Terms

Definitions

What is one reason why AIS threats are

B) Many companies do not realize that

increasing?

data security is crucial to their survival

A) LANs and client/server systems are

easier to control than centralized,
mainframe systems.
B) Many companies do not realize that
data security is crucial to their survival.
C) Computer control problems are often
overestimated and overly emphasized by
management.
D) Many companies believe that
protecting information is a strategic
requirement
Which of the following is not one of the

A) Monitoring

risk responses identified in the COSO

Enterprise Risk Management Framework?
A) Monitoring
B) Avoidance
C) Acceptance
D) Sharing
A control procedure designed so that the
employee that records cash received from
customers does not also have access to
the cash itself is an example of a(n)
A) preventive control.

A) preventive control.

B) detective control.
C) corrective control.
D) authorization control.
At a movie theater box office, all tickets

A) Some customers presented tickets

are sequentially prenumbered. At the end

purchased on a previous day when there

of each day, the beginning ticket number

wasn't a ticket taker at the theater

is subtracted from the ending number to

entrance (so the tickets didn't get torn.)

calculate the number of tickets sold.

Then, ticket stubs collected at the theater
entrance are counted and compared with
the number of tickets sold. Which of the
following situations does this control
detect?
A) Some customers presented tickets
purchased on a previous day when there
wasn't a ticket taker at the theater
entrance (so the tickets didn't get torn.)
B) A group of kids snuck into the theater
through a back door when customers left
after a show.
C) The box office cashier accidentally
gives too much change to a customer.
D) The ticket taker admits his friends
without tickets.
At a movie theater box office, all tickets

C) The box office cashier accidentally gives too m

are sequentially prenumbered. At the end

change to a customer.

of each day, the beginning ticket number

is subtracted from the ending number to

calculate the number of tickets sold. Cash
is counted and compared with the
number of tickets sold. Which of the
following situations does this control
detect?
A) Some customers presented tickets
purchased on a previous day when there
wasn't a ticket taker at the theater
entrance (so the tickets didn't get torn.)
B) A group of kids snuck into the theater
through a back door when customers left
after a show.
C) The box office cashier accidentally
gives too much change to a customer.
D) The ticket taker admits his friends
without tickets.
Which of the following is an example of a

A) approving customer credit prior to approving

preventive control?

a sales order

A) approving customer credit prior to

approving a sales order
B) reconciling the bank statement to the
cash control account
C) counting inventory on hand and
comparing counts to the perpetual
inventory records
D) maintaining frequent backup records to
prevent loss of data

Independent checks on performance

A) data input validation checks

include all the following except

A) data input validation checks.
B) reconciling hash totals.
C) preparing a trial balance report.
D) supervisor review of journal entries
and supporting documentation
A computer operator is allowed to work as

A) Yes, the computer operator could alter the pa

a programmer on a new payroll software

program to increase her salary.

project. Does this create a potential

internal control problem?
A) Yes, the computer operator could alter
the payroll program to increase her salary.
B) Yes, this is a potential problem unless
the computer operator is supervised by
the payroll manager.
C) No, ideal segregation of duties is not
usually possible, and operators are often
the best at programming changes and
updates.
D) No, as long as the computer operator
separately accounts for hours worked in
programming and in operations.
) One of the objectives of the segregation

A) make sure that different people handle differe

of duties is to

parts of the same transaction

A) make sure that different people handle

different parts of the same transaction.

B) ensure that no collusion will occur.

C) make sure that different people handle
different transactions.
D) achieve an optimal division of labor for
efficient operations
Pam is a receptionist for Dunderhead

A) Integrity and ethical values

Paper Co., which has strict corporate

policies on appropriate use of corporate
resources. The first week of August, Pam
saw Michael, the branch manager, putting
pencils, pens, erasers, paper and other
supplies into his briefcase on his way out
the door. This situation best reflects a
weakness in which aspect of internal
environment, as discussed in the COSO
Enterprise Risk Management Framework?
A) Integrity and ethical values
B) Risk management philosophy
C) Restrict access to assets
D) Methods of assigning authority and
responsibility
Which of the following statements is true?

