full file at http://testbankeasy.com
Chapter 1—Auditing and Internal Control
TRUE/FALSE
1. Corporate management (including the CEO) must certify monthly and annually their organization’s
internal controls over financial reporting.
ANS: F
PTS: 1
2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal
control adequacy.
ANS: F
PTS: 1
3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal
control adequacy.
ANS: F
PTS: 1
4. A qualified opinion on management’s assessment of internal controls over the financial reporting system
necessitates a qualified opinion on the financial statements?
ANS: F
PTS: 1
5. The same internal control objectives apply to manual and computer-based information systems.
ANS: T
PTS: 1
6. The external auditor is responsible for establishing and maintaining the internal control system.
ANS: F
PTS: 1
7. Segregation of duties is an example of an internal control procedure.
ANS: T
PTS: 1
8. Preventive controls are passive techniques designed to reduce fraud.
ANS: T
PTS: 1
9. The Sarbanes-Oxley Act requires only that a firm keep good records.
ANS: F
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
10. A key modifying assumption in internal control is that the internal control system is the responsibility of
management.
11.
ANS: T
PTS: 1
While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services to their audit
clients, they are not prohibited from performing such services for non-audit clients or privately held
companies.
ANS: T
PTS: 1
12. The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external auditors.
ANS: T
PTS: 1
13. Section 404 requires that corporate management (including the CEO) certify their organization’s internal
controls on a quarterly and annual basis.
ANS: F
PTS: 1
14. Section 302 requires the management of public companies to assess and formally report on the
effectiveness of their organization’s internal controls.
ANS: F
PTS: 1
15. Application controls apply to a wide range of exposures that threaten the integrity of all programs
processed within the computer environment.
ANS: F
PTS: 1
16. IT auditing is a small part of most external and internal audits.
ANS: F
PTS: 1
17. Advisory services is an emerging field that goes beyond the auditor’s traditional attestation function.
ANS: T
PTS: 1
18. An IT auditor expresses an opinion on the fairness of the financial statements.
ANS: F
PTS: 1
19. External auditing is an independent appraisal function established within an organization to examine and
evaluate its activities as a service to the organization.
ANS: F
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
20. External auditors can cooperate with and use evidence gathered by internal audit departments that are
organizationally independent and that report to the Audit Committee of the Board of Directors.
ANS: T
PTS: 1
21. Tests of controls determine whether the database contents fairly reflect the organization's transactions.
ANS: F
PTS: 1
22. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that
are materially misstated.
ANS: T
PTS: 1
23. A strong internal control system will reduce the amount of substantive testing that must be performed.
ANS: T
PTS: 1
24. Substantive testing techniques provide information about the accuracy and completeness of an
application's processes.
ANS: F
PTS: 1
MULTIPLE CHOICE
1. The concept of reasonable assurance suggests that
a. the cost of an internal control should be less than the benefit it provides
b. a well-designed system of internal controls will detect all fraudulent activity
c. the objectives achieved by an internal control system vary depending on the data
processing method
d. the effectiveness of internal controls is a function of the industry environment
ANS: A
PTS: 1
2. Which of the following is not a limitation of the internal control system?
a. errors are made due to employee fatigue
b. fraud occurs because of collusion between two employees
c. the industry is inherently risky
d. management instructs the bookkeeper to make fraudulent journal entries
ANS: C
PTS: 1
3. The most cost-effective type of internal control is
a. preventive control
full file at http://testbankeasy.com
full file at http://testbankeasy.com
b. accounting control
c. detective control
d. corrective control
ANS: A
PTS: 1
4. Which of the following is a preventive control?
a. credit check before approving a sale on account
b. bank reconciliation
c. physical inventory count
d. comparing the accounts receivable subsidiary ledger to the control account
ANS: A
PTS: 1
5. A well-designed purchase order is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: A
PTS: 1
6. A physical inventory count is an example of a
a. preventive control
b. detective control
c. corrective control
d. Feed-forward control
ANS: B
PTS: 1
7. The bank reconciliation uncovered a transposition error in the books. This is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
ANS: B
PTS: 1
8. Which of the following is not an element of the internal control environment?
a. management philosophy and operating style
b. organizational structure of the firm
c. well-designed documents and records
d. the functioning of the board of directors and the audit committee
ANS: C
PTS: 1
9. Which of the following suggests a weakness in the internal control environment?
a. the firm has an up-to-date organizational chart
b. monthly reports comparing actual performance to budget are distributed to managers
