (information technology) function should be separate from the other functional areas

in the organization. In addition, within IT, there should be a separation between

programmers/analysts, operations, and technical support. Change programs and data files

belong to IT operations. Error correction and reentry belongs to the system user.

Q53:

Which of the following might an internal auditor provide as a result of an audit?

r

r

r

r

r

r

r

I. Appraisal of performance

II. Recommendations for changes

III. Advice to management on improving controls

IV. Recommendations to management on changes to their compensation.

I, II, and III only

I, II, III, and IV

I and II only

III and IV only

The correct answer is: I, II, and III only

The internal audit function reports primarily to the board of directors but also provides

analyses, appraisals, recommendations, counsel, and information concerning activities

reviewed to assist management. The audit report does not deal with levels of employee

compensation.

Q54:

All of the following are examples of encryption techniques used for computer security

except


authentication key.

primary key.

private key.

public key.

Primary key. Encryption techniques include a public key, a private key, and an authentication

key.

Q55:

In order to prevent, detect, and correct errors and unauthorized tampering, a payroll system

should have adequate controls. Thebest set of controls for a payroll system includes

r

r

r

r

r

r

r

r

employee supervision, batch totals, record counts of each run, and payments by check.

batch totals, record counts, user codes, proper separation of duties, and online edit

checks.

passwords and user codes, batch totals, employee supervision, and record counts of

each run.

batch and hash totals, record counts of each run, proper separation of duties,

passwords and user codes, and backup copies of activity and master files.

The correct answer is: batch and hash totals, record counts of each run, proper separation of

duties, passwords and user codes, and backup copies of activity and master files.

Transaction processing systems need controls to assure authorization, completeness,

accuracy, and timeliness. The four objectives, in processing payroll, are accomplished by

using batch and hash totals, record counts of each run, proper separation of duties,

passwords and user codes, and backup copies of activity and master files.

Q56:

The Institute of Internal Auditors (IIA) is the leading professional organization that sets

standards and rules for the practice of internal auditing. In light of the definition of internal

auditing adopted by the IIA, the scope of internal auditing includes all of the following

activities except

conducting operational audits to help improve the efficiency and effectiveness of the

company's operations.

providing periodic positive assurance to the board on the effectiveness of the

company's system of internal control.

assisting on consulting projects as needed by the management.

evaluating the effectiveness of the company's risk management processes.

The correct answer is: providing periodic positive assurance to the board on the

effectiveness of the company's system of internal control.

Periodic evaluation of the effectiveness and efficiency of internal controls is a standard

internal audit function. The evaluation, however, may not result in positive assurance.

r

r

r

r

r

r

r

r

Q57:

Accounting controls are concerned with the safeguarding of assets and the reliability of

financial records. Consequently, these controls are designed to provide reasonable

assurance that all of the following take place except

comparing recorded assets with existing assets at periodic intervals and taking

appropriate action with respect to differences.

recording transactions as necessary to permit preparation of financial statements in

conformity with generally accepted accounting principles and maintaining

accountability for assets.

executing transactions in accordance with management's general or specific

authorization.

compliance with methods and procedures ensuring operational efficiency and

adherence to managerial policies.

The correct answer is: compliance with methods and procedures ensuring operational

efficiency and adherence to managerial policies.

An internal control system is concerned with safeguarding assets, accuracy and reliability of

records, operational efficiency, adherence to policy, and compliance with laws and

regulations. The first two are called accounting controls. The latter three are referred to as

administrative controls.

Q58:

Which one of the following functions performed in an organization is a violation of internal

control?


The General Ledger clerk compares the summary journal entry, received from the

Cashier for cash receipts applicable to outstanding accounts, with the batch total for

posting to the Subsidiary Ledger by the Accounts Receivable clerk.

A mail clerk opening the mail compares the check received with the source document

accompanying the payment, noting the amount paid, then forwards the source

documents that accompany the payments (along with a listing of the cash receipts) to

Accounts Receivable, on a daily basis, for posting to the subsidiary ledger.

r

r

r

r

r

r

At the end of the week the Cashier prepares a deposit slip for all of the cash receipts

received during the week.

A mail clerk opening the mail compares the check received with the source document

accompanying the payment, noting the amount paid, then forwards the checks daily

(along with a listing of the cash receipts) to the Cashier for deposit.

At the end of the week the Cashier prepares a deposit slip for all of the cash receipts

received during the week. Internal controls should have effective separation of duties to

prevent fraudulent activities to occur. From the examples provided, a cashier preparing a

deposit slip for all of the cash receipts received during the week is a clear violation of

internal control.

Q59:

Which of the following are objectives of internal controls?

I. Reliability of financial reports

II. Guarantees against fraud

III. Effectiveness of operations

IV. Efficiency of operations

V. Compliance with applicable laws and regulations


I, III, and V only


I, II, and IV only

The correct answer is: I, III, IV, and V only

Internal controls cannot guarantee that fraud will not be perpetrated.

