P1 1e.17bbb6c Notes
PART 1 UNIT 5
Module 1E. Internal Controls
This module covers the following content from the IMA Learning Outcome Statements.
CMA LOS Reference: Part 1—Section E.1. Governance, Risk, and Compliance: Part 1
1 Corporate Governance
(Figure: corporate governance documents: Articles of Incorporation; Bylaws; Policies and Procedures.)
1.1.2 Bylaws
In addition to the articles of incorporation, a corporation generally will have bylaws containing
rules for running the corporation. Bylaws include more detailed information than the articles of
incorporation. For example, bylaws may set out the authority of the corporation's officers, how
meetings are conducted, how officers are elected, etc. Bylaws are adopted by the incorporators
or the board of directors and may be repealed or modified by the board of directors. They are
not part of the articles of incorporation and are not required to be filed with the state.
Within a corporation, positions have different rights and responsibilities, including the board of
directors, the audit committee, officers, managers, and shareholders.
1.2.3 Officers
Officers are individual agents (and employees) of the corporation who ordinarily conduct its day-
to-day operation. Officers are selected by the board and may be removed by the board with or
without cause. They are not elected by the shareholders. Corporate officers, like the corporate
board of directors, are subject to fiduciary duties and must discharge their duties in good
faith and with the same care as an ordinarily prudent person in a similar position. Officers will
generally have apparent authority to enter into contracts and act on behalf of the corporation
in the ordinary course of business. Corporate decisions are often made by officers and then are
implemented down the corporate chain. This is often referred to as the top-down approach.
These decisions often relate to achieving goals that will help meet the strategic direction set
by officers.
Officers may vary, but most corporations have a chief executive officer (CEO) and a chief
financial officer (CFO). The CEO is the highest executive and reports directly to the board of
directors. The CEO often has the highest level of authority within a corporation. The CEO is
responsible for all corporate operations and performance, and sets the vision, mission, and
goals for the corporation. In addition, the CEO also determines the strategic direction for the
company and helps create the plan to achieve those goals. The CFO is responsible for the
financial operations of the company, including financial planning and analysis. Typically, the CFO
reports to the CEO.
1.2.4 Managers
Managers are hired by officers or other employees to help with the day-to-day operations.
Management is responsible for the design, implementation, and maintenance of internal
control. Management is also responsible for the preparation and fair presentation of the
financial statements. Management may be given autonomy by the officers to set policy and
procedures related to the day-to-day operations of the company.
1.2.5 Shareholders
Shareholders have the right to vote to elect or remove members of the board of directors. They
also have the right to vote on whether to approve fundamental changes to the corporation, such
as dissolution, and a right to inspect certain corporate records. Generally, shareholders do not
have a right to a distribution (including cash dividends and repurchases of shares) unless and
until it is declared by the board of directors.
The Sarbanes-Oxley Act of 2002 (SOX) had a profound effect on corporate governance. The act
was created in the wake of the frauds committed at Enron and WorldCom, which led to those
corporations' collapse, and of the fraud-driven restatement of the financial statements of a number
of other U.S. Securities and Exchange Commission (SEC) reporting companies.
The provisions in SOX include the creation of the Public Company Accounting Oversight Board
(PCAOB), expanded disclosures by corporations and specific representations required by officers
of public companies, harsher penalties for fraudulent activities, significant internal control
provisions, and additional rules for external auditors.
The PCAOB is subject to oversight by the SEC and has the duty to:
register public accounting firms that prepare audit reports for issuers;
establish rules relating to the preparation of audit reports for issuers; and
conduct inspections, investigations, and disciplinary proceedings concerning registered
public accounting firms.
The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 to prohibit U.S. individuals and
entities from paying bribes to advance an individual's or entity's business interests. Compliance
with the act requires following accounting transparency guidelines and placing internal controls
to ensure proper reporting and disclosure of assets.
Businesses subject to the FCPA include corporations, partnerships, limited partnerships,
business trusts, and unincorporated organizations. Penalties for violations of the act include up
to five years in prison, up to $100,000 in fines, or both. Enforcement of the act is shared by the
U.S. Department of Justice and a special unit within the SEC.
Issuers (companies trading on a U.S. stock exchange, "issuers" of audited financial statements)
must comply with specific accounting and control provisions under the FCPA. These include:
- Making and keeping detailed accounting records to reflect transactions of the issuer
accurately and fairly; and
- Devising and maintaining a system of internal accounting controls sufficient to provide
reasonable assurance that:
  - transactions are properly authorized by management;
  - transactions are recorded to allow the preparation of financial statements and maintain
accountability for assets;
  - access to assets is properly authorized by management; and
  - review and reconciliation of assets are regularly performed.
An external auditor is hired to provide financial statement users with an opinion on whether
the financial statements are presented fairly, in all material respects, in accordance with the
applicable financial reporting framework.
Pass Key
The applicable financial reporting framework is the financial reporting framework that is
acceptable in view of the nature of the entity and the objective of the financial statements,
or that is required by law or regulation. Acceptable financial reporting frameworks include
general purpose frameworks designed to meet the needs of a wide range of users (e.g.,
U.S. Generally Accepted Accounting Principles [GAAP] and International Financial Reporting
Standards [IFRSs]), and special purpose frameworks.
The auditor's report gives credibility to the financial statements. The auditors, as a group
independent of management, have an objective view and can report on a company's activities
without bias or conflict of interest. Without a report from an independent auditor, a company's
financial statements would be meaningless, because the public would have little faith in financial
statements issued by the inherently biased company.
The financial statements of an enterprise are prepared by the management of the enterprise,
not by the independent auditor. Further, the financial statements are the product and property
of the enterprise; the independent auditor merely audits and expresses an opinion on the
financial statements and their accompanying notes.
Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the auditor's
opinion on financial statements that are materially misstated. Audit risk should be reduced to an
appropriately low level before an opinion on the financial statements is expressed.
Audit risk is composed of:
Inherent Risk: Risk inherent in certain accounts or transactions.
Control Risk: Risk that an error will not be prevented or detected (and corrected) by the
internal control system in a timely manner.
Detection Risk: Risk that an auditor will conclude that a material error does not exist when,
in fact, one does.
4.8.1 Communication
The auditor should communicate with management and those charged with governance
throughout the audit. There are certain required communications, which include matters
related to the auditor's responsibility, planned scope and timing of the audit engagement, and
significant audit findings.
An auditor should follow certain procedures when errors or irregularities (fraud) are suspected.
Generally, the error or irregularity should be discussed with an appropriate level of management
at least one level above those involved.
4.8.4 Modifications to the Auditor's Opinion
(Figure: Forming an Audit Opinion. The opinion depends on whether the problem is an audit issue
or a financial statement issue, and on its materiality.)
Type of issue               Materiality of issue         Opinion
Audit issue                 Material and pervasive       Disclaimer
Audit issue                 Material but not pervasive   Qualified
Either                      None or immaterial           Unmodified (Unqualified)
Financial statement issue   Material but not pervasive   Qualified
Financial statement issue   Material and pervasive       Adverse
The auditor's report should be modified when the auditor concludes that the financial
statements as a whole are materially misstated (financial statement issue), or the auditor is
unable to obtain sufficient appropriate audit evidence to conclude that the financial statements
as a whole are free from material misstatement (audit issue).
There are three types of modified opinions: the qualified opinion, the adverse opinion, and the
disclaimer of opinion.
Qualified Opinion: A qualified opinion states that except for the effects of the matter(s)
to which the qualification relates, the financial statements present fairly, in all material
respects, the financial position, results of operations, and cash flows of the entity in
conformity with the applicable financial reporting framework.
Adverse Opinion: An adverse opinion states that the financial statements do not present
fairly the financial position, results of operations, or cash flows of the entity in conformity
with the applicable financial reporting framework.
Disclaimer of Opinion: A disclaimer of opinion states that the auditor does not express an
opinion on the financial statements.
Pervasive effects on the financial statements are those which, in the auditor's professional
judgment:
are not confined to specific elements, accounts, or items of the financial statements;
if so confined, represent a substantial proportion of the financial statements; or
are disclosures fundamental to the users' understanding of the financial statements.
Circumstances calling for an explanatory paragraph in the auditor's report (see note):
Going concern
Material justified change in accounting principle
Material misstatement in prior financial statements is corrected
Special purpose framework *
Change in audit opinion
Restrict use of report
Prior financial statements audited by prior auditor and prior auditor's report is not presented
Comparative financial statements where the current year is audited and prior period is not audited *
Material inconsistency in other information *
Report on supplementary information within auditor's report *
Refer to required supplementary information *
Report on compliance included in auditor's report *
*Although PCAOB guidelines do not specify the location for the explanatory paragraph for these
circumstances, the explanatory paragraph generally is placed after the opinion paragraph.
Issuers are required to have an integrated audit. In an integrated audit, two audits are
simultaneously performed, and two opinions are rendered on (1) the fairness of the financial
statements and (2) the operating effectiveness of internal controls. Nonissuers are not required
to have an integrated audit but may choose to have an integrated audit performed.
There are two methods to the audit of the operating effectiveness of internal controls: the top-
down approach (risk-based approach) or the bottom-up approach.
Question 1 MCQ-12416
Which of the following most likely represents a responsibility of the external auditor?
a. Provide absolute assurance on the fairness of the financial statements.
b. Comply with generally accepted auditing standards, which includes authorizing
transactions on behalf of the client.
c. Issue an opinion on the fairness of the financial statements.
d. Design, implement, and maintain internal control relevant to the preparation and
fair presentation of financial statements.
Question 2 MCQ-12417
Which opinion would an auditor most likely render if the financial statements are materially
and pervasively misstated due to a company departing from the applicable financial
reporting framework?
a. Unmodified
b. Qualified
c. Disclaimer
d. Adverse
Question 3 MCQ-12418
Which of the following responsibilities is least likely to be a responsibility for the board
of directors?
a. Declaring dividends.
b. Determining the policies and procedures related to the day-to-day operations of
the company.
c. Initiating fundamental changes to the corporation's structure.
d. Electing officers.
This module covers the following content from the IMA Learning Outcome Statements.
CMA LOS Reference: Part 1—Section E.1. Governance, Risk, and Compliance: Part 2
© Becker Professional Education Corporation. All rights reserved. Module 2 5–19 E.1. Go
2 E.1. Governance, Risk, and Compliance: Part 2, and E.2. System Controls and Security Measures PART 1 UNIT 5
CMA LOS Reference: Part 1—Section E.2. System Controls and Security Measures
Material from Internal Control—Integrated Framework, © 2013 Committee of Sponsoring Organizations of the Treadway
Commission (COSO). Used with permission.
In 2013, the framework received an update to deal with changes in technology, business models,
globalization, outsourcing, and regulatory environment. One significant enhancement to the
2013 update was the formalization of fundamental concepts that were part of the original 1992
framework. Specifically, these fundamental concepts have evolved into 17 principles that have
been categorized within the five major internal control components. COSO's framework is widely
regarded as an appropriate and comprehensive basis to document the assessment of internal
controls over financial reporting.
The framework is used by company management and its board of directors to obtain an initial
understanding of what constitutes an effective system of internal control and to provide insight
as to when internal controls are being properly applied within the organization. The framework
also provides confidence to external stakeholders that an organization has a system of internal
control in place that is conducive to achieving its objectives.
Pass Key
An effective system of internal control requires more than adherence to policies and
procedures by management, the board of directors, and the internal auditors. It requires
the use of judgment in determining the sufficiency of controls, in applying the proper
controls, and in assessing the effectiveness of the system of internal controls. The
principles-based approach of the framework supports the emphasis on the importance of
management judgment.
(Figure: the COSO framework cube. Components: Control Environment, Risk Assessment, Control
Activities, Monitoring Activities; organizational levels: Entity Level, Division, Operating Unit,
Function.)
2. Reporting Objectives
Reporting objectives pertain to the reliability, timeliness, and transparency of an entity's
external and internal financial and nonfinancial reporting as established by regulators,
accounting standard setters, or the firm's internal policies.
3. Compliance Objectives
Compliance objectives are established to ensure the entity is adhering to all applicable laws
and regulations.
Pass Key
The COSO framework does not prescribe which controls an entity should implement
for effective internal control. Instead, an organization's selection of controls requires
management's judgment based on factors unique to the entity.
(Figure: the five components of internal control: 1 Control Environment; 2 Risk Assessment by
Management; 3 Information and Communication Systems; 4 Monitoring; 5 Existing Control Activities.)
Pass Key
Remember that it would be a CRIME if you forgot the five components of internal control:
- Control Environment
- Risk Assessment
- Information and Communication
- Monitoring
- (Existing) Control Activities
Consider Potential for Fraud: The organization considers the potential for fraud in
assessing risks. Points of focus include assessing incentives and pressures, opportunities
and attitudes, and rationalizations.
Identify and Assess Changes: The organization identifies and assesses changes that could
significantly affect the system of internal control. Points of focus include assessing changes
in the external environment, business model, and leadership.
1. Select and Develop Control Activities: The organization selects and develops control
activities that contribute to the mitigation of risks to acceptable levels. Points of focus
include integrating with risk assessment when selecting activities and considering
entity‑specific factors.
2. Select and Develop Technology Controls: The organization selects and develops general
control activities over technology to support the achievement of objectives. Points of focus
include determining dependencies between the use of technology in business processes
and establishing relevant technology infrastructure control activities.
3. Deployment of Policies and Procedures: The organization deploys control activities
through policies that establish what is expected and procedures that put policies into action.
Points of focus include establishing responsibility and accountability for executing policies
and procedures and taking corrective action.
Pass Key
The candidate should be familiar with the five components of internal control (in bold) and
each of the 17 principles within the components. (CRIME)
Control Environment
Commitment to ethical values and integrity
Board independence and oversight
Organizational structure
Commitment to competence
Accountability
Risk Assessment
Specify objectives
Identify and analyze risks
Consider the potential for fraud
Identify and assess changes
Information and Communication
Obtain and use information
Internally communicate information
Communicate with external parties
Monitoring Activities
Ongoing and/or separate evaluations
Communication of deficiencies
(Existing) Control Activities
Select and develop control activities
Select and develop technology controls
Deploy through policies and procedures
LOS 1E1g, 1E1v
Internal control risk is the risk that the internal control policies and procedures established by
an organization will not be sufficient to support the achievement of its operating, reporting, or
compliance objectives.
Internal control policies and procedures are checks and balances implemented by management
to protect a company from threats to the achievement of its operating, financial reporting, and
compliance objectives.
One employee has sole responsibility for depositing all checks received by an organization.
The employee records, issues, and mails all paper checks as well as reconciles the monthly
bank account statement and updates the accounts payable and accounts receivable
ledgers. The employee has custody of the checks received, and completes the record
keeping for all checks received from customers and mailed out to vendors. This employee
performs the only review over the receipt and payment of funds, the bank reconciliation.
In this scenario, the employee could easily steal from the company in several ways, such
as through cash skimming schemes, using company assets for personal use, or other
records-falsification techniques that would conceal theft.
(Figure: segregated duties for cash receipts: one person opens the mail, endorses the checks, and
prepares the list of checks; another prepares the deposit ticket and makes the physical deposit in
the bank account.)
Independent checks involve the verification of work performed by others to ensure accuracy
and to prevent errors or fraud. Examples include review of bank reconciliations, comparisons of
accounting records to supporting documentation, and comparisons of physical inventory counts
to inventory records. Due to the smaller number of employees, small businesses often have
difficulty creating a clear division of roles and implementing a rotation of responsibilities.
By using prenumbered documents, management may account for all transactions; each
sequentially numbered document is either attached to a transaction or properly voided.
Prenumbered documents assist in segregation of duties. For example, purchasing may receive
a purchase requisition from production to order supplies. If the purchase requisitions are
prenumbered, all transactions can be matched to the supporting documentation and checked
for proper authorization before payment is made. Any missing documents are a control to
alert management that there may be either a purchase requisition that was improperly used or
missing documentation that may indicate error or fraud.
Prenumbering of forms helps to ensure that all transactions are recorded and that no
transaction is recorded more than once. For example, cash receipts need to be prenumbered to
ensure that the cash receipt was posted to the related accounts receivable. If any sequentially
numbered cash receipt is not accounted for, management can investigate to determine whether
that cash receipt was voided or if the cash was misappropriated.
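As an added example (not part of the Becker text), the following Python routine performs the sequence accounting described above for a block of prenumbered cash receipts: every issued number must be either posted to a customer account or properly voided, and anything else (a number never accounted for, a number posted twice, a number from outside the issued block) is flagged for management to investigate. The receipt records and customer codes are constructed for the example.

```python
"""Sequence accounting for prenumbered documents (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    number: int         # preprinted sequence number on the form
    status: str         # "posted" (posted to accounts receivable) or "voided"
    customer: str = ""  # A/R account credited, if posted


def account_for_sequence(receipts, first, last):
    """Account for every number in the issued block [first, last].

    Returns a dict of findings:
      missing      - numbers neither posted nor voided: the receipt may have been
                     voided without a record, or the cash misappropriated
      duplicates   - numbers posted more than once: a transaction recorded twice,
                     or a form reused
      voided       - numbers properly voided (no further action)
      out_of_range - numbers outside the issued block: a misfiled or forged form
    """
    posted = Counter(r.number for r in receipts if r.status == "posted")
    voided = {r.number for r in receipts if r.status == "voided"}
    seen = set(posted) | voided
    issued = set(range(first, last + 1))
    return {
        "missing": sorted(issued - seen),
        "duplicates": sorted(n for n, hits in posted.items() if hits > 1),
        "voided": sorted(voided & issued),
        "out_of_range": sorted(seen - issued),
    }


# Constructed sample: receipt block 1001-1010 was issued to the cashier.
SAMPLE_RECEIPTS = [
    Receipt(1001, "posted", "cust-17"),
    Receipt(1002, "posted", "cust-03"),
    Receipt(1003, "posted", "cust-17"),
    Receipt(1004, "voided"),             # spoiled form, voided and retained
    Receipt(1005, "posted", "cust-22"),
    Receipt(1005, "posted", "cust-22"),  # same number posted twice
    Receipt(1007, "posted", "cust-09"),
    Receipt(1008, "posted", "cust-03"),
    Receipt(1010, "posted", "cust-11"),
    Receipt(1012, "posted", "cust-05"),  # not from the issued block
]


def sample_findings():
    """Run the check over the constructed block."""
    return account_for_sequence(SAMPLE_RECEIPTS, 1001, 1010)


if __name__ == "__main__":
    for kind, numbers in sample_findings().items():
        print(f"{kind:13s} {numbers}")
```

Receipts 1006 and 1009 come back as missing, 1005 as a duplicate posting and 1012 as a form that was never issued; each is a lead for management rather than a conclusion, exactly as the text describes.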
Information system development controls are designed to enhance the security and accuracy
of data input into the system, strengthening the validity of the outputs from the system. During
the input, processing, and output stages, controls are designed to protect against internal and
external threats. The system development control design that provides this security must be
able to adapt in order to continuously provide protection in an ever-changing environment.
An input file containing sales transactions is loaded into the operations system from a
store at the proper time, carrying the proper credentials for the store and the owner. Input
controls accept the authorization for this file to be read into the system. However, during the
initial read the file is seen to be less than half the size of a typical file for that store during this
time of year. Because the number of sales transactions is too low (outside of the lower limit
for this input control), a contingency trigger interrupts processing and sends notifications
to both the store manager and the operations analyst to check to make sure the entire file
was transmitted. Processing resumes when either authorized person (the store owner or
operations analyst) submits their credentials and replaces or confirms the input file.
An analyst receives transaction reports from each retail store in the corporation and uses
a program to consolidate the files into one report containing all transaction records in
chronological order for the day. Each day, the analyst preserves the individual store reports
and the consolidated reports in the company's cloud-based file storage system.
Another analyst later takes the consolidated file and uses it as input to another program
in order to organize the sales by store owner (some owners have multiple retail stores)
to calculate royalties owed to the parent company. The second analyst also saves the
consolidated file (the output from the first process that is now the input for the second
process) and the new output file detailing sales by owner in the company's file storage
system, where it can be used by other analysts for different purposes.
The benefits of following this process control include error detection, fraud detection, and
promotion of good business continuity practices. The first analyst's output file should be
identical to the second analyst's input file. Any other analyst should be able to run the
same program against the same input file stored on record and get the same output file
stored on record. If the files are not the same or the output results are different, then it
is possible that an error or fraud has occurred, or that the data became corrupted. Lastly,
with backups in existence, if a data file was corrupted, lost or stolen, then work can proceed
from the most recent backup.
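The two-analyst process control above, as an added Python example that is not from the Becker text: the first program consolidates the store reports deterministically, the second computes royalties from the consolidated file, and a verification step checks that the second step's input is byte-for-byte the first step's output (by SHA-256 hash) and that re-running either program on the stored inputs reproduces the stored outputs. The store reports, owner names and the 5% royalty rate are constructed for the example.

```python
"""Process control for a two-step reporting pipeline (added example, constructed data)."""
import csv
import hashlib
from decimal import Decimal
from io import StringIO

FIELDS = ["timestamp", "store", "owner", "amount"]
ROYALTY_RATE = Decimal("0.05")  # assumed royalty rate for the example

# Constructed store transaction reports for one day.
STORE_REPORTS = {
    "store_A.csv": (
        "timestamp,store,owner,amount\n"
        "2024-03-01T09:05:00,A,owner1,25.00\n"
        "2024-03-01T11:30:00,A,owner1,40.00\n"
    ),
    "store_B.csv": "timestamp,store,owner,amount\n2024-03-01T10:00:00,B,owner2,100.00\n",
    "store_C.csv": "timestamp,store,owner,amount\n2024-03-01T12:00:00,C,owner1,10.00\n",
}


def sha256_hex(text):
    """Fingerprint of a file's contents, used to compare stored copies."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def consolidate(reports):
    """First analyst's program: merge every store report into one chronological file.
    Inputs are read in a fixed order and written with a fixed line ending so the
    same inputs always produce a byte-identical output."""
    rows = []
    for name in sorted(reports):
        rows.extend(csv.DictReader(StringIO(reports[name])))
    rows.sort(key=lambda r: (r["timestamp"], r["store"]))
    out = StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def royalties_by_owner(consolidated, rate):
    """Second analyst's program: sales per owner times the royalty rate."""
    sales = {}
    for row in csv.DictReader(StringIO(consolidated)):
        sales[row["owner"]] = sales.get(row["owner"], Decimal("0")) + Decimal(row["amount"])
    return {owner: (total * rate).quantize(Decimal("0.01"))
            for owner, total in sorted(sales.items())}


def run_day(reports):
    """Both steps for one day; returns everything that is preserved on record."""
    consolidated = consolidate(reports)
    process2_input = consolidated  # the copy the second analyst actually used
    return {
        "store_reports": reports,
        "consolidated": consolidated,
        "consolidated_sha256": sha256_hex(consolidated),
        "process2_input": process2_input,
        "royalties": royalties_by_owner(process2_input, ROYALTY_RATE),
    }


def verify_record(record):
    """The control: the second step's input must equal the first step's output, and
    re-running each program on the stored inputs must reproduce the stored outputs.
    Returns a list of findings; an empty list means the record checks out."""
    findings = []
    if sha256_hex(record["process2_input"]) != record["consolidated_sha256"]:
        findings.append("process-2 input differs from process-1 output (error, corruption or tampering)")
    if consolidate(record["store_reports"]) != record["consolidated"]:
        findings.append("re-running consolidation does not reproduce the stored consolidated file")
    if royalties_by_owner(record["process2_input"], ROYALTY_RATE) != record["royalties"]:
        findings.append("re-running the royalty calculation does not reproduce the stored result")
    return findings


if __name__ == "__main__":
    record = run_day(STORE_REPORTS)
    print("clean record:", verify_record(record) or "no findings")
    tampered = dict(record, process2_input=record["process2_input"].replace("100.00", "10.00"))
    print("altered input:", verify_record(tampered))
```

The determinism of `consolidate` (fixed input order, fixed sort key, fixed line ending) is what makes the "any analyst can rerun it and get the same file" check meaningful; a program whose output depends on directory listing order or the local line ending would raise false alarms.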
Interest rates on loans are calculated from economic factors such as national savings rates,
the consumer price index, currency exchange rates, and stock and bond market activities.
These calculations may occasionally result in a recommended interest rate being negative,
meaning that the bank should pay the borrower interest to take out a loan. It is sometimes
appropriate for a bank to use negative interest rates, but less often than such calculations
may recommend. A prudent output control would require an executive-level bank manager
to approve or modify any system recommendation for a negative interest rate.
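Both the input control on the undersized sales file and the output control on a negative recommended interest rate are instances of the same pattern: a limit check that holds the item, notifies named people, and resumes only when an authorized person confirms or replaces the value. The following Python class is an added example (not the Becker text's or any vendor's code) that implements that pattern generally and then runs both scenarios; the typical file size, the approver roles and the rate figures are assumed.

```python
"""Limit check with hold-and-release (added example; names and thresholds are assumed)."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Hold:
    hold_id: int
    control: str
    value: float
    reason: str
    notified: tuple                     # who was told to look at it
    released_by: Optional[str] = None
    final_value: Optional[float] = None


class LimitControl:
    """A reasonableness check: values inside [lower, upper] pass straight through;
    anything outside is held, the named approvers are notified, and processing
    continues only when one of them confirms or replaces the value."""

    def __init__(self, name, lower=None, upper=None, approvers=(), notify=None):
        self.name = name
        self.lower, self.upper = lower, upper
        self.approvers = frozenset(approvers)
        self.notify = notify or (lambda recipients, message: None)
        self.holds = {}
        self._ids = count(1)

    def check(self, value):
        """Returns ("accepted", None) or ("held", Hold)."""
        if self.lower is not None and value < self.lower:
            reason = f"{value} below lower limit {self.lower}"
        elif self.upper is not None and value > self.upper:
            reason = f"{value} above upper limit {self.upper}"
        else:
            return "accepted", None
        hold = Hold(next(self._ids), self.name, value, reason, tuple(sorted(self.approvers)))
        self.holds[hold.hold_id] = hold
        self.notify(hold.notified, f"[{self.name}] hold #{hold.hold_id}: {reason}")
        return "held", hold

    def release(self, hold_id, approver, final_value=None):
        """An authorized person confirms the held value (final_value None) or replaces it."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver!r} may not release holds on {self.name}")
        hold = self.holds[hold_id]
        if hold.released_by is not None:
            raise ValueError(f"hold #{hold_id} was already released by {hold.released_by}")
        hold.released_by = approver
        hold.final_value = hold.value if final_value is None else final_value
        return hold.final_value


def demo():
    """Both scenarios from the text, with constructed figures; returns the notifications sent."""
    sent = []
    notify = lambda recipients, message: sent.append((recipients, message))

    # Input control: a store's nightly sales file normally holds about 4,000 records;
    # anything under half of that is held until the store owner or an analyst acts.
    typical_records = 4000
    sales_file = LimitControl("sales file record count", lower=typical_records / 2,
                              approvers={"store_owner", "ops_analyst"}, notify=notify)
    status, hold = sales_file.check(1850)                               # truncated transfer
    sales_file.release(hold.hold_id, "ops_analyst", final_value=4120)  # complete file re-sent

    # Output control: a negative recommended rate needs an executive's decision.
    loan_rate = LimitControl("recommended loan rate (%)", lower=0.0,
                             approvers={"exec_bank_manager"}, notify=notify)
    status2, hold2 = loan_rate.check(-0.25)
    loan_rate.release(hold2.hold_id, "exec_bank_manager", final_value=0.10)
    return sent


if __name__ == "__main__":
    for recipients, message in demo():
        print(recipients, "<-", message)
```

The hold record keeps who released it and what value went forward, which is the audit trail a reviewer needs later; `release` refuses anyone outside the approver set and refuses a second release, so the control cannot be bypassed by simply resubmitting.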
Computer servers should also be stored in locked rooms, accessible only by authorized
employees. This control exists to prevent anyone without authorized credentials from accessing,
stealing, altering, or destroying sensitive company data by either stealing a hard drive or
destroying a server. Another physical security feature in a server room is a lack of physical
labeling. An unauthorized individual would have a difficult time searching for a particular set of
files or data to steal in a server room where every server is essentially physically identical.
Peripheral devices may create vulnerabilities that are just as significant as exposed core hardware
and software. They could be assets that allow indirect access to core systems, such as an IoT
(Internet of Things) piece of equipment. Or peripheral devices could be more supportive in nature,
particularly central heating and cooling systems, which are critical to maintain low temperature
levels for servers, switches, and other items found in a data center. Access to central cooling
systems that support such equipment should be given the same level of physical access controls
because tampering with it could be just as detrimental, potentially causing equipment to overheat.
A health care organization's lead IT engineer received what appeared to be a voice mail
sent to his e-mail, with a link taking him to a page that prompted him to enter his domain
username and password. Once the attacker obtained the engineer's credentials from this
phishing attack, the attacker was able to gain access to the company's internal network using
the employee's user information on an open port accessible via the public Web. This attacker
then encrypted all files in the company's shared drives, rendering all files inaccessible by
company employees. The fraudster then sent an e-mail to the company's management
requesting $80,000 to be paid in digital currency and sent to a private key. After being
advised by its legal counsel to pay, the company's forensic accountant paid the attacker, and
in return the company received the decryption key to regain access to all of its files.
Disaster recovery planning (DRP) differs from business continuity planning in that business
continuity planning is the creation of strategies to cover every likely potential disruption to
business, whereas disaster recovery is the execution of one or more of those plans in the
moment when they are needed. Disasters cause business continuity issues; therefore, disaster
recovery plans are a significant part of business continuity planning. DRP is more tactical
compared with continuity planning, which is more strategic.
Data backups are necessary both for recovery in a disaster scenario and for recovery from
processing problems. Copies of key master files and records should be stored in safe places
located outside of the company. Copies of files kept on-site should be stored in fireproof
containers or rooms.
Backup of Systems That Can Be Shut Down: The backup process is relatively simple when
a system can be shut down for backup and maintenance. When this is the case, files or
databases that have changed since the last backup (or just all data) can be backed up, using
the son-father-grandfather or similar concept.
Backups of Systems That Do Not Shut Down: Effective backups are more difficult when
an information system cannot be shut down. Recovery often includes applying a transaction
log (a file of the transactions that had been applied to the databases) and reapplying those
transactions to get back to the point immediately before the failure.
Mirroring: Mirroring is the use of a backup computer to duplicate all of the processes and
transactions on the primary computer. Mirroring, which can be expensive, is sometimes
used by banks and other organizations for which downtime is unacceptable.
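The roll-forward recovery described for systems that do not shut down, as an added Python example that is not from the Becker text: a small ledger is restored from the last backup and the logged transactions after it are reapplied in sequence up to the point just before the failure. The backup, the transaction log and the account names are constructed; the example also shows why a gap in the log has to stop recovery rather than be skipped.

```python
"""Recovery from a backup plus transaction log (added example, constructed data)."""
import copy

# Constructed: the last backup of a small A/R ledger (balances in cents),
# taken after transaction sequence number 100 was applied.
BACKUP = {"seq": 100, "balances": {"cust-1": 5000, "cust-2": 0}}

# Constructed transaction log written after that backup. Sequence 102 appears
# twice (a retransmitted record) and the system failed while processing 104.
TRANSACTION_LOG = [
    {"seq": 101, "account": "cust-1", "amount_cents": 2500},
    {"seq": 102, "account": "cust-2", "amount_cents": 10000},
    {"seq": 102, "account": "cust-2", "amount_cents": 10000},
    {"seq": 103, "account": "cust-1", "amount_cents": -5000},
    {"seq": 104, "account": "cust-3", "amount_cents": 700},
]


def roll_forward(backup, log, stop_before=None):
    """Rebuild the ledger: start from a copy of the backup, then reapply logged
    transactions in sequence order, skipping anything the backup already contains
    (or a duplicated record) and stopping before `stop_before`, the sequence number
    that was in flight when the failure occurred. A gap in the sequence means the
    log is incomplete, so recovery stops there instead of producing a wrong ledger."""
    balances = copy.deepcopy(backup["balances"])
    last = backup["seq"]
    for entry in sorted(log, key=lambda e: e["seq"]):
        if entry["seq"] <= last:
            continue  # already in the backup, or a duplicate of an applied record
        if stop_before is not None and entry["seq"] >= stop_before:
            break
        if entry["seq"] != last + 1:
            raise ValueError(f"transaction log has a gap after seq {last}")
        balances[entry["account"]] = balances.get(entry["account"], 0) + entry["amount_cents"]
        last = entry["seq"]
    return {"seq": last, "balances": balances}


def recover_to_failure_point():
    """Restore the ledger as it stood immediately before transaction 104 failed."""
    return roll_forward(BACKUP, TRANSACTION_LOG, stop_before=104)


if __name__ == "__main__":
    print(recover_to_failure_point())
```

Because the backup is copied rather than modified, the same backup can be replayed again if the first recovery attempt is interrupted; the sequence number stored with the restored state is the point from which the next transaction log should be applied.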
Question 1 MCQ-12420
Question 2 MCQ-12421
Endurant Co. is preparing an alternative location where it can run business operations
in the event of a catastrophic loss of its main operations center. This alternative location
contains basic furniture, telephone, and network connections and computer hardware.
Because Endurant uses cloud data services for its main operations center, the computers
at the alternative location are not loaded with current versions of the information system
or the underlying data. This saves time in maintaining those systems when no disaster is
in process. According to the disaster recovery plan, systems at the alternative site will be
loaded while most personnel are on the way to the alternative center.
Which of the following best describes this type of backup location?
a. Hot site
b. Warm site
c. Cool site
d. Cold site
Question 3 MCQ-12422
Employees at ProductivMax Co. are generally only allowed access to intranet sites, specific
company-approved Web pages, and applications hosted within the company's network.
Employees are blocked from accessing any external Internet site unless they submit
a written request to the IT department for review and approval. Once the request is
approved, other employees may access the approved sites. ProductivMax has never had a
data breach; however, employees complain that the policies are too restrictive.
Which of the following best describes the security technology used by ProductivMax?
a. Solid-state communications network
b. Default-allow firewall
c. Default-deny firewall
d. End-to-end encryption
Question 4 MCQ-12423
Which of the following is not a viable strategy that management can use to manage risk at
a company?
a. Management can avoid the risk.
b. Management can monitor the risk.
c. Management can reduce the risk.
d. Management can share the risk.
Question 5 MCQ-12424
UNIT 5
Unit 5, Module 1
1. MCQ-12416
Choice "c" is correct. The external auditor provides credibility to the financial statements. The
auditors, as a group independent of management, provide an objective view and can report on
a company's activities without bias or conflict of interest. To report on the financial statements,
the auditor must maintain professional skepticism, comply with ethical requirements, exercise
professional judgment throughout the planning and performance of the audit, and comply with
generally accepted auditing standards, which includes planning and performing an audit that
obtains sufficient and appropriate audit evidence.
The auditor's report on the financial statements includes an opinion on whether the financial
statements are presented fairly in accordance with the applicable financial reporting framework.
Choice "a" is incorrect. The external auditor provides reasonable, not absolute, assurance on the
fairness of the financial statements.
Choice "b" is incorrect. The external auditor should comply with GAAS and must remain
objective and independent of the client. Authorizing transactions on behalf of the client would
impair the auditor's independence.
Choice "d" is incorrect. Management, not the auditor, is responsible for the design,
implementation, and maintenance of internal control relevant to the preparation and fair
presentation of financial statements.
2. MCQ-12417
Choice "d" is correct. An auditor is responsible for issuing an opinion on the fairness of the
financial statements. The auditor can issue an unmodified, qualified, adverse, or disclaimer
opinion. The auditor will render an unmodified opinion when the financial statements are
presented fairly, in all material respects, in accordance with the financial reporting framework.
The auditor's report is modified when the auditor concludes the financial statements as a whole
are materially misstated or the auditor is unable to obtain sufficient audit evidence to conclude
that the financial statements as a whole are free from material misstatement. Qualified, adverse,
and disclaimers are modified opinions.
An auditor most likely will render an adverse opinion when the financial statements are
materially and pervasively misstated due to a departure from the applicable financial
reporting framework.
Choice "a" is incorrect. The auditor will render an unmodified opinion when the financial
statements are presented fairly, in all material respects, in accordance with the financial
reporting framework.
Choice "b" is incorrect. A qualified opinion is issued either when the financial statements are
materially (but not pervasively) misstated or when the auditor is unable to obtain sufficient
appropriate audit evidence on which to base an opinion and the auditor concludes that the
possible effects of any undetected misstatements are material but not pervasive.
Choice "c" is incorrect. A disclaimer of opinion is rendered when the auditor is unable to obtain
sufficient appropriate audit evidence on which to base an opinion and the auditor concludes
that the possible effects of any undetected misstatements could be both material and pervasive.
3. MCQ-12418
Choice "b" is correct. The board of directors is elected by shareholders and directors have a
fiduciary duty to act in the best interest of shareholders. The board of directors has the highest
governing authority in a corporation and is responsible for overseeing the organization's
activities. Board members meet periodically to discuss and vote on strategic decisions of
the entity. The board of directors' responsibilities also include overseeing the obligations of
an entity, including accurate financial reporting and disclosure. Among the specific duties
of directors are the election, removal, and supervision of officers; adoption, amendment,
and repeal of bylaws; declaring dividends; determining officer compensation; and initiating
fundamental changes to the corporation's structure.
The board of directors is unlikely to be responsible for determining the policies and procedures
related to the day-to-day operations of a company. The board elects officers, who have the
responsibility to oversee the day-to-day operations of the company. Officers then hire managers
to help them with the day-to-day operations.
Choice "a" is incorrect. The board of directors' responsibilities include declaring dividends.
Choice "c" is incorrect. The board of directors' responsibilities include initiating fundamental
changes to the corporation's structure.
Choice "d" is incorrect. The board of directors' responsibilities include electing officers.
Unit 5, Module 2
1. MCQ-12420
Choice "b" is correct. Phishing attacks have been the most common form of cyberattack for
many years because an employee is often an easier target than a system. After gaining access,
an attacker can steal, alter, or destroy data or systems files to achieve a goal.
A situation in which an outside attacker claims to be a trusted source and asks for private
information that will enable the attacker to gain access is called a phishing attack. Any employee
who responds to such an e-mail unwittingly gives a password to an outsider who intends to
harm the company.
Choice "a" is incorrect. Passwords are intended to be secret and never shared. Employees
should never e-mail a list of their passwords to anyone, including the IT department.
Choice "c" is incorrect. A Trojan horse is malware hidden within an attachment, and when
an individual opens an innocent-looking image or link, the malware is installed on the
victim's computer.
Choice "d" is incorrect. A virus is a self-replicating, invasive computer program that gives an
attacker access to the computer or system.
2. MCQ-12421
Choice "b" is correct. When disaster strikes, it is crucial that computer programs and data are
current to within a day in order to switch seamlessly to a new operations site. A hot site requires
the work to keep both programs and data current, which often means that the hot backup site
must have its own permanent employees to handle daily integration of updates to the computers
there (operations resume within minutes). A warm site would take longer to become operational
during a disaster than a hot site, because the data and the system are not maintained, but other
assets are there and the site could be up and running fairly quickly (operations resume in hours).
A cold site does neither, opting to purchase hardware and load software only in the event they are
needed. A cold site is therefore the least expensive and the least immediately useful (operations
resume in one to three days).
A warm site is one where computer hardware and networking infrastructure are present, but the
most current version of the information system and/or the most current data is not present.
This is the compromise position between hot and cold sites.
Choice "a" is incorrect. This facility does not have the most current software and data ready in
anticipation of a disaster. It is not immediately ready for use and is not a hot site.
Choice "c" is incorrect. The term cool site is not used in business continuity planning.
Choice "d" is incorrect. This facility is equipped with computers and networking, which a cold site
would lack.
3. MCQ-12422
Choice "c" is correct. A firewall is a software program that selectively denies or allows access
into or out of the company's network. Firewalls can be configured to the specifications of the
IT department to block or deny traffic into or out of the network based on the IP address of
the outside party. This can be used to exclude individuals, regions or nations, or topics such as
gaming or adult content.
In the situation described, this firewall appears to be set up to deny all traffic by default and to
only allow traffic that is specifically permitted. This method can be safer than default-allow, but
there is the necessary initial setup period in which every site that employees legitimately need to
access must be identified and recorded.
Choice "a" is incorrect. Solid-state communications refer to the use of uninterrupted wire
or cable-based transmissions, avoiding any use of wireless networks, the Internet, or other
networks not owned by the company. Solid-state communications are highly secure and highly
expensive, and their use would result in a different use case than ProductivMax's.
Choice "b" is incorrect. This situation does describe a firewall; however, a default-allow firewall
would allow ProductivMax's employees to visit any site except for those sites specifically
excluded by IT. Default-allow firewalls have more problems with viruses and other cyberattacks
because under this policy IT typically updates the firewall to block a site only after the company
has already experienced a negative event involving it.
Choice "d" is incorrect. End-to-end encryption means that the data is encrypted before leaving
the communication source, using the company's own encryption standard, and is only decrypted
after it arrives at its destination, no matter how many different networks it passes through
from source to destination. End-to-end encryption would not affect the employees' use
of the Internet.
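To make the default-deny versus default-allow distinction concrete, here is an added Python model of both policies applied to the same outbound requests. It is example code, not part of the Becker text; the `EgressPolicy` class, the `corp.example` internal domain, the `approve` method and the four sample URLs are constructed assumptions. The instructive case is the site IT has never reviewed: default-allow lets it through, while default-deny blocks it until an approval is recorded, which is the setup cost the answer above refers to.

```python
"""Default-deny versus default-allow egress policy, modelled in a few lines.
Added example, not from the Becker text; the policy class, hostnames and
requests below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "corp.example"  # constructed: the company's own network


def _in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


@dataclass
class EgressPolicy:
    """A web filter that decides whether an outbound request is permitted.

    default_allow=True  : everything passes except hosts on the denylist
                          (IT blocks a site after a bad experience with it).
    default_allow=False : nothing passes except hosts on the allowlist
                          (a site is reachable only after IT reviews and
                          approves a request for it).
    """
    default_allow: bool
    allowlist: Set[str] = field(default_factory=set)
    denylist: Set[str] = field(default_factory=set)

    def permits(self, url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower()
        if _in_domain(host, INTERNAL_DOMAIN):
            return True  # intranet and internally hosted apps are always reachable
        if self.default_allow:
            return not any(_in_domain(host, d) for d in self.denylist)
        return any(_in_domain(host, d) for d in self.allowlist)

    def approve(self, host: str) -> None:
        """Record an IT-approved external site (only meaningful under default-deny)."""
        self.allowlist.add(host.lower())


def evaluate(policy: EgressPolicy, urls: Iterable[str]) -> Dict[str, bool]:
    """Map each URL to the policy's allow/deny decision."""
    return {url: policy.permits(url) for url in urls}


# Constructed sample: one policy of each kind, and four representative requests.
DEFAULT_DENY = EgressPolicy(default_allow=False, allowlist={"vendor.example"})
DEFAULT_ALLOW = EgressPolicy(default_allow=True, denylist={"known-bad.example"})
REQUESTS = [
    "https://intranet.corp.example/hr",    # internal
    "https://vendor.example/portal",       # external site IT approved earlier
    "https://new-unknown.example/",        # never reviewed by IT
    "https://known-bad.example/download",  # blocked after a past incident
]

if __name__ == "__main__":
    for name, policy in (("default-deny", DEFAULT_DENY), ("default-allow", DEFAULT_ALLOW)):
        print(name, evaluate(policy, REQUESTS))
```

Under default-deny, calling `DEFAULT_DENY.approve("new-unknown.example")` is the step that corresponds to IT approving a written request; until then the site is unreachable, whereas the default-allow policy reaches it from day one.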
4. MCQ-12423
Choice "b" is correct. Control risk is the possibility that one or more internal controls will
fail, causing the entity to not attain one or more of its objectives. Management has several
alternatives that are available to manage risk: avoiding the risk, reducing the risk, sharing the
risk, or accepting the risk.
Monitoring risk is not a risk strategy but a process of determining how the risk management
strategy is working at a company.
Choice "a" is incorrect. Avoiding the risk is a risk management strategy whereby management
removes the risk entirely.
Choice "c" is incorrect. Reducing the risk is a risk management strategy whereby management
allocates resources to drop the risk to an acceptable level.
Choice "d" is incorrect. Sharing the risk is a risk management strategy whereby management
outsources an activity associated with the risk or purchases insurance.
5. MCQ-12424
Choice "d" is correct. Functional responsibilities should be segregated by job function, person, or
department to prevent errors or fraud or both.
The following four categories of functional responsibilities should be segregated:
• Authorization: The process of reviewing and approving transactions.
• Record keeping: The process of creating and maintaining the books and records related to
revenues, expenditures, inventory, and personnel transactions.
• Custody of assets: Access to or control over cash, checks, and any physical asset.
• Reconciliation: The process of verifying the transactions processed in the record-keeping
function. Reconciliation will ensure all transactions are valid, properly authorized, and
properly recorded.
Choice "a" is incorrect. Although authorization, record keeping, and custody of assets are three
of the four categories of functional responsibilities that should be segregated within a company,
verification is not.
Choice "b" is incorrect. Although reconciliation and custody of assets are two of the four
categories of functional responsibilities that should be segregated within a company, verification
and monitoring are not.
Choice "c" is incorrect. Although record keeping, custody of assets, and reconciliation are three
of the four categories of functional responsibilities that should be segregated within a company,
authorization is not.
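The four categories in the answer above lend themselves to a mechanical check of who holds what. The following Python is an added example, not code from the Becker text: it takes a constructed role catalogue and user-to-role assignment and reports every user who holds two or more of the four incompatible duties, plus any role that bundles two of them by design. The role and user names, and the rule that any two of the four duties held by one person is a conflict, are assumptions made for the example.

```python
"""Detecting segregation-of-duties conflicts in user and role assignments,
using the four functional categories from the text.  Added example, not from
the Becker text; the role catalogue and user list are constructed assumptions."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# The four categories that should not be held by the same person.
DUTIES = {"authorization", "record_keeping", "custody", "reconciliation"}

# Constructed: which functional responsibility each system role grants.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_approver": {"authorization"},
    "ap_clerk": {"record_keeping"},
    "cashier": {"custody"},
    "bank_rec": {"reconciliation"},
    "ap_admin": {"authorization", "record_keeping"},  # bundles two categories
}

# Constructed: the roles currently assigned to each user.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_approver"},
    "bob": {"ap_clerk", "cashier"},  # records transactions and holds the cash
    "carol": {"bank_rec"},
    "dave": {"ap_admin"},            # one role already combines two duties
}

Pair = Tuple[str, str]


def duties_of(roles: Set[str], role_duties: Dict[str, Set[str]]) -> Set[str]:
    """Union of the duties granted by a set of roles.  Unknown roles or duties
    are errors rather than silently ignored: a missing catalogue entry would
    hide a conflict instead of reporting it."""
    duties: Set[str] = set()
    for role in roles:
        if role not in role_duties:
            raise KeyError(f"role {role!r} is not in the role catalogue")
        unknown = role_duties[role] - DUTIES
        if unknown:
            raise ValueError(f"role {role!r} names unknown duties {sorted(unknown)}")
        duties |= role_duties[role]
    return duties


def sod_conflicts(user_roles: Dict[str, Set[str]],
                  role_duties: Dict[str, Set[str]]) -> Dict[str, List[Pair]]:
    """Return, per user, every pair of incompatible duties that user holds.
    Users with no conflict are omitted from the result."""
    findings: Dict[str, List[Pair]] = {}
    for user, roles in user_roles.items():
        held = duties_of(roles, role_duties)
        pairs = list(combinations(sorted(held), 2))
        if pairs:
            findings[user] = pairs
    return findings


def conflicting_roles(role_duties: Dict[str, Set[str]]) -> Set[str]:
    """Roles that cannot be granted to anyone without creating a conflict,
    which is a design problem in the catalogue rather than in an assignment."""
    return {role for role, duties in role_duties.items() if len(duties & DUTIES) > 1}


if __name__ == "__main__":
    print("roles that bundle duties:", sorted(conflicting_roles(ROLE_DUTIES)))
    for user, pairs in sod_conflicts(USER_ROLES, ROLE_DUTIES).items():
        print(f"{user}: {pairs}")
```

The two checks answer different questions: `conflicting_roles` flags a catalogue entry that can never be assigned safely, while `sod_conflicts` catches the more common case of individually clean roles accumulating on one person over time.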