c. performance evaluations are prepared every three years
d. the audit committee meets quarterly with the external auditors
ANS: C
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
10. Which of the following indicates a strong internal control environment?
a. the internal audit group reports to the audit committee of the board of directors
b. there is no segregation of duties between organization functions
c. there are questions about the integrity of management
d. adverse business conditions exist in the industry
ANS: A
PTS: 1
11. According to COSO, an effective accounting system performs all of the following except
a. identifies and records all valid financial transactions
b. records financial transactions in the appropriate accounting period
c. separates the duties of data entry and report generation
d. records all financial transactions promptly
ANS: C
PTS: 1
12. Which of the following is the best reason to separate duties in a manual system?
a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently
ANS: C
PTS: 1
13. Which of the following is not an internal control procedure?
a. authorization
b. management’s operating style
c. independent verification
d. accounting records
ANS: B
PTS: 1
14. The decision to extend credit beyond the normal credit limit is an example of
a. independent verification
b. authorization
c. segregation of functions
d. supervision
ANS: B
PTS: 1
15. When duties cannot be segregated, the most important internal control procedure is
a. supervision
b. independent verification
c. access controls
full file at http://testbankeasy.com
full file at http://testbankeasy.com
d. accounting records
ANS: A
PTS: 1
16. An accounting system that maintains an adequate audit trail is implementing which internal control
procedure?
a. access controls
b. segregation of functions
c. independent verification
d. accounting records
ANS: D
PTS: 1
17. The importance to the accounting profession of the Sarbanes-Oxely Act is that
a. bribery will be eliminated
b. management will not override the company’s internal controls
c. management are required to certify their internal control system
d. firms will not be exposed to lawsuits
ANS: C
PTS: 1
18. The board of directors consists entirely of personal friends of the chief executive officer. This indicates a
weakness in
a. the accounting system
b. the control environment
c. control procedures
d. this is not a weakness
ANS: B
PTS: 1
19. The office manager forgot to record in the accounting records the daily bank deposit. Which control
procedure would most likely prevent or detect this error?
a. segregation of duties
b. independent verification
c. accounting records
d. supervision
ANS: B
PTS: 1
20. Control activities under SAS 109/COSO include
a. IT Controls, preventative controls, and Corrective controls
b. physical controls, preventative controls, and corrective controls.
c. general controls, application controls, and physical controls.
d. transaction authorizations, segregation of duties, and risk assessment
ANS: C
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
21. Internal control system have limitations. These include all of the following except
a. possibility of honest error
b. circumvention
c. management override
d. stability of systems
ANS: D
PTS: 1
22. Management can expect various benefits to follow from implementing a system of strong internal control.
Which of the following benefits is least likely to occur?
a. reduced cost of an external audit.
b. prevents employee collusion to commit fraud.
c. availability of reliable data for decision-making purposes.
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.
e. some assurance that important documents and records are protected.
ANS: B
PTS: 1
23. Which of the following situations is not a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant
treasurer to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse,
selects the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off
accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent
employees.
e. The accounting clerk who shares the record keeping responsibility for the accounts
receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger
and the control account.
ANS: B
PTS: 1
24. Which concept is not an integral part of an audit?
a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
ANS: B
PTS: 1
25. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
ANS: C
PTS: 1
26. Typically, internal auditors perform all of the following tasks except
a. IT audits
full file at http://testbankeasy.com
full file at http://testbankeasy.com
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
ANS: D
PTS: 1
27. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of the organization and external auditors represent
outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on
operational audits and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS: A
PTS: 1
28. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with
financial audits
ANS: A
PTS: 1
29. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical
formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
ANS: B
PTS: 1
30. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
ANS: C
PTS: 1
31. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
ANS: D
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
32. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
ANS: A
PTS: 1
33. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
ANS: C
PTS: 1
34. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
ANS: B
PTS: 1
35. Control risk is
a. the probability that the auditor will render an unqualified opinion on financial statements
that are materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or
inadequate to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control
structure will also not be detected by the auditor
ANS: C
PTS: 1
36. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of
databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of
information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
ANS: B
PTS: 1
37. Inherent risk
full file at http://testbankeasy.com
full file at http://testbankeasy.com
a.
b.
c.
d.
exists because all control structures are flawed in some ways.
is the likelihood that material misstatements exist in the financial statements of the firm.
is associated with the unique characteristics of the business or industry of the client.
is the likelihood that the auditor will not find material misstatements.
ANS: C
PTS: 1
38. Attestation services require all of the following except
a. written assertions and a practitioner’s written report
b. the engagement is designed to conduct risk assessment of the client’s systems to verify
their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon
procedures
ANS: B
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
39. The financial statements of an organization reflect a set of management assertions about the financial
health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational
basis
ANS: B
PTS: 1
40. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to, materially
affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or
operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their
organization’s internal controls over financial reporting.
d. Management must disclose any material changes in the company’s internal controls that
have occurred during the most recent fiscal quarter.
