Internal Control and Risk Assessment
3. Which of the following best describes the Foreign Corrupt Practices Act of
1977 (amended 1988)?
A. It recommended that every publicly traded company include a report
in its annual report assessing the effectiveness of the company’s
internal control structure and procedures.
B. This act made it a felony to intercept electronic communications and
a misdemeanor to break into electronic mail storage facilities.
C. In accordance with section 1029, "Fraud and Related Activity in
Connection with Access Devices," this act made it a crime to produce
or use a counterfeit access device.
D. It established provisions for record keeping and internal control for
companies registered with the Securities and Exchange Commission.
D
6. Which of the following is not a reason that an external auditor would have an
interest in an organization's internal control?
A. Internal control provides a measure of protection against erroneous or
fraudulent financial reporting.
B. The external auditor is required to evaluate internal control in
planning an external audit, according to generally accepted auditing
standards.
C. Strong internal control can eliminate the test of controls required to
be performed by the external auditor.
D. The Sarbanes-Oxley Act of 2002 requires the external auditor attest to
and report on management’s assessment of internal control.
C
8. Which of the following documents has become the widely accepted authority
on internal control and is the basis for the others?
A. The AICPA’s Statement of Auditing Standard No. 78
B. COSO’s Internal Control - Integrated Framework
C. Information Systems Audit and Control Foundation’s COBIT
D. Institute of Internal Auditors Research Foundation’s Systems
Auditability and Control Report
B
9. Which of the following is not one of the three categories of entity objectives?
A. Compliance with applicable laws and regulations
B. Effectiveness and efficiency of operations
C. Human resource policies and practices
D. Quality of information
E. Organizational strategy
C
11. Which of the following are some of the characteristics of high quality
information?
A. Accurate, relative, current, and confidential (when necessary)
B. Accurate, complete, operational, and accessible
C. Accurate, confidential (when necessary), complete, and relevant
D. Accurate, explicit, internal, and confidential (when necessary)
C
12. Why do organizational objectives stress the importance of quality
information?
A. Quality information is required for accounting systems to operate
effectively.
B. Investors, creditors, managers, and other users rely on this
information.
C. The organization's reputation depends on the output of quality
information.
D. External auditors insist that the information provided them be of high
quality.
B
13. The five interrelated components of internal control (according to the COSO
framework) include the following:
A. Control environment, risk assessment, control activities,
organizational structure, and monitoring
B. Control environment, risk assessment, integrity and ethical values,
information and communication, and monitoring.
C. Control environment, risk assessment, control activities, information
and communication, and monitoring
D. Control environment, risk assessment, control activities, information
and communication, and human resource policies and practices
C
14. Which of the internal control components provides the foundation for all the
other components of internal control?
A. Risk assessment
B. Information and communication
C. Monitoring
D. Internal environment
D
15. Which of the following factors are included in the internal environment?
A. Human resource policies and practices, integrity and ethical values,
commitment to competence, and board of directors or audit
committee
B. Human resource policies and practices, integrity and ethical values,
risk assessment, and organizational structure
C. Board of directors, management’s philosophy and operating style,
commitment to competence, and quality of information
D. Assignment of authority and responsibility, organizational structure,
effective and efficient operations, and management’s philosophy and
operating style
A
16. Which factor has the most influence on the effectiveness of an organization's
internal control?
A. Competent, dedicated, trustworthy employees
B. Board of directors
C. Written policies and procedures
D. Employee training
A
20. Which of the following is not an essential component of the audit function of
an organization?
A. Senior management
B. Audit committee
C. Internal auditors
D. External auditors
A
21. Which of the following statements regarding the audit committee is true?
A. It is a standing subcommittee of the board of directors.
B. Its main objectives are to protect against management wrongdoing
and to increase public confidence in the independent auditor's
opinion.
C. The committee should be composed of independent board members.
D. A, B, and C
E. B and C only
D
22. The audit committee is responsible for all of the following except:
A. Appointing and overseeing the external auditors
B. Directing investigations of possible fraud
C. Establishing internal control
D. Reviewing financial information
C
23. From the following factors, which one is least likely to impact the internal
environment?