A) Internal auditors, rather than external auditor

A) Internal auditors, rather than external

can conduct evaluations of effectiveness of

auditors, can conduct evaluations of

Enterprise Risk Management processes

effectiveness of Enterprise Risk

Management processes.
B) Re-adding the total of a batch of

invoices and comparing the total with the

first total you calculated is an example of
an independent check.
C) Requiring two signatures on checks
over $20,000 is an example of
segregation of duties.
D) Although forensic specialists utilize
computers, only people can accurately
identify fraud.
Of the following examples of fraud, which
will be the most difficult to prevent and
detect? Assume the company enforces
adequate segregation of duties.
A) Jim issues credit cards to him and
Marie, and when the credit card balances
are just under $1,000, Marie writes off the
accounts as bad debt. Jim then issues new
cards.
B) An employee puts inventory behind the
dumpster while unloading a vendor's
delivery truck, then picks up the inventory
later in the day and puts it in her car.
C) A mail room employee steals a check
received from a customer and destroys
the documentation.
D) The accounts receivable clerk does not
record sales invoices for friends or family,
so they can receive free goods.

A) Jim issues credit cards to him and Marie,

and when the credit card balances

are just under $1,000, Marie writes off the acco

bad debt.
Jim then issues new cards.

Go-Go Corporation, a publicly traded

A) increases the risk associated with an audit

company, has three brothers who serve

as President, Vice President of Finance
and CEO. This situation
A) increases the risk associated with an
audit.
B) must be changed before your audit
firm could accept the audit engagement.
C) is a violation of the Sarbanes-Oxley
Act.
D) violates the Securities and Exchange
Act.
Which of the following is a control related

A) Sequentially prenumbering sales invoices

to design and use of documents and

records?
A) Sequentially prenumbering sales
invoices
B) Comparing physical inventory counts
with perpetual inventory records
C) Reconciling the bank statement to the
general ledger
D) Locking blank checks in a drawer or
safe
Which of the following duties could be

A) Approving accounting software change reque

performed by the same individual without

testing production scheduling software changes

violating segregation of duties controls?

A) Approving accounting software change

requests and testing production

scheduling software changes
B) Programming new code for accounting
software and testing accounting software
upgrades
C) Approving software changes and
implementing the upgraded software
D) Managing accounts payable function
and revising code for accounting software
to more efficiently process discount due
dates on vendor invoices
With a limited work force and a desire to

D) Entering payments to vendors in the cash dis

maintain strong internal control, which

journal and entering cash received

combination of duties would result in the

from customers in the cash receipts journal

lowest risk exposure?

A) Updating the inventory subsidiary
ledgers and recording purchases in the
purchases journal
B) Approving a sales return on a
customer's account and depositing
customers' checks in the bank
C) Updating the general ledger and
working in the inventory warehouse
D) Entering payments to vendors in the
cash disbursements journal and entering
cash received from customers in the cash
receipts journal

Which of the following is not a factor of

A) Analyzing past financial performance and rep

internal environment according to the

COSO Enterprise Risk Management
Framework?
A) Analyzing past financial performance
and reporting
B) Providing sufficient resources to
knowledgeable employees to carry out
duties
C) Disciplining employees for violations of
expected behavior
D) Setting realistic targets for long-term
performance
Which of the following suggests a
weakness in a company's internal

D) Formal employee performance evaluations

are prepared every three years

environment?
A) The audit committee regularly meets
with the external auditors.
B) The Board of Directors is primarily
independent directors.
C) The company has an up-to-date
organizational chart.
D) Formal employee performance
evaluations are prepared every three
years
Which of the following statements about
internal environment is false?