Q60:

Data encryption

is not necessary unless a business is working on government defense contracts.

converts data from easily read local language into a secret code and helps prevent

r

r

r

r

r

r

r

r

unauthorized usage of sensitive information.

is less necessary over the Internet than on a LAN or WAN because e-mail and FTP

cannot be intercepted.

converts graphics into binary code that can be more easily transmitted over the

Internet.

The correct answer is: converts data from easily read local language into a secret code and

helps prevent unauthorized usage of sensitive information.

Data encryption helps prevent unauthorized access to sensitive information and can be used

on data transmissions over the Internet and on a LAN/WAN as well as on files stored on the

LAN/WAN.

Q61:

Which statement is not a requirement of PCAOB Audi�ng Standard No. 5?

Requires auditors to follow a risk-based approach to the development of auditing

procedures.

Requires auditors to scale the audit to the size of the organization.

Requires auditors to follow a rules-based approach to determine the extent of audit

testing.

Requires the auditors to follow prescribed approaches to perform the audit.

The correct answer is: Requires auditors to follow a rules-based approach to determine the

extent of audit testing.

PCAOB Audi�ng Standard No. 5 requires auditors to follow a risk-based approach to the

development of audi�ng procedures and performing a Sec�on 404 audit. It also requires the

auditor to scale the audit to the size of the organization under audit, and to follow a

principles-based approach to determine when and to what extent he or she can rely on the

work of others.

Q62:

Which of the following are required under the Foreign Corrupt Practices Act?

r

r

r

r

r

r

I. A firm must design internal control procedures.

II. A firm must have an internal audit department.

III. Transactions must be executed with management's authorization.

IV. Access to assets must be authorized.

I and III only

I and II only

I, III, and IV only

I, II, III, and IV

The correct answer is: I, III, and IV only

The Foreign Corrupt Practices Act (FCPA) does not require a firm to have an internal audit

department.

Q63:

Flowcharts of activities are used to

visually inspect, observe, and document a process in order to assess effectiveness of

control procedures.

help ensure that data transmitted over the Internet is not intercepted by unauthorized

personnel.

ensure that data can be recovered if it is lost.

help detect intrusion past the firewall into the network.

The correct answer is: visually inspect, observe, and document a process in order to assess

effectiveness of control procedures.

A flowchart is used by the internal auditor to review the information system and related

control procedures for adequacy as well as efficiency of operations.

Q64:

Which of the following is NOT an internal control?

Requirements for accurate recording of vacations

r

r

r

r

r

r

r

r

r

Required dress code

Employee pay records

Pre-numbered forms

The correct answer is: Required dress code

All of the choices except required dress code are internal controls.

Q65:

The chief audit executive believes that the company has accepted an unacceptably high level

of risk related to their assessment of uncollectible accounts receivables. To whom should the

chief audit executive report this concern to?

The CFO.

The board of directors.

The CEO.

The external audit team.

The correct answer is: The board of directors.

If the chief audit executive believes that senior management has accepted an unacceptably

high level of risk for the organization’s risk appetite, then the chief audit executive and

senior management should report the matter to the board.

Q66:

A critical aspect of a disaster recovery plan is to be able to regain operational capability as

soon as possible. In order to accomplish this, an organization can have an arrangement with

its computer hardware vendor to have a fully operational facility available that is configured

to the user's specific needs. This is best known as a(n)

hot site.

parallel system.

r

r

r

r

r

r

r

r

r

cold site.

uninterruptible power system.

The correct answer is: hot site.

A hot site is a back-up site in another location, that has the company’s hardware and

software and is ready to run on a moment’s notice.

Q67:


regarding






The Sarbanes-Oxley Act concentrates on management's responsibility in maintaining internal

controls so that external reports become more reliable.

Q68:

Which of the following could a compliance audit verify?

I. Compliance with GAAP

II. Compliance with employment laws

III. Compliance with OSHA laws

IV. Compliance with tax laws

I and II only

III and IV only

II, III, and IV only

r

r

r

r

r

r

r

r

r

I, II, III, and IV


The auditor could verify compliance with any law or regulation.

Q69:

Which one of the following would be most effective in deterring the commission of fraud?


Policies of strong internal control, segregation of duties, and requiring employees to

take vacations.

Policies of strong internal control and punishments for unethical behavior.

Hiring ethical employees, employee training, and segregation of duties.

Employee training, segregation of duties, and punishment for unethical behavior.

Policies of strong internal control, segregation of duties, and requiring employees to take

vacations. The most effective policy to deter the commission of fraud is to provide policies of

strong internal control, segregation of duties, and requiring employees to take vacations.

Q70:

Which of the following statements is true?

Higher-paid employees tend to follow control procedures more carefully and

consistently.

Control procedures can completely make up for careless employees.

Control procedures are ineffective if employees are not all highly educated and trained.

Hiring, promoting, and training competent personnel are integral to an efficient control

environment.

