Deck 6: Internal Control and Risk Assessment

A) The AICPA's Statement of Auditing Standard No. 78
B) COSO's Internal Control - Integrated Framework
C) Information Systems Audit and Control Foundation's COBIT
D) Institute of Internal Auditors Research Foundation's Systems Auditability and Control Report

A) A company is required to report on the effectiveness of its internal control only if the company is a bank or a thrift with assets of $150 million or more.
B) Each publicly traded company is required to report on the effectiveness of its internal control.
C) Each publicly traded and privately held company is required to report the effectiveness of its internal control.
D) A company is not required to report on its internal control, but almost every publicly traded company voluntarily reports on the effectiveness of its internal control.

A) Risk assessment
B) Information and communication
C) Monitoring
D) Internal environment

A) Internal control provides a measure of protection against erroneous or fraudulent financial reporting.
B) The external auditor is required to evaluate internal control in planning an external audit, according to generally accepted auditing standards.
C) Strong internal control can eliminate the test of controls required to be performed by the external auditor.
D) The Sarbanes-Oxley Act of 2002 requires the external auditor attest to and report on management's assessment of internal control.

A) Securities and Exchange Act
B) AICPA Professional Standards
C) Foreign Corrupt Practices Act
D) Treadway Commission

A) Quality information is required for accounting systems to operate effectively.
B) Investors, creditors, managers, and other users rely on this information.
C) The organization's reputation depends on the output of quality information.
D) External auditors insist that the information provided them be of high quality.

A) Internal rules and/or regulations with which organizations are expected to comply regarding accounting standards and preparation of financial data.
B) A process by which management gains reasonable assurance that its objectives will be achieved.
C) Procedures for input of and access to information systems used for internal analysis of an organization's short-term and long-term objectives.
D) A system of checks and balances that allows an organization to maintain control over its resources (data, systems, and all other assets).

A) Control environment, risk assessment, control activities, organizational structure, and monitoring
B) Control environment, risk assessment, integrity and ethical values, information and communication, and monitoring.
C) Control environment, risk assessment, control activities, information and communication, and monitoring
D) Control environment, risk assessment, control activities, information and communication, and human resource policies and practices

A) Human resource policies and practices, integrity and ethical values, commitment to competence, and board of directors or audit committee
B) Human resource policies and practices, integrity and ethical values, risk assessment, and organizational structure
C) Board of directors, management's philosophy and operating style, commitment to competence, and quality of information
D) Assignment of authority and responsibility, organizational structure, effective and efficient operations, and management's philosophy and operating style

A) Recommending an external auditor
B) Attesting to the fairness of the financial statements
C) Reviewing significant financial information
D) Seeing that an effective internal control is maintained

A) It recommended that every publicly traded company include a report in its annual report assessing the effectiveness of the company's internal control structure and procedures.
B) This act made it a felony to intercept electronic communications and a misdemeanor to break into electronic mail storage facilities.
C) In accordance with section 1029, "Fraud and Related Activity in Connection with Access Devices," this act made it a crime to produce or use a counterfeit access device.
D) It established provisions for record keeping and internal control for companies registered with the Securities and Exchange Commission.

A) Compliance with applicable laws and regulations
B) Effectiveness and efficiency of operations
C) Human resource policies and practices
D) Quality of information
E) Organizational strategy C

A) Its independence
B) Its superiority to management
C) Its stockholder representation
D) Its legal power to govern the corporation

A) Internal control is encouraged by several regulatory organizations, and it is required by law for publicly traded companies in an enactment in 1978 by the Cohen Commission.
B) Internal control is essential in lowering costs due to errors and irregularities in an organization by using risk assessment and risk management techniques.
C) Internal control enables management to maintain control over all its activities and it provides a measure of protection against erroneous or fraudulent financial reporting.
D) The U.S. Congress has enacted legislation requiring management of publicly-traded companies to report on the effectiveness of their internal control.