A) Management's attitudes toward

internal control and ethical behavior have only

A) Management's attitudes toward

minimal impact on employee beliefs or actions

internal control and ethical behavior have

only minimal impact on employee beliefs
or actions.
B) Supervision is especially important in
organizations that cannot afford elaborate
responsibility reporting or are too small to
have adequate segregation of duties.
C) An overly complex or unclear
organizational structure may be indicative
of more serious problems.
D) A written policy and procedures
manual is an important tool for assigning
authority and responsibility.
Which of the following is not a reason for

C) Increasing efficiency resulting from more auto

the increase in security problems for AIS?

A) Confidentiality issues caused by
interlinked inter-company networks
B) Difficult to control distributed
computing networks
C) Increasing efficiency resulting from
more automation
D) Increasing numbers of information
systems and users
One reason why many organizations do

B) productivity and cost cutting cause managem

not adequately protect their systems is

to forgo implementing and maintaining internal

because

A) control problems may be

overestimated by many companies.
B) productivity and cost cutting cause
management to forgo implementing and
maintaining internal controls.
C) control technology has not yet been
developed.
D) all of the above
The process that a business uses to

B) internal control

safeguard assets, provide accurate and

reliable information, and promote and
improve operational efficiency is known
as
A) a phenomenon.
B) internal control.
C) an AIS threat.
D) a preventive control.
Safeguarding assets is one of the control
objectives of internal control. Which of the
following is not one of the other control
objectives?
A) providing accurate and reliable
information
B) promoting operational efficiency
C) ensuring that no fraud has occurred
D) encouraging adherence to
management policies

C) ensuring that no fraud has occurred

Internal control is often referred to as a(n)

C) process

________, because it permeates an

organization's operating activities and is
an integral part of management
activities.
A) event
B) activity
C) process
D) system
Which of the following is accomplished by

D) All of the above are accomplished by correcti

corrective controls?
A) Identify the cause of the problem.
B) Correct the resulting errors.
C) Modify the system to prevent future
occurrences of the problem.
D) All of the above are accomplished by
corrective controls
Duplicate checking of calculations is an
example of a ________ control, and
procedures to resubmit rejected
transactions is an example of a ________
control.
A) corrective; detective
B) detective; corrective
C) preventive; corrective
D) detective; preventive

B) detective; corrective

What is not a corrective control

B) Deter problems before they arise

procedure?
A) Identify the cause of a problem.
B) Deter problems before they arise.
C) Correct resulting errors or difficulties.
D) Modify the system so that future
problems are minimized or eliminated
________ controls are designed to make

C) General

sure an organization's control

environment is stable and well managed.
A) Application
B) Detective
C) General
D) Preventive
________ controls prevent, detect and

A) Application

correct transaction errors and fraud.

A) Application
B) Detective
C) General
D) Preventive
A(n) ________ helps employees act
ethically by setting limits beyond which
an employee must not pass.
A) boundary system
B) diagnostic control system
C) interactive control system

A) boundary system

D) internal control system

A(n) ________ measures company progress

B) diagnostic control system

by comparing actual performance to

planned performance.
A) boundary system
B) diagnostic control system
C) interactive control system
D) internal control system
A(n) ________ helps top-level managers

C) interactive control system

with high-level activities that demand

frequent and regular attention.
A) boundary system
B) diagnostic control system
C) interactive control system
D) internal control system
The COSO Enterprise Risk Management

C) compliance with federal, state, or local laws

Framework includes eight components.

Which of the following is not one of
them?
A) control environment
B) risk assessment
C) compliance with federal, state, or local
laws
D) monitoring
Which of the following is not one of the

D) Event assessment

eight interrelated risk and control

components of COSO Enterprise Risk
Management Framework?
A) Internal environment
B) Monitoring
C) Risk response
D) Event assessment
The COSO Enterprise Risk Management
Integrated Framework stresses that
A) risk management activities are an

A) risk management activities are an inherent pa

business operations and should be considered
during strategy setting

inherent part of all business operations

and should be considered during strategy
setting.
B) effective risk management is
comprised of just three interrelated
components; internal environment, risk
assessment, and control activities.
C) risk management is the sole
responsibility of top management.
D) risk management policies, if enforced,
guarantee achievement of corporate
objectives
Which of the following would be

D) All of the above statements would raise "red

considered a "red flag" for problems with

if answered "yes."

management operating style if the

question were answered "yes"?
A) Does management take undue

business risks to achieve its objectives?