The correct answer is: Hiring, promoting, and training competent personnel are integral to

an efficient control environment.

Hiring, promoting, and training competent personnel are integral to an efficient control

r

r

r

r

r

r

r

r

r

environment. However, control procedures will not be ineffective without this, and

adherence to control procedures does not necessarily follow with higher levels of education

or pay.

Q71:

Which of the following is true regarding the board of directors?

The board of directors must act in the best interest of management.

The board of directors must act in the best interest of the shareholders.

The board of directors must act in the best interest of the employees.

The board of directors must establish an audit committee to oversee all internal

controls.

The correct answer is: The board of directors must act in the best interest of the

shareholders.

The board of directors' primary responsibility is to act in the best interest of the

shareholders. It is not required to establish an audit committee.

Q72:

The Sarbanes-Oxley Act of 2002 increased management’s responsibility for accurate

financial repor�ng. Which of the following is not a requirement of Sec�on 404 of the

Sarbanes-Oxley Act?

Document management’s responsibility to refuse to accept contracts or business

through the payment of bribes.

Document management’s responsibility for establishing adequate internal control

policies.

Document management’s assessment of the effectiveness of the internal control

structure and procedures.

Document management’s responsibility for maintaining adequate internal control

policies.

The correct answer is: Document management’s responsibility to refuse to accept contracts

or business through the payment of bribes.

r

r

r

r

r

r

r

r

The 1977 Foreign Corrupt Prac�ces Act forbids companies from accep�ng contracts or

business through the payment of bribes to foreign governments. The other answers are all

requirements of SOX Sec�on 404.

Q73:

There are many ways that realtime accounts receivable systems differ from batch accounts

receivable systems. Which one of the following is not correct?

Realtime systems: Must use direct-access files; Batch systems: Can use simple

sequential files.

Realtime systems: Invoicing is performed as goods are shipped; Batch systems:

Invoicing is performed through scheduled billing runs.

Realtime systems: Processing is done on demand; Batch systems: Processing is done

during scheduled computer runs.

Realtime systems: Processing choices are menu-driven; Batch systems: Processing is

interactive.

The correct answer is: Realtime systems: Processing choices are menu-driven; Batch

systems: Processing is interactive.

Real-time processing is menu driven, but the batch system processing is not interactive.

Batch processing is the aggregation of several transactions over a period of time with the

subsequent processing of these data as a group. The system feedback in batch processing

can be received only after such processing with a substantial delay.

Q74:


regarding





r

r

r

r

r

r

r

r


Sec�on 404 of the 2002 Sarbanes-Oxley Act requires management to establish and

document internal control procedures and to provide a wri�en assessment within 90 days

prior to publication of annual reports of the effectiveness of the internal control structure

and procedures. Sec�on 906 of the act requires management cer�fica�on of the financial

statements.

Q75:

Systems security controls

include blocking physical access to computers, protecting computer systems from

environmental effects (cold, floods), and logical controls that block unauthorized

access.

are not necessary if proper software controls are maintained.

are not required in a small company.

require only that the computer is in a climate-controlled room and behind a locked

door.

The correct answer is: include blocking physical access to computers, protecting computer

systems from environmental effects (cold, floods), and logical controls that block

unauthorized access.

Systems security controls encompass both the physical access to the hardware and the

logical (ability to use) access to the hardware.

Q76:

Which of the following is true?

Disaster recovery will be effective only for firms with subsidiaries in a different region.

A firewall system guarantees that unauthorized users will not be able to access the

backup data.

Data backups should be regularly stored off site for recovery in the event of the loss of

the facility in which the data resides.

r

r

r

r

r

r

r

Automated backup systems are often ineffective; backups should be instituted every

day by an authorized computer manager.

The correct answer is: Data backups should be regularly stored off site for recovery in the

event of the loss of the facility in which the data resides.

Data backup tapes should be regularly transferred to off-site storage so that recovery

procedures can be instituted in case a disaster destroys the data center. Automated backup

systems work fine. Nothing guarantees that hackers will not be able to access the system.

Disaster recovery can be effective for many types and sizes of businesses.

Q77:

The primary reason an auditor considers the strengths and weaknesses of internal control

systems in conjunction with financial statement audits is to

appraise the efficiency with which resources are employed.

identify the controls that could likely prevent or detect errors or irregularities.

identify the causes of errors or irregularities in an internal control system.

provide a basis for reliance in determining the nature, timing, and extent of substantive

tests.

The correct answer is: provide a basis for reliance in determining the nature, timing, and

extent of substantive tests.

The purpose of the auditor’s study and evaluation of the internal control system is to

determine the nature, extent, and timing of the other audit tests needed to collect sufficient

evidence upon which to base his/her opinion. The nature, extent, and timing of the other

tests depends on the strengths and weaknesses in the system.

Q78:

When assessing a company’s internal control structure policies and procedures, the primary

consideration is whether they


relate to the control environment.

r

r

r

r

r

r

reflect management’s philosophy and operating style.

affect the financial statement assertions.

prevent management override.