A) Effectiveness and efficiency of operations, safeguarding of assets, strategy-setting, and quality of information
B) Organizational strategies, quality of information, effectiveness and efficiency of operations, and compliance with applicable laws and regulations
C) Compliance with applicable laws and regulations, risk assessment objectives, risk response, and quality of information
D) Effectiveness and efficiency of operations, quality of information, safeguarding of assets, and organizational control

A) It recommended that every publicly traded company include a report in its annual report assessing the effectiveness of the company's internal control structure and procedures.
B) This act made it a felony to intercept electronic communications and a misdemeanor to break into electronic mail storage facilities.
C) In accordance with section 1029, "Fraud and Related Activity in Connection with Access Devices," this act made it a crime to produce or use a counterfeit access device.
D) It established provisions for record keeping and internal control for companies registered with the Securities and Exchange Commission.

A) Senior management
B) Audit committee
C) Internal auditors
D) External auditors

A) The controller
B) The treasurer
C) The CEO
D) The board of directors

A) Accurate, relative, current, and confidential (when necessary)
B) Accurate, complete, operational, and accessible
C) Accurate, confidential (when necessary), complete, and relevant
D) Accurate, explicit, internal, and confidential (when necessary)

A) Credit ratings are eroded.
B) Favorable audit opinions are received.
C) Important decisions are based on faulty data.
D) Resources are lost, wasted, or abused.

A) Organizational chart
B) Managerial decision-making framework
C) Responsibility accounting chart
D) Functional model

A) Data are produced that nobody uses or believe.
B) Management spends time dealing with unavoidable problems.
C) Public image is tarnished.
D) Critical information is unavailable when needed.

A) The ERM is primarily focused on the risk aversion of management.
B) The ERM discusses the relationship between risk and strategy-setting.
C) The ERM is an ongoing process that permeates the entire company.
D) The ERM affects strategy-setting through risk identification.

A) As costs of controls increase, costs associated with risks decrease.
B) As costs of controls increase, costs associated with risks increase.
C) As total costs increase, costs associated with risks increase.
D) As total costs decrease, costs of controls decrease.

A) Areas of responsibility
B) Limits of managerial authority
C) Lines of reporting

A) This act requires publicly-traded companies to include a report in its annual report assessing the effectiveness of the company's internal control structures/procedures.
B) This act made it a felony to intercept electronic communications and a misdemeanor to break into electronic mail storage facilities.
C) This act makes it a crime to produce or use a counterfeit access device.
D) This act established provisions for record-keeping and internal control for companies registered with the Securities and Exchange Commission.

A) Management's behavior toward other managers or personnel
B) Management's approach to external political factors
C) Management's attitude toward accounting functions
D) Management's approach to business risk

A) Estimated probable loss and the estimated frequency of occurrence
B) Effectiveness of security measures and the value of the item involved
C) Estimated frequency of occurrence and the nature of the asset
D) Seriousness of the risk and the security measures employed

A) It is a standing subcommittee of the board of directors.
B) Its main objectives are to protect against management wrongdoing and to increase public confidence in the independent auditor's opinion.
C) The committee should be composed of independent board members.
D) A, B, and C
E) B and C only D

A) When all possible controls are implemented
B) When the cost of controls equals the savings on losses from risks
C) When standard costing is used in inventory accounts
D) When no discrepancies exist between the inventory physical count and the inventory account balance

A) Should be part of enterprise governance.
B) Has historically been ignored in corporate governance matters.
C) Refers to issues surrounding technology solutions.
D) All of the above describe IT governance.

A) Appointing and overseeing the external auditors
B) Directing investigations of possible fraud
C) Establishing internal control
D) Reviewing financial information

A) Computer system failure, information security breaches, errors and irregularities in transaction authorization
B) Computer fraud, errors and irregularities in transaction authorization, and internal audit fraud
C) Fraudulent financial reporting, external audit fraud, and concealment of illegal acts
D) Inadequate training, system failure, risk disclosure, and irregularities in transaction authorization

A) Risk assessment allows management to determine the extent of the internal controls required to eliminate inherent risk and to minimize control risk.
B) Risk assessment is necessary to set priorities for risks in order of frequency so the most frequently occurring risks can be eliminated in a cost effective manner.
C) As go the risks, so go the insurance premiums and costs. Risk assessment is management's primary tool to lower insurance premiums and casualty losses.
D) Risk assessment helps management set priorities and determine the organization's risk response.