A. Management philosophy and operating style
B. Human resource policies and practices
C. Job descriptions
D. Integrity and ethical values
C
26. Which of the following is not defined by the formal organizational structure?
A. Areas of responsibility
B. Limits of managerial authority
C. Lines of reporting
D. Organizational goals and objectives
D
27. Which of the following best describes the importance of risk assessment?
A. Risk assessment allows management to determine the extent of the
internal controls required to eliminate inherent risk and to minimize
control risk.
B. Risk assessment is necessary to set priorities for risks in order of
frequency so the most frequently occurring risks can be eliminated in
a cost effective manner.
C. As go the risks, so go the insurance premiums and costs. Risk
assessment is management's primary tool to lower insurance
premiums and casualty losses.
D. Risk assessment helps management set priorities and determine the
organization’s risk response.
D
30. Which of the following includes risks that are all related to accounting
information system activities?
A. Computer system failure, information security breaches, errors and
irregularities in transaction authorization
B. Computer fraud, errors and irregularities in transaction authorization,
and internal audit fraud
C. Fraudulent financial reporting, external audit fraud, and concealment
of illegal acts
D. Inadequate training, system failure, risk disclosure, and irregularities
in transaction authorization
A
33. Which of the following is true concerning the cost/benefit model for risk
analysis?
A. As costs of controls increase, costs associated with risks decrease.
B. As costs of controls increase, costs associated with risks increase.
C. As total costs increase, costs associated with risks increase.
D. As total costs decrease, costs of controls decrease.
A
34. What is the optimal point of reasonable assurance for internal control?
A. When all possible controls are implemented
B. When the cost of controls equals the savings on losses from risks
C. When standard costing is used in inventory accounts
D. When no discrepancies exist between the inventory physical count
and the inventory account balance
B
35. IT governance
A. Should be part of enterprise governance.
B. Has historically been ignored in corporate governance matters.
C. Refers to issues surrounding technology solutions.
D. All of the above describe IT governance.
36. Which of the following best describes the Sarbanes-Oxley Act of 2002?
A. This act requires publicly-traded companies to include a report in its
annual report assessing the effectiveness of the company's internal
control structures/procedures.
B. This act made it a felony to intercept electronic communications and
a misdemeanor to break into electronic mail storage facilities.
C. This act makes it a crime to produce or use a counterfeit access
device.
D. This act established provisions for record-keeping and internal control
for companies registered with the Securities and Exchange
Commission.
A
37. Which of the following is TRUE regarding the Enterprise Risk Management
(ERM) framework?
A. The ERM framework replaces the COSO internal control framework.
B. Proper identification of risk can help management properly allocate
resources.
C. The COSO requested the assistance of Ernst and Young for
development of the ERM.
D. All of the above are true statements regarding ERM.
B
38. The audit committee is responsible for all the following EXCEPT:
A. Appointing and overseeing the external auditors.
B. Directing investigations of possible fraud.
C. Establishing internal control.
D. Reviewing financial information.
40. Which of the following statements is FALSE with regard to the Enterprise
Risk Management (ERM) framework?
A. The ERM is primarily focused on the risk aversion of management.
B. The ERM discusses the relationship between risk and strategy-setting.
C. The ERM is an ongoing process that permeates the entire company.
D. The ERM affects strategy-setting through risk identification.
A
42. Which of the following are required by the Sarbanes-Oxley Act of 2002?
A. Rotation of a company's external auditing firms every five years.
B. Limited loans under special circumstances to executive management.
C. Attestation as to the contents of the financial statements by the CEO
and CFO.
D. All of the above.
43. Which of the following is NOT a key area for focus in IT governance?
A. Responsible handling of transactions, events and decisions, to include
management of mobile IT components such as laptops and PDAs.
B. Choice of public accounting firm to perform the annual audits and
provide tax consulting services.
C. Management of contracts and relationships with service providers
(i.e., outsourcing partners).
D. Timely and transparent disclosure of financial information and
performance measures.