B) Does management attempt to
manipulate performance measures such
as net income?
C) Does management pressure
employees to achieve results regardless
of the methods?
D) All of the above statements would
raise "red flags" if answered "yes."
Which component of the COSO Enterprise

A) Information and communication

Risk Management Integrated Framework

is concerned with understanding how
transactions are initiated, data are
captured and processed, and information
is reported?
A) Information and communication
B) Internal environment
C) Event identification
D) Objective setting
The COSO Enterprise Risk Management
Integrated Framework identifies four
objectives necessary to achieve corporate
goals. Objectives specifically identified
include all of the following except
A) implementation of newest
technologies.
B) compliance with laws and regulations.

A) implementation of newest technologies

C) effective and efficient operations.

D) reliable reporting.
The audit committee of the board of

C) provides a check and balance on managemen

directors
A) is usually chaired by the CFO.
B) conducts testing of controls on behalf
of the external auditors.
C) provides a check and balance on
management.
D) does all of the above.
The definition of the lines of authority and

B) organizational structure

responsibility and the overall framework

for planning, directing, and controlling is
laid out by the
A) control activities
B) organizational structure
C) budget framework
D) internal environment
Reducing management layers, creating
self-directed work teams, and
emphasizing continuous improvement are
all related to which aspect of internal
environment?
A) Organizational structure
B) Methods of assigning authority and
responsibility

A) Organizational structure

C) Management philosophy and operating

style
D) Commitment to competence
Personnel policies such as background

B) employee fraud or embezzlement

checks, mandatory vacations, and

rotation of duties tend to deter
A) unintentional errors.
B) employee fraud or embezzlement.
C) fraud by outsiders.
D) disgruntled employees
The SEC and FASB are best described as

C) internal environment

external influences that directly affect an

organization's
A) hiring practices.
B) philosophy and operating style.
C) internal environment.
D) methods of assigning authority
Which attribute below is not an aspect of
the COSO ERM Framework internal
environment?
A) Enforcing a written code of conduct
B) Holding employees accountable for
achieving objectives
C) Restricting access to assets
D) Avoiding unrealistic expectations

C) Restricting access to assets

The amount of risk a company is willing to

C) Risk appetite

accept in order to achieve its goals and

objectives is
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
The risk that remains after management

B) Residual risk

implements internal controls is

A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
The risk that exists before management

A) Inherent risk

takes any steps to control the likelihood or

impact of a risk is
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
When undertaking risk assessment, the
expected loss is calculated like this.
A) Impact times expected loss
B) Impact times likelihood
C) Inherent risk times likelihood
D) Residual risk times likelihood

B) Impact times likelihood

Generally in a risk assessment process,

A) identify the threats that the company current

the first step is to

A) identify the threats that the company
currently faces.
B) estimate the risk probability of
negative events occurring.
C) estimate the exposure from negative
events.
D) identify controls to reduce all risk to
zero
Store policy that allows retail clerks to

A) general authorization

process sales returns for $300 or less,

with a receipt dated within the past 60
days, is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization
Corporate policy that requires a
purchasing agent and purchasing
department manager to sign off on asset
purchases over $1,500 is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization

B) specific authorization

A document that shows all projects that

D) strategic master plan

must be completed and the related IT

needs in order to achieve long-range
company goals is known as a
A) performance evaluation.
B) project development plan.
C) data processing schedule.
D) strategic master plan
A ________ is created to guide and oversee

C) steering committee

systems development and acquisition.