A) Management philosophy and operating style
B) Human resource policies and practices
C) Job descriptions
D) Integrity and ethical values

A) To achieve the lowest possible losses associated with risks identified in the assessment process
B) To reduce risks to the minimum level possible consistent with factors of assessment involved
C) To provide "reasonable assurance" and an acceptable level of risk while achieving the lowest total cost (cost of controls added to loss from risk)
D) To establish the most comprehensive control activities possible at a reasonable cost to the organization

A) A process designed to guarantee that objectives related to organizational strategy, quality of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved.
B) A process designed to provide reasonable assurance that objectives related to organizational strategy, quality of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved.
C) A process designed to provide reasonable assurance that objectives related to ethical values and integrity, quality of reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved.
D) A process designed to guarantee that objectives related to ethical values and integrity, quality of reporting, SOX compliance, and efficiency of operations will be achieved.

A) The ERM framework replaces the COSO internal control framework.
B) Proper identification of risk can help management properly allocate resources.
C) The COSO requested the assistance of Ernst and Young for development of the ERM.
D) All of the above are true statements regarding ERM.

A) Appointing and overseeing the external auditors.
B) Directing investigations of possible fraud.
C) Establishing internal control.
D) Reviewing financial information.

A) Evidential matter to use in reducing detection risk.
B) Knowledge necessary to plan the audit and related testing.
C) A basis from which to modify tests of controls.
D) Information necessary to prepare flowcharts.

A) High-level strategic goals aligned with and supporting the organization's vision or mission.
B) Effectiveness and efficiency of internal reporting.
C) Relevance of non-financial information and reporting.
D) Compliance with all laws and regulations.
E) All of these are categories of entity objectives. A

A) The director of internal auditing.
B) The chief executive officer.
C) The information systems audit manager.
D) All of these individuals are ultimately responsible for the implementation of cost-effective internal controls.

A) Only negative events that impact risk.
B) Only positive events that indicate opportunities.
C) Both positive and negative events.
D) Neither positive nor negative events.

A) The ERM framework is a process applied across the enterprise
B) The ERM framework is effected by people to allow the organization to achieve its objectives.
C) The ERM framework is applied in strategy setting to identify events and manage risk within the organization's risk appetite.
D) All of the above are concepts fundamental to the ERM framework.

A) Total cost
B) Loss area
C) Cost of controls
D) Level of assurance
E) Optimal point of reasonable assurance E

A) They include the company's opinion of the internal control system of a third-party service provider.
B) They include the results of testing of the third-party service provider's internal control system.
C) The report must cover the third-party service provider's audit period.
D) All of the above are true statements regarding the Type II SAS 70 report.

A) Rotation of a company's external auditing firms every five years.
B) Limited loans under special circumstances to executive management.
C) Attestation as to the contents of the financial statements by the CEO and CFO.
D) All of the above.

A) Responsible handling of transactions, events and decisions, to include management of mobile IT components such as laptops and PDAs.
B) Choice of public accounting firm to perform the annual audits and provide tax consulting services.
C) Management of contracts and relationships with service providers (i.e., outsourcing partners).
D) Timely and transparent disclosure of financial information and performance measures.

A) Total cost
B) Loss area
C) Cost of controls
D) Level of assurance
E) Optimal point of reasonable assurance A

A) Total cost
B) Loss area
C) Cost of controls
D) Level of assurance
E) Optimal point of reasonable assurance B

A) Total cost
B) Loss area
C) Cost of controls
D) Level of assurance
E) Optimal point of reasonable assurance D

A) The auditor engaged to examine the financial statements must report to the SEC all illegal payments.
B) A publicly-held company must establish an independent audit committee to monitor the effectiveness of a company's internal controls.
C) U.S. firms doing business abroad must report sizable payments to non-U.S. citizens to the U.S. Justice Department.
D) A company registered with the SEC must devise and maintain an adequate internal control.
E) All of these are required by the Foreign Corrupt Practices Act. E

A) Total cost
B) Loss area
C) Cost of controls
D) Level of assurance
E) Optimal point of reasonable assurance C

A) Exceptional strong internal control is enough for the auditor to eliminate substantive tests on a significant account balance.
B) Properly maintained internal control reasonably ensures that collusion among employees cannot occur.
C) The cost-benefit relationship is a primary criterion that should be considered in designing internal control.
D) The establishment and maintenance of internal control is an important responsibility of the internal auditor.
E) All of these are correct statements about internal control. C