Affect the financial statement assertions. The primary consideration when assessing a

company’s internal control structure policies and procedures is whether they affect the

financial statement assertions.

Q79:

In designing systems of internal control, which of the following types of controls are

the best to include in the design in order to be fully effective?

systems development, operations, and access controls

management, personnel, and administrative controls

edit, input verification, and output controls

preventative, detective, and corrective controls

The correct answer is: preventative, detective, and corrective controls.

There are five types of internal controls. They are preventive, detective, corrective, directive,

and compensating. The first three are the ones designed into the sytem.

Q80:

A compliance audit verifies

whether employees are wearing appropriate attire.

that transactions are accurately recorded and financial information is fairly reported.

whether internal control policies and procedures are adequate for safeguarding assets.

that the company is following all applicable laws and regulations.

r

r

r

r

r

r

r

r

r

r

r

The correct answer is: that the company is following all applicable laws and regulations.

The compliance audit verifies that the company has complied with all applicable laws and

regulations.

Q81:

Which of the following is a risk of using the Internet to transmit data?

Data wires connecting a LAN can easily be breached by hackers.

Data is easily intercepted and can be stolen or altered when being sent on an

unsecured line.

Telecommunication lines connecting a WAN may corrupt data due to the long distances

between computers.

Encrypted files cannot be sent via the Internet.

The correct answer is: Data is easily intercepted and can be stolen or altered when being

sent on an unsecured line.

Data transmitted via the Internet generally is considered to have a low level of integrity due

to the possibility of interception or data scrambling. Encrypted files can be sent via the

Internet and are better protected from interception. Wired LANs and WANs do not rely on

Internet technology to connect computers and are therefore not open to the same risks for

data transmission.

Q82:

The relationship between inherent risk, planned detection risk, and planned audit evidence

is best described as follows.

Inherent risk is positively related to planned detection risk and not at all related to

planned evidence.

Inherent risk is inversely related to planned detection risk and directly related to

planned evidence.

Inherent risk is inversely related to planned detection risk and planned audit evidence.

There is no relationship between inherent risk, planned detection risk, and planned

audit evidence.

r

r

r

r

r

r

r

r

The correct answer is: Inherent risk is inversely related to planned detection risk and directly

related to planned evidence.

Audit Risk = (Inherent Risk x Control Risk x Detection Risk).

Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk).

Since detection risk is the probability that a misstatement will not be discovered by the

auditor, as detection risk decreases, the planned audit evidence required will decrease. The

formula for detection risk shows that inherent risk is inversely related to planned detection

risk and directly related to planned evidence.

Q83:

Alex is an unhappy employee, and he writes a line of code into the company's software

system that will erase every tenth transaction entered into the system. Which of the

following is this called?

Virus

Trojan horse

Saboteur

Revenge line

The correct answer is: Trojan horse

A Trojan horse is a computer program containing an intentional line of code created by a

programmer for personal gain (transferring funds without the company knowing) or

revenge.

Q84:

In situations where it is crucial that data be entered correctly into an accounting information

system, the best method of data control would be to use


reasonableness tests.

r

r

r

r

r

key verification.

limit checks.

compatibility tests.

Key verification. The best method of data control in situations where it is crucial that data be

entered correctly into an accounting information system is through the use of key

verification.

Q85:

Segregation of duties controls are examples of

compensating controls.

preventive controls.

administrative controls.

detective controls.

The correct answer is: preventive controls.

Proper segregation of duties is a control designed to prevent threats, errors and

irregularities by separating the incompatible functions of authorization, execution,

recording, and custody of assets between four people.

Q86:

Sandy opens an e-mail that she doesn't realize contains a line of code that enters the

company LAN via her computer. Three days later, all the data files on the LAN and

everybody's computers are erased. This is an example of

a prototype.

a computer virus.

a computer spam.

r

r

r

r

r

r

r

r

r

r

a Trojan horse.

The correct answer is: a computer virus.

A computer virus can move through a network deleting or altering files before it is even

detected. Computer viruses have become a concern to companies.

Q87:

Many organizations participating in e-commerce have serious concerns about security,

therefore a new subdiscipline, internet assurance services, has evolved. Its main objective is

to

provide value to data being transmitted by making it secure.

provide assurance that electronic data transmissions reach their destinations and on

time.

insure against fraud and hackers by charging a fee per transmitted transaction.

provide assurances that web sites are reliable and transaction security is reasonable.

The correct answer is: provide assurances that web sites are reliable and transaction security

is reasonable.

Internet assurance is a service of providing a limited assurance to users of the vendor's web

site that the site is reliable and event data security is reasonable

Q88:

During the audit of inventory, an internal auditor suspects that the stores clerk may be

stealing inventory. What is the best way for the internal auditor to proceed?

Consult ethics policy.

Interview the stores clerk to determine if they stole the inventory.

Consult with senior management to determine the best application of company policy.