B
48. Which of the following concepts are fundamental to the Enterprise Risk
Management (ERM) framework?
A. The ERM framework is a process applied across the enterprise
B. The ERM framework is effected by people to allow the organization
to achieve its objectives.
C. The ERM framework is applied in strategy setting to identify events
and manage risk within the organization’s risk appetite.
D. All of the above are concepts fundamental to the ERM framework.
D
49. Which of the following describe categories of entity objectives that must
exist before management can identify potential events?
A. High-level strategic goals aligned with and supporting the
organization’s vision or mission.
B. Effectiveness and efficiency of internal reporting.
C. Relevance of non-financial information and reporting.
D. Compliance with all laws and regulations.
E. All of these are categories of entity objectives.
A
50. Event identification includes:
A. Only negative events that impact risk.
B. Only positive events that indicate opportunities.
C. Both positive and negative events.
D. Neither positive nor negative events.
C
Use the following graph of the cost/benefit model for risk analysis to answer the next
five questions.
[Graph: cost/benefit model for risk analysis, with labeled regions (1) through (5); horizontal axis scaled 0 to 100]
60. What does (1) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
A
TRUE/FALSE QUESTIONS
7. Two factors of the internal environment are the board of directors and control
activities.
F
8. Public interest in internal control is not as high now as it was twenty years
ago.
F
11. The Sarbanes-Oxley Act of 2002 requires each member of the audit
committee of a publicly traded company to be an independent member of the
board of directors.
T
12. The Sarbanes-Oxley Act of 2002 requires that a publicly traded company’s
independent auditor report directly to the audit committee.
T
15. The Foreign Corrupt Practices Act was passed to protect investors by
improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws.
F
20. One of the basic factors of the internal environment is the board of directors
or audit committee.
T
24. The Sarbanes-Oxley Act (SOX) allows the director of internal audit to attest
to the internal control system of the company.
F
26. Type II SAS 70 reviews are required for all third party service providers.
T
27. The Sarbanes-Oxley Act (SOX) requires that the external audit firm for a
company be rotated every five years.
F
SHORT ANSWER QUESTIONS
Answer:
The president of the small company should be informed that internal control
deals with risks other than just theft. Internal control will ensure quality of
information, effectiveness and efficiency of operations, and compliance with
applicable laws and regulations. In addition, many people have paid a high
price to learn that intrafamily theft can indeed occur.
Answer:
Key human resource policies and practices that should be included in any
discussion are:
Hiring. The organization should hire the best people it can and should pay
proper attention to the competency and integrity of prospective employees.
Newly hired employees should be assigned to responsibilities they can
handle and for which they are best suited.
Orientation and Training. Management should recognize the importance of
effectively orienting and training employees and should use a variety of
formal and informal training techniques.
Evaluating and Counseling. Periodic performance review and evaluation
procedures should focus on helping employees improve performance or,
where necessary, transferring the employees to more suitable work or even
terminating them.
Promoting. Promotion policies should reward employees for outstanding
performance. The prospect of promotion helps create an environment in
which employees see the possibility of long-term careers with an
organization.
Compensating. Employees must be properly compensated for their
performance in carrying out their assigned responsibilities.
Remedial Actions. An organization should establish written policies and
procedures stating the disciplinary actions that will follow violations of
expected behavior. Prompt, impersonal disciplinary action sends a message
that violations will not be tolerated.
In addition, employees should have the resources available to them that are
necessary to fulfill their job responsibilities. These resources include a
supportive working environment, appropriate technology, information, and
effective supervisors to whom they can turn for help when needed.
Answer:
The documents are:
a. The Committee of Sponsoring Organizations of the Treadway
Commission’s Internal Control-Integrated Framework (COSO)
b. The Institute of Internal Auditors Research Foundation’s Systems
Auditability and Control Report (SAC)
c. The Information Systems Audit and Control Foundation’s Control
Objectives for Information and Related Technology (COBIT)
d. The American Institute of Certified Public Accountants’ Statement of
Auditing Standards No. 94 - The Effect of Information Technology
on the Auditor’s Consideration of Internal Control in a Financial
Statement Audit: An Amendment to SAS No. 55.
e. The Committee of Sponsoring Organizations Enterprise Risk
Management—Integrated Framework.