A) performance evaluation
B) project development plan
C) steering committee
D) strategic master plan
The organization chart for Geerts

A) Assigning the programming and operating

Corporation includes a controller and an

of the computer system to an independent contr

information processing manager, both of

whom report to the vice president of
finance. Which of the following would be a
control weakness?
A) Assigning the programming and
operating of the computer system to an
independent control group which reports
to the controller
B) Providing for maintenance of input data
controls by an independent control group
which reports to the controller

which reports to the controller

C) Periodically rotating assignment of

application processing among machine
operators, who all report to the
information processing manager
D) Providing for review and distribution of
system-generated reports by an
independent control group which reports
to the controller
Chuck Hewitt was relaxing after work with

D) diagnostic control system

a colleague at a local watering hole. Well

into his second martini, he began
expressing his opinions about his
company's budgeting practices. It seems
that, as a result of "budget handcuffs"
that require managers to explain material
deviations from budgeted expenditures,
his ability to creatively manage his
department's activities have been
curtailed. The level of control that the
company is using in this case is a
A) boundary system.
B) belief system.
C) interactive control system.
D) diagnostic control system.
Chuck Hewitt was relaxing after work with
a colleague at a local watering hole. Well

A) boundary system

into his second martini, he began

expressing his opinions about his work
environment. It seems that, as a result of
"feminazi" interference, the suggestive
banter that had been prevalent in the
workplace during his youth was no longer
acceptable. He even had to sit through a
sexual harassment workshop! The level of
control that the company is using in this
case is a
A) boundary system.
B) belief system.
C) interactive control system.
D) diagnostic control system.
FranticHouse Partners, L.L.C., does home

B) shared.

remodeling and repair. All employees are

bonded, so the firm's risk exposure to
employee fraud is
A) reduced.
B) shared.
C) avoided.
D) accepted.
FranticHouse Partners, L.L.C., does home
remodeling and repair. The firm does not
accept jobs that require the installation of
slate or copper roofing because these

C) avoided

materials often require costly postinstallation services. The firm's risk

exposure to costly post-installation
services is
A) reduced.
B) shared.
C) avoided.
D) accepted
Which of the following is an independent

C) The General Manager compares budgeted am

check on performance?

with expenditure records from all departments

A) The Purchasing Agent physically

reviews the contents of shipments and
compares them with the purchase orders
he has placed.
B) Production teams perform quality
evaluations of the products that they
produce.
C) The General Manager compares
budgeted amounts with expenditure
records from all departments.
D) Petty cash is disbursed by Fred
Haynes. He also maintains records of
disbursements, places requests to finance
to replace expended funds, and
periodically reconciles the petty cash
balance

Change management refers to

A) disbursement controls on petty cash.

D) controls designed to ensure that updates in in

technology do not have negative consequences

B) operational controls applied to

companies after mergers or acquisitions.
C) replacement of upper management
and their introduction to the organization.
D) controls designed to ensure that
updates in information technology do not
have negative consequences.
According to the ERM, these help the

A) Compliance objectives

company address all applicable laws and

regulations.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
According to the ERM, high level goals

D) strategic objectives

that are aligned with and support the

company's mission are
A) compliance objectives.
B) operations objectives.
C) reporting objectives.
D) strategic objectives
According to the ERM, these deal with the
effectiveness and efficiency of company
operations, such as performance and

B) Operations objectives

profitability goals.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
According to the ERM, these objectives

C) Reporting objectives

help ensure the accuracy, completeness

and reliability of internal and external
company reports.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
Which of the following is not a risk

D) Adequate casualty insurance

reduction element of a disaster recovery

plan?
A) Identification of alternate work site
B) Off-site storage of backup files and
programs
C) Documentation of procedures and
responsibilitie
D) Adequate casualty insurance
Internal control control objectives 7

1. Safeguard assets
2. maintain records accurately and fairly
3.provide accurate and reliable information

4.prepare financial reports in accordance with es

criteria
5.promote and improve operational efficiency

6.encourage adherence to prescribed manageria

7.Comply with applicable laws and regulations
Functions of internal controls

1.preventive controls- deter problems before the

(segregating employee duties)

2.detective controls- discover problems that are

not prevented (monthly trial balances)

3.corrective controls-identify and correct problem

(resubmitting transactions for subsequent proce

Internal control categories

1.general controls-make sure an organizations c

environment is stable and well managed

2.application controls-make sure transactions ar

processed correctly, the accuracy, completeness

and authorization of the data captured
4 levels of control

1.belief system: core values communicated to e

company values, want employees to live by them

2.Boundary system set limits for employees.