ANS: C
PTS: 1
SHORT ANSWER
1. List the four broad objectives of the internal control system.
ANS:
safeguard assets,
ensure the accuracy and reliability of accounting records,
promote organizational efficiency,
comply with management’s policies and procedures
PTS: 1
2. Explain the purpose of the PCAOB
ANS:
The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered
accounting firms; to conduct investigations; and to take disciplinary actions.
PTS: 1
3. What are the five internal control components described in the COSO framework
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
the control environment, risk assessment, information and communication, monitoring, and control
activities
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
4. What are management responsibilities under section 302 and 404?
ANS:
Section 302 requires that corporate management (including the CEO) certify their organization’s internal
controls on a quarterly and annual basis. Section 404 requires the management of public companies to
assess and formally report on the effectiveness of their organization’s internal controls.
PTS: 1
5. Indicate whether each procedure is a preventive or detective control.
a.
authorizing a credit sale
Preventive
Detective
b.
preparing a bank reconciliation
Preventive
Detective
c.
locking the warehouse
Preventive
Detective
d.
preparing a trial balance
Preventive
Detective
e.
counting inventory
Preventive
Detective
ANS:
A. preventive; B. detective; C. preventive; D. detective; E. detective
PTS: 1
Use the internal control procedures listed below to complete statements 6 through 12.
segregation of duties
general authorization
access controls
supervision
specific authorization
accounting records
independent verification
6. A clerk reorders 250 items when the inventory falls below 25 items. This is an example of
__________________________.
ANS:
general authorization
PTS: 1
7. The internal audit department recalculates payroll for several employees each pay period. This is an
example of __________________________.
ANS:
independent verification
full file at http://testbankeasy.com
full file at http://testbankeasy.com
PTS: 1
8. Locking petty cash in a safe is an example of __________________________.
ANS:
access controls
PTS: 1
9. Approving a price reduction because goods are damaged is an example of
__________________________.
ANS:
specific authorization
PTS: 1
10. Using cameras to monitor the activities of cashiers is an example of __________________________.
ANS:
supervision
PTS: 1
11. Not permitting the computer programmer to enter the computer room is an example of
_______________________________.
ANS:
segregation of duties
PTS: 1
12. Sequentially numbering all sales invoices is an example of __________________________.
ANS:
accounting records
PTS: 1
13. Both the SEC and the PCAOB have expressed an opinion as which internal control framework an
organization should use to comply with SOX legislation. Explain.
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
Both the SEC and PCAOB endorse the COSO framework but any framework can be used that
encompasses all of the COSO’s general themes
PTS: 1
14. COSO identifies two broad groupings of information system controls. What are they?
ANS:
general; application
PTS: 1
15. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?
ANS:
The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404.
PTS: 1
16. What are the objectives of application controls?
ANS:
The objectives of application controls are to ensure the validity, completeness, and accuracy financial
transactions.
PTS: 1
17. Define general controls.
ANS:
General controls apply to all systems. They are not application specific. General controls include controls
over IT governance, the IT infrastructure, security and access to operating systems and databases,
application acquisition and development, and program changes.
PTS: 1
18. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
Section 302 requires corporate management (including the chief executive officer [CEO]) to certify
financial and other information contained in the organization’s quarterly and annual reports. The rule also
requires them to certify the internal controls over financial reporting. The certifying officers are required
to have designed internal controls, or to have caused such controls to be designed, and to provide
reasonable assurance as to the reliability of the financial reporting process. Furthermore, they must
disclose any material changes in the company’s internal controls that have occurred during the most
recent fiscal quarter.
PTS: 1
19. Explain the relationship between internal controls and substantive testing.
ANS:
The stronger the internal controls, the less substantive testing must be performed.
PTS: 1
20. Distinguish between errors and irregularities. Which do you think concern the auditors the most?
ANS:
Errors are unintentional mistakes; while irregularities are intentional misrepresentations to perpetrate a
fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable
enough to cause the financial statements to be materially misstated. Processes which involve human
actions will contain some amount of human error. Computer processes should only contain errors if the
programs are erroneous, or if systems operating procedures are not being closely and competently
followed. Errors are typically much easier to uncover than misrepresentations, thus auditors typically are
more concerned whether they have uncovered any and all irregularities.
PTS: 1
21.
Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in
declining industries are considered to have more inherent risk than firms in stable or thriving industries.
Control risk is the likelihood that the control structure is flawed because internal controls are either absent
or inadequate to prevent or detect errors in the accounts. Internal controls may be present in firms with
inherent risk, yet the financial statements may be materially misstated due to circumstances outside the
control of the firm, such as a customer with unpaid bills on the verge of bankruptcy. Detection risk is the
risk that auditors are willing to accept that errors are not detected or prevented by the control structure.