Answer:
The components of internal control are:
a. Internal environment
b. Objective setting
c. Event identification
d. Risk assessment
e. Risk response
f. Control activities
g. Information and communication
h. Monitoring
Answer:
Indicators of management’s philosophy and operating style are:
a. Behavior toward other managers or personnel
b. Approach to business risk
c. Attitude toward accounting functions
d. Attitude toward information processing
6. Define what a SAS 70 review is used for AND describe what the two
different types of reports that can result from one of these reviews will
contain.
Answer:
SAS 70 examinations enable service organizations to obtain a single report
for all/most of its user organizations' audit responses. It is essential to the
due diligence required for potential outsourced activities, and for the
requirements of Sarbanes-Oxley. The type I report describes the controls at a
specific point in time, with an audit opinion regarding whether the
descriptions present fairly the relevant aspects and whether the controls were
suitably designed for specified control objectives. The type II report also
includes an opinion on whether the controls tested were operating with
sufficient effectiveness to provide reasonable assurance that control
objectives were achieved during a specified period (usually 6-12 months).
Answer:
Any four of these: Management attestation to internal controls, auditor
attestation to internal controls, firms cannot provide non-audit services
contemporaneously with audit, PCAOB formed with 5 "financially literate"
members--3 non-CPAs, audit partner on job must be rotated every 5 years,
audit committee membership requirements/duties (at least one financially
literate member), no personal loans to executives, criminal penalties for
destroying/creating documents that impede investigation, disclosure of
material adjustments/off-balance sheet transactions with unconsolidated
entities.
Answer:
There are four responses to identified risk: avoid, reduce/mitigate, share, or
accept. Management determines the response to identified risks in an attempt
to achieve a residual risk level aligned with the organization’s risk tolerance
or appetite, and reviews the relation to the costs v. benefits of those risk
responses. In addition to considering responses to risk on an individual or
group basis, management also considers the aggregate effect of risk
responses across the organization (portfolio approach).
9. Define Enterprise Risk Management.
Answer:
It is a process that is applied in a strategy setting that is effected by
the board of directors, management and other personnel. It is applied across
the entity, and includes an identification of potential events (both
positive/opportunities and negative/risks) as well as the response to those
events. The ERM allows management to manage risk within the
organization’s risk appetite and provides reasonable assurance of the entity
objectives related to strategy, information reporting, effectiveness/efficiency
of operations, and compliance with applicable laws and regulations.
Answer:
Information security breaches
Computer system failure and/or improper backup of the system
Accounting system’s inability to meet the organization’s and users’ needs
Excessive hardware and software acquisition costs
Excessive operating and maintenance costs
Inadequate training, development, and supervision of personnel
Errors and inappropriate acts in transaction and master file maintenance
authorizations
Errors and inappropriate acts in data input, processing, and output
Fraudulent financial reporting
Concealment of illegal acts
11. List some examples of things that would change the risk profile of an
organization.
Answer:
Changes in the operating environment
New personnel (especially changes in executive management)
New or modified accounting systems/new technology
Rapid growth
Corporate reengineering
Expansion into new markets or product lines
Expanded foreign operations
New accounting pronouncements
Government legislation (e.g., Sarbanes-Oxley Act)
12. Define the following risk responses: avoid, reduce, share, accept.
Answer:
Avoiding risk means stopping or quitting the activity so as to get rid of the
risk. Reducing the risk means that management takes steps to reduce the
likelihood and/or impact of the identified risk, through control activities or
other means. Sharing the risk means reducing the likelihood or impact of the
risk by transferring some of the risk, such as is done when insurance is
purchased to protect an organization from losses due to fire. Accepting the
risk means taking no action to reduce the likelihood and/or impact of the risk.
In some cases, a risk cannot be avoided, but the organization decides to
ignore the risk because it is either impossible to control for, it is too
expensive to control, or the realization of the risk will have little impact on
the achievement of management objectives.