Consult with legal counsel for advice regarding local laws.

The correct answer is: Consult ethics policy

r

r

r

r

r

r

r

r

r

Since this is an ethical issue, the auditor should first consult the company’s ethics policy and

if the matter is still unresolved, he or she should then discuss with the store clerk’s

immediate supervisor.

Q89:

Which one of the following represents a weakness in the internal control system of an

electronic data processing system?


The accounts receivable clerk prepares and enters data into the computer system and

reviews the output for errors.

The systems analyst designs new systems and supervises testing of the system.

The data control group reviews and tests procedures and handles the reprocessing of

errors detected by the computer.

The computer operator executes programs according to operating instructions and

maintains custody of programs and data files.

The computer operator executes programs according to operating instructions and

maintains custody of programs and data files. A weakness in the internal control system of

an electronic data processing system is a computer operator executing programs according

to operating instructions and maintains custody of programs and data files.

Q90:

Which of the following is not a function of an internal auditor?

Verifying that transactions are correctly recorded

Verifying that the computer system controls are effective

Verifying that laws and regulations are followed

Verifying that management compensation is reasonable

r

r

r

r

r

r

r

r

The correct answer is: Verifying that management compensation is reasonable

The auditor is not responsible for judging the reasonableness of executive compensation,

only for verifying that it is recorded and reported accurately.

Q91:

What is the role of the PCAOB in providing guidance on the auditing of internal controls?

The PCAOB is responsible for the setting of standards for audits of privately held

corporations.

The PCAOB is responsible for the setting of standards for audits of governmental

organizations.

The PCAOB is responsible for the setting of standards for audits of both publicly held

and privately held corporations

The PCAOB is responsible for the setting of standards for audits of publicly held

corporations.

The correct answer is: The PCAOB is responsible for the setting of standards for audits of

publicly held corporations.

The Public Company Accounting Oversight Board (PCAOB) is a private sector, nonprofit

corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the auditors of (public)

companies in order to protect the interests of investors and further the public interest in the

preparation of informative, fair and independent audit reports. The Act required that

auditors of U.S. companies be subject to external and independent oversight for the first

time in history. Previously, the profession was self-regulated.

Q92:

Segregation of duties is a fundamental concept in an effective system of internal control.

Nevertheless, the internal auditor must be aware that this safeguard can be compromised

through

irregular employee reviews.

lack of training of employees.

absence of internal auditing.

r

r

r

r

r

r

r

collusion among employees.

The correct answer is: collusion among employees.

Effective segregation of duties means that no single employee has control over

authorization, recording and custody. If two or more employees are in collusion, these

controls can be overridden.

Q93:

Processing controls provide reasonable assurance that only approved data are processed.

Which of the following controls is not a processing control?

Sequence checks

Completeness checks

Error report

Run-to-run totals

The correct answer is: Error report

Completeness checks, sequence checks, and run-to-totals are all processing controls. Error

reports are an output control.

Q94:

Online access controls are critical for the successful operation of today's computer systems.

To assist in maintaining control over such access, many systems use tests that are

maintained through an internal access control matrix which consists of

a list of controls in the online system and a list of those individuals authorized to

change and adjust these controls along with a complete list of files in the system.

authorized user code numbers, passwords, lists of all files and programs, and a record

of the type of access each user is entitled to have to each file and program.

a complete listing of system tests and the applicable programs.

authorized user code numbers and passwords.

r

r

r

r

r

r

r

r

r

The correct answer is: authorized user code numbers, passwords, lists of all files and

programs, and a record of the type of access each user is entitled to have to each file and

program.

An access control mechanism defines object and action privileges for a user. Object

privileges define the resources the user may access. Action privileges define what the user

may do with a resource. Access controls often employ user ID codes and passwords.

Q95:

Which one of the following statements about an accounting information system (AIS)

is incorrect?

AIS is best suited to solve problems where there is great uncertainty and ill-defined

reporting requirements.

The information produced by AIS is made available to all levels of management for use

in planning and controlling an organization's activities.

AIS supports day-to-day operations by collecting and sorting data about an

organization's transactions.

AIS is a subsystem of the management information system.

The correct answer is: AIS is best suited to solve problems where there is great uncertainty

and ill-defined reporting requirements.

A decision support system, not an accounting information system (AIS), is best suited to

solve problems where there is great uncertainty and ill-defined reporting requirements.

Q96:

The most critical aspect of the separation of duties within a mainframe information systems

environment is between

programmers and users.

programmers and project leaders.

programmers and computer operators.

r

r

r

r

r

r

r

programmers and systems analysts.

The correct answer is: programmers and computer operators.

The IT (information technology) function should be separate from the other functional areas

in the organization. In addition, within IT, there should be a separation between

programmers/analysts, operations, and technical support. Separation of programmers from

computer operators is critical.