Typically, detection risk will be lower for firms with higher inherent risk and control risk.
PTS: 1
22. Contrast internal and external auditing.
ANS:
Internal auditing is an independent appraisal function established within an organization to examine and
evaluate its activities as a service to the organization. External auditing is often called "independent
auditing" because it is done by certified public accountants who are independent of the organization being
audited. This independence is necessary since the external auditors represent the interests of third-party
stakeholders such as shareholders, creditors, and government agencies.
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
23. What are the components of audit risk?
ANS:
Inherent risk is associated with the unique characteristics of the business itself; control risk is the
likelihood that the control structure is flawed because controls are absent or inadequate; and detection risk
is the risk that auditors are willing to take that errors will not be detected by the audit.
PTS: 1
24. How do the tests of controls affect substantive tests?
ANS:
Tests of controls are used by the auditor to measure the strength of the internal control structure. The
stronger the internal controls, the lower the control risk, and the less substantive testing the auditor must
do.
25.
PTS: 1
Define and contrast attestation services and advisory services.
ANS:
Attest services are engagements in which a practitioner is engaged to issue, or does issue, a written
communication that expresses a conclusion about the reliability of a written assertion that is the
responsibility of another party, e.g., the financial statements prepared by an organization.
Advisory services are professional services that are designed to improve the quality of information, both
financial and non-financial, used by decision makers. The domain of assurance services is intentionally
unbounded.
PTS: 1
ESSAY
1.
What are the key points of the section 404 of the Sarbanes-Oxley Act?
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
Section 404 requires the management of public companies to assess the effectiveness of their
organization’s internal controls. This entails providing an annual report addressing the following points:
(1) a statement of management’s responsibility for establishing and maintaining adequate internal control;
(2) an assessment of the effectiveness of the company’s internal controls over financial reporting; (3) a
statement that the organization’s external auditors have issued an attestation report on management’s
assessment of the company’s internal controls; (4) an explicit written conclusion as to the effectiveness of
internal control over financial reporting1;<ftn> and (5) a statement identifying the framework used in their
assessment of internal controls.
PTS:
1
2. Section 404 requires management to make a statement identifying the control framework used to conduct
their assessment of internal controls. Discuss the options in selecting a control framework.
ANS:
The SEC has made specific reference to the Committee of the Sponsoring Organizations of the Treadway
Commission (COSO) as a recommended control framework. Furthermore, the PCAOB’s Auditing
Standard No. 2 endorses the use of COSO as the framework for control assessment. Although other
suitable frameworks have been published, according to Standard No. 2, any framework used should
encompass all of COSO’s general themes.
PTS: 1
3. Explain how general controls impact transaction integrity and the financial reporting process.
ANS:
Consider an organization with poor database security controls. In such a situation, even data processed by
systems with adequate built in application controls may be at risk. An individual who can circumvent
database security, may then change, steal, or corrupt stored transaction data. Thus, general controls are
needed to support the functioning of application controls, and both are needed to ensure accurate financial
reporting.
PTS: 1
4. Prior to SOX, external auditors were required to be familiar with the client organization’s internal
controls, but not test them. Explain.
ANS:
Auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not
need to test them. Instead auditors could focus primarily of substantive tests. Under SOX, management is
required to make specific assertions regarding the effectiveness of internal controls. To attest to the
validity of these assertions, auditors are required to test the controls.
PTS: 1
1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
5. Does a qualified opinion on management’s assessment of internal controls over the financial reporting
system necessitate a qualified opinion on the financial statements? Explain.
ANS:
No. Auditors are permitted to simultaneously render a qualified opinion on management’s assessment of
internal controls and an unqualified opinion on the financial statements. In other words, it is technically
possible for auditors to find internal controls over financial reporting to be weak, but conclude through
substantive tests that the weaknesses did not cause the financial statements to be materially
misrepresented.
PTS: 1
6. The PCAOB’s standard No. 2 specifically requires auditors to understand transaction flows in designing
their test of controls. What steps does this entail?
ANS:
This involves:
1. Selecting the financial accounts that have material implications for financial reporting. 2. Identify the
application controls related to those accounts. 3. Identify the general that support the application controls.
The sum of these controls, both application and general, constitute the relevant internal controls over
financial reporting that need to be reviewed.
PTS: 1
7. The text describes six internal control activities. List four of them and provide a specific example of each
one.
ANS:
Control Activity
Authorization
Example
general (purchase of inventory when level drops) or specific
(credit approval beyond normal limit)
Segregation of functions
separate authorization from processing separate custody of
assets from record keeping
Supervision
required when separation of duties is not possible, such as
opening the mail (cash receipts)
Accounting records
maintain an adequate audit trail
Access controls
maintain physical security
Independent verification
bank reconciliation, physical inventