Exam 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control


As described in COSO, elements of a control environment might include the following:

(Multiple Choice)
4.8/5
(37)

COSO's ______________________________ sets the tone of the organization, influencing the control consciousness of its people.

(Short Answer)
4.9/5
(36)

Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of:

(Multiple Choice)
4.8/5
(40)

Establishing and maintaining a viable internal control system is the responsibility of management.

(True/False)
4.9/5
(44)

______________________________ is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.

(Short Answer)
4.9/5
(40)

Listed below are 8 descriptions of sections of the Sarbanes-Oxley Act of 2002 (SOX) followed by the names of 8 sections of SOX. Required: On the blank line next to the numbered section description enter a letter of the corresponding section name.

(Essay)
4.8/5
(34)

The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.

(True/False)
4.9/5
(35)

Under the Sarbanes-Oxley Act of 2002, the section on Corporate Tax Returns conveys a sense of the Senate that the corporate federal income tax returns be signed by the treasurer.

(True/False)
4.8/5
(30)

The ______________________________ states that "a fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled."

(Short Answer)
4.8/5
(29)

The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.

(True/False)
4.9/5
(39)

Management selects risk ______________________________ - avoiding, accepting, reducing or sharing risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

(Short Answer)
4.9/5
(41)

The section of Sarbanes-Oxley that has received the most press as companies and their auditors have struggled to comply with its requirements is ______________________________.

(Short Answer)
4.8/5
(43)

Salami slicing is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.

(True/False)
4.8/5
(45)

Management is responsible for establishing and maintaining an adequate system of internal control.

(True/False)
4.8/5
(41)

The information process control goal which relates to preventing fictitious events from being recorded is termed:

(Multiple Choice)
4.8/5
(37)

Which component of the ERM framework is best described here: Management selects whether to avoid, accept, reduce, or share risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

(Multiple Choice)
4.9/5
(33)

The CFO of Exeter Corporation is very uncomfortable with its current risk exposure related to the possibility of business disruptions. Specifically, Exeter is heavily involved with e-business and its internal information systems are tightly interlinked with its key customers' systems. The CFO has estimated that every hour of system downtime will cost the company about $5,000 in sales. The CFO and CIO have further estimated that if the system were to fail, the average downtime would be about 2 hours per incident. They have anticipated (assume with 100% annual probability) that Exeter will likely experience 10 downtime incidents in a given year due to internal computer system problems, and another 10 incidents per year due to external problems, specifically system failures with the Internet service provider (ISP). Currently, Exeter pays an annualized cost of $25,000 for redundant computer and communication systems, and another $25,000 for Internet service provider (ISP) support just to keep the total expected number of incidents to 20 per year.

Required:

a. Given the information provided thus far, how much ($) is the company's current expected gross risk?

b. A further preventative control would be to purchase and maintain more redundant computers and communication lines where possible, at an annualized cost of $30,000, which would reduce the expected number of downtimes per year to 5 per year due to internal computer system problems. What would be the dollar amount of Exeter's current residual expected risk at this point?

(Essay)
4.8/5
(37)

Who is legally responsible for establishing and maintaining an adequate system of internal control?

(Multiple Choice)
4.8/5
(30)

The control goal of ensure ______________________________ provides assurance that objects or events which were entered into the computer are reflected correctly in their respective master data.

(Short Answer)
4.7/5
(31)

The section of Sarbanes-Oxley that requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend is ______________________________.

(Short Answer)
4.9/5
(35)
Showing 101 - 120 of 161