Q97:

The Sarbanes-Oxley Act of 2002 (SOX) established increased requirements for audit

committees. These requirements include all of the following except:

the audit committee must have at least one financial expert.

the audit committee must consist of independent directors.

the CEO of the company can be a member of the audit committee.

the audit committee is responsible for selecting the external auditor.

The correct answer is: The CEO of the company can be a member of the audit committee.

Audit committees need independent directors with sophisticated financial backgrounds. The

Sarbanes-Oxley Act of 2002 (SOX) requires that the audit commi�ee consist entirely of

directors who are independent of the issuer, meaning that they cannot accept any

consulting, advisory, or other compensatory fee from the issuer or be affiliated with the

issuer or any of its subsidiaries. At least one of the audit committee members should qualify

as a “financial expert.”

Q98:

During the annual review of internal controls in the HR department, an internal auditor may

complete all of the following procedures to confirm the existence of adequate policies and

procedures except

inspect documents.

limit access to confidential data.

confirm proper segregation of duties.

r

r

r

r

r

r

r

r

review job descriptions.

The correct answer is: limit access to confidential data

Evidence gathered by auditors is called primary evidence and might be gathered by

observation, surveys, interviews, inspection of documents (cancelled checks to verify

disbursements, timecards to verify hours worked, and so on), or other means.

Q99:


components. An organization’s management philosophy and ethical values is a part of the


risk assessment.

control environment.

Monitoring.

The correct answer is: Control environment

The control environment refers to the organization’s management philosophy and appetite

for risk, and includes integrity, ethical values, and the environment in which an organization

operates.

Q100:

In planning an audit, the auditor considers audit risk. Audit risk is the

risk that a material error in an account will not be prevented or detected on a timely

basis by the client's internal control system.

susceptibility of an account balance to material error assuming the client does not have

any related internal control.

risk that the auditor's procedures for verifying account balances will not detect a

material error when in fact such error exists.

risk that the auditor may unknowingly fail to appropriately modify his opinion on

r

r

r

r

r

r

r

r

r

financial statements that are materially misstated.

The correct answer is: risk that the auditor may unknowingly fail to appropriately modify his

opinion on financial statements that are materially misstated.

Audit risk is the probability of an audit failure. An audit failure occurs when the auditor’s

opinion states that the financial statements “fairly present, in all material respects, in

accordance with GAAP (Generally Accepted Accounting Principles)” when, in fact, they are

materially misstated.

Q101:

If a corporation may be violating federal and state laws governing environmental concerns,

which one of the following types of audit will best assist in ascertaining whether such

situations may exist?


Financial audit.

Operational audit.

Management Audit.

Compliance Audit.

Compliance Audit. The type of audit that will assist an auditor in determining whether or not

a corporation may be violating federal and state laws governing environmental concerns is a

Compliance Audit.

Q102:

Which of the following provides protection from unauthorized use of databases?

Data encryption

Input entry screens with validity checks

File transfer protocol

r

r

r

r

r

r

r

Storing the data center in a secured area

The correct answer is: Data encryption

Data encryption protects data while it is stored and while it is being transmitted. Locating

the data center in a secured area protects hardware, not access to programs and data. File

transfer protocol is a standard method of transferring files over the Internet, and it does not

protect data from unauthorized use unless transmitted data is encrypted. Input entry

screens with validity checks are effective controls for accuracy of input but do not protect

programs or the system from unauthorized use.

Q103:

An inherent risk specifically related to conducting business over the internet includes:

exposure to viruses

website denial of service attack

unauthorized access by hackers, exposure to viruses, and website denial of service

attacks.

unauthorized access by hackers.

The correct answer is: unauthorized access by hackers, exposure to viruses, and website

denial of service attacks.

The Internet has introduced risks to computer systems that do not exist on private networks.

Among the threats is a greatly increased risk of unauthorized access, as hackers have grown

both numerous and more sophisticated in their attacks. Internet presence also exposes

systems to “malware”—including viruses, worms, spyware, spam, and Trojan horses.

Q104:

Which one of the following would most compromise the use of the grandfather-father-son

principle of file retention as protection against loss or damage of master files?

Use of magnetic tape.

Inadequate ventilation.

r

r

r

r

r

r

r

Storing of all files in one location.

Failure to encrypt data.

The correct answer is: Storing of all files in one location.

Storing all files in one location undermines the concept of multiple backups inherent in the

grandfather-father-son principle.

Q105:

There are three components of audit risk: inherent risk, control risk, and detection risk.

Inherent risk is

the risk that a material misstatement that could occur in an assertion will not be

prevented or detected on a timely basis by the entity's internal control structure

policies or procedures.

the risk that the auditor will not detect a material misstatement that exists in an

assertion.

the risk that the auditor may unknowingly fail to appropriately modify his or her

opinion on financial statements that are materially misstated.

the susceptibility of an assertion to a material misstatement, assuming that there are

no related internal control structure policies or procedures.

The correct answer is: the susceptibility of an assertion to a material misstatement,

assuming that there are no related internal control structure policies or procedures.