3.Diagnostic control system measures progres

comparing expectations to results actual progre

budgets and performance goals.

4.Interactive system have subordinates focuse

items that demand frequent attention.
COSO (Committee of Sponsoring
Organizations)

defined internal controls and provides guidance

evaluating and enhancing internal controls syst

internal control-integrated framework

issued by COSO a widely accepted as the author

internal controls and is incorporated into policie

regulations used to control business activities.
COSOs Enterprise Risk Management

second control framework developed to help org

(ERM)

avoid damage to reputation

5 components of COSO's internal control

1.control environment-core of any business is its

model

their individual attributes including integrity, eth

and competence
2.control activities-policies and procedures that
ensure that actions are effectively carried out;

3.risk assessment-must identify, analyze, and m

risks. Setting objectives so that the organization

in concert;

4.information and communication-these systems

and exchange the information needed to manag

organizations operations;

5monitoring-the entire process must be monitor

Companies should be performing these with a hi

of quality implementation
8 different attributes of the risk

1. Internal environment

management model

2. Objective setting
3.event identification
4. Risk assessment
5.risk response
6. Control activities
7. Information and communication

8. Monitoring
4types of objectives management must

strategic; operations; reporting; compliance

meet to achieve goals

companys units

subsidiary, business unit, division, and entity lev

7 components of an internal environment

1. Managements philosophy, operating style, an

risk appetite-shared beliefs of risks that affects p

Risk appetite-the amount of risk they are willing

philosophy and operating style. Ask 3 questions

achieve its objectives, are there risks? 2 do they

achieve results regardless of methods used?

2. The board of directors-must be involved and a

check and balance on its actions.
3. Commitment to integrity, ethnical value, and

-a culture that stresses integrity and commitmen

values. They can do it by.. teaching and requirin

unrealistic expectations, rewarding honesty, ma

written code of conduct, requiring reporting of d

making a commitment to competence.

4. Organizational structure-framework for planni

executing, controlling and monitoring operation

5. Methods of assigning authority and responsib

authority and hold them accountable

6. Human resource standards-policies governing

conditions, to encourage honesty, (hiring the rig

employees, fair compensating, evaluating and p

training, managing disgruntled employees, disch

vacation and rotation of duties, confidentiality a

and prosecute perpetrators

7. External influences-such as stock exchange, F

Like requirements imposed by regulatory agenci

four (4) responses to risk

reduce-reduce likelihood of risk by implementain

accept-accept the likelihood and imapact of the

share-share the risk or transfer it to someone els

avoid-aviod risk by not engaging in activities tha

seven (7) Control Activities

Proper authorization of transactions and activitie

establish policies for employees to follow and th

empowers them. (approving transactions..etc)

Segregation of duties- follow these functions 1) a

3)custody-handling assets. No one person shoul

Project development and acquisition controls-a p

methods to govern the information systems.
Should include..

Streering committee- guides and oversees the s

Strategic master plan-align an organizations info

with its business strategies

Project development plan-shows the tasks to be

and who to perform them

Data processing schedule-when tasks should be

System performance measurements-to evaluate

Post implementation review-to determine at the

whether the benefits were achieved.

Change management controls- modify existing s

Design and use of documents and records-prope

documents will help ensure accuracy reporting

Safeguarding assets, records, and data-protect c

physical assets as well as information

Independent checks on performance-done by so

other than the person who performs the origina