Inherent risk is the probability of an error or irregularity causing a material misstatement in

an assertion. This is also referred to as the probability that a threat to the system will occur.

Q106:


components. An organization’s ongoing management activities, evaluations, and internal

audits are a part of

monitoring.

risk assessment.


r

r

r

r

r

r

r

r

r

control environment.

The correct answer is: Monitoring

Monitoring is accomplished through ongoing management activities, separate evaluations,

or both. Internal auditors, the audit committee, and the disclosure committee, as well as

management, may all be involved in monitoring controls.

Q107:

Effective controls designed to catch errors and improve the accuracy of data processing in

batches before new information is written to the master file includes all of the following

except:

A record count

A control total

A hash total

A check digit

The correct answer is: A check digit

A check digit is an input control used during the data entry process of an individual record.

The other three items are all examples of batch input controls.

Q108:

The internal auditors should report all of the following control breakdowns or risks to

management except for:

Penetration of information security

Illegal acts

Immaterial weaknesses

Fraud

The correct answer is: Immaterial weaknesses

r

r

r

r

r

r

r

r

r

The internal auditors should report fraud, material weaknesses, illegal acts and any

penetration of information security.

Q109:

A data backup

should be run every day but is not helpful in the event of a data loss due to a computer

virus.

helps recover data after data losses but is done only if a company has a very large

database of information to recover.

helps prevent hacking and should be run on a daily basis.

helps recover data after data loss due to viruses, natural disasters, and hardware

failures and should be run on a daily basis.

The correct answer is: helps recover data after data loss due to viruses, natural disasters,

and hardware failures and should be run on a daily basis.

A data backup should be run on a daily basis. It is necessary for any business with stored

data and helps with recovery regardless of how data is lost. A data backup does not prevent

hacking.

Q110:

Internal auditors can evaluate the effectiveness of internal controls over the revenue and

cash collection process by completing all of the tasks except:

verify information in the sales journal and on sales invoices.

reconcile the accounts payable detail to the general journal.

reconcile accounts receivable detail with the general ledger.

send confirmations to customers requesting current account balances

The correct answer is: reconcile the accounts payable detail to the general journal.

Reconciling the accounts payable detail to the general ledger would be appropriate to an

audit of the cash disbursements process. The other activities mentioned are appropriate to

an audit of revenue and cash collection processes.

r

r

r

r

r

r

r

r

Q111:

In order to properly segregate duties, which function within the computer department

should be responsible for reprocessing the errors detected during the processing of data?


Data control group.

Systems analyst.

Department manager.

Computer programmer.

Data control group. To properly segregate duties, the data control group should be

responsible for reprocessing the errors detecting during the processing of data within the

computer department.

Q112:

Edit checks in a computerized accounting system

should be performed on transactions prior to updating a master file.

are preventive controls.

should be performed immediately prior to output distribution.

are easier to install after a system is operational.

The correct answer is: should be performed on transactions prior to updating a master file.

Edit checks are executed upon data entry. Their purpose is to detect and correct problems in

data input. They are performed upon data entry prior to updating a file to assure accuracy of

the update. The edit checks prevent the phenomenon of “garbage in, garbage out.”

Q113:

Under the Sarbanes-Oxley Act of 2002, companies are now required to implement an�-fraud

programs and controls that they evaluate on an annual basis as part of their integrated

r

r

r

r

r

r

r

r

audit. A common component of such anti-fraud programs and controls is the effective

design and implementation of codes of ethics and conduct. Which one of the following

is not a characteristic of the operating effectiveness of a code of conduct?

The existence of a plan to communicate the code of conduct to all (or covered)

employees of the company

Audit committee involvement and oversight of non-compliance with the company's

code of conduct

The existence of an appropriate "hot-line" or whistle blowing to report any violations

with the company's code of conduct

Lack of employee training in the company's code of conduct upon hiring and

periodically thereafter

The correct answer is: Lack of employee training in the company's code of conduct upon

hiring and periodically thereafter.

Lack of employee training in the company's code of conduct upon hiring and periodically

thereafter is not a characteristic of operating effectiveness of a code of conduct.

Q114:

Which of the following is not a requirement regarding a company's system of internal

control under the Foreign Corrupt Prac�ces Act of 1977?

Management must annually assess the effectiveness of its system of internal control.

Transactions are executed in accordance with management's general or specific

authorization.

Transactions are recorded as necessary (1) to permit prepara�on of financial

statements in conformity with GAAP or any other criteria applicable to such

statements, and (2) to maintain accountability for assets.

The recorded accountability for assets is compared with the existing assets at

reasonable intervals, and appropriate action is taken with respect to any differences.

The correct answer is: Management must annually assess the effectiveness of its system of

internal control.

Management’s annual assessment of internal control is not a requirement of the Foreign

r

r

r

r

r

r

r

r

Corrupt Prac�ces Act. It became a requirement with the passage of the 2002 Sarbanes-Oxley

Act.

Q115:

Which of the following are provisions of the Sarbanes-Oxley Act?

I. The board of directors of an issuer must appoint an audit committee.

II. Management must certify financial statements.

III. Management must provide a written report on the effectiveness of internal control

procedures within 90 days of the publica�on of the annual report.

IV. A public accounting firm may not audit the books of an issuer of public securities if any

officer or director of the issuer was employed by the public accounting firm and participated

in any audit activity with the issuer within one year.

II and IV only

I, II, III, and IV

IV only

I, II, and IV only


All of the listed requirements are provisions of the Sarbanes-Oxley Act.

Q116:

Ellen is processing a group of transactions and indicates as she begins running the program

that there are 15 transac�ons in the batch, totaling $150,000 in orders. This batch control is

related to all of the following except


an input control.


an output control.

r

r

r

r

r

r

r

r

The correct answer is: a program access control.

Processing controls are often interdependent with input and output controls. Processing

controls are checks that are run by the computer program while it processes the data to

verify that the information is accurate. In this example, the computer system will re-verify

that the batch was input properly. The output controls would tie the batch back to the input.

Q117:

Consider the following types of controls.

I. Preventive

II. Corrective

III. Feedback

IV. Feedforward

V. Detective

Which one of the following groups of controls are generally considered the most cost-

effective controls?


I, III, and V.

III, IV, and V.

I, II, and V.

I, II, and III.

I, II, and IV. The most cost-effective controls to implement in an accounting information

system is preventative, corrective, and detective controls.

Q118:

Disaster recovery policies and procedures are designed to enable a company to carry on

business in the event of an unplanned disaster where the business would not be able to

function normally. A company’s disaster recovery plan should include all of the following

except:

appoint a primary leader for the process.

specify backup sites for alternate computer processing.

r

r

r

r

r

r

define the roles of all members of the disaster recovery team.

document all processing and output controls.

The correct answer is: document all processing and output controls.

Disaster recovery policies and procedures—also called business continuance plans—are

designed to enable the firm to carry on business in the event that an emergency, such as a

natural disaster, disrupts normal function. A company’s disaster recovery plan should define

the roles of all members of the disaster recovery team, appointing both a primary leader and

an alternate leader for the process. The plan should specify backup sites for alternate

computer processing.

Q119:

The principal impetus for the enactment of the Foreign Corrupt Act by the U.S. Congress was

to


promote the mandates issued by the United Nations with regard to global trade

between its member nations.

discourage unethical behavior by foreigners employed by U.S. firms.

require mandatory documentation of the evaluation of internal controls by the

independent auditors.

prevent the bribery of foreign officials by U.S. firms seeking to do business overseas.

Prevent the bribery of foreign officials by U.S. firms seeking to do business overseas. The

enactment of the Foreign Corrupt Act by the U.S. Congress was implemented to prevent the

bribery of foreign officials by U.S. firms seeking to do business overseas.

Q120:

Of the following, the primary objective of compliance testing is to determine whether

procedures are regularly updated.

r

r

r

r

r

r

r

financial statement line items are properly stated.

controls are functioning as planned.

collusion is taking place.

The correct answer is: controls are functioning as planned.

A compliance audit is a review of controls to see how they conform with established laws,

standards, and procedures.

Q121:

The objective of a disaster recovery plan is to

provide for continuing business in the event of an emergency that results in the

inability to use the facility or the data center.

set forth procedures to follow if the building needs to be evacuated in the event of a

disaster.

provide a plan in the event of a union strike when there are no operators for the data

and processing systems.

provide protection against losses during times of severe recession.

The correct answer is: provide for continuing business in the event of an emergency that

results in the inability to use the facility or the data center.

The objective of a disaster recovery plan is to provide for continuing business in the event of

an emergency that results in the inability to use the facility or the data center.

Q122:

A public corporation that must meet the provisions of the Foreign Corrupt Practices Act of

1977 should have a compliance program that includes all of the following steps except


documentation of the corporation’s existing internal accounting control systems.

r

r

r

r

r

r

r

r

an authorized and properly signed agreement that it will abide by the Act.

a system of quality checks to evaluate the internal accounting control system.

a cost/benefit analysis of the controls and the risks that are being minimized.

An authorized and properly signed agreement that it will abide by the Act. A compliance

program to meet the provisions provided in the Foreign Corrupt Prac�ces Act of 1977

include documentation of the corporation’s existing internal accounting control systems, a

cost/benefit analysis of the controls and the risks that are being minimized, and a system of

quality checks to evaluate the internal accounting control system.

Q123:

Which one of the following types of audits would be most likely to focus on objectives

related to the efficient use of resources?


Independent audit.

Operational audit.

Compliance audit.

Information systems audit.

The type of audit that would focus on the objectives related to the efficient use of resources

is an operational audit.

r

r

r

r

r

r

r

Section D Internal Controls P1

Documents

Transcript of Section D Internal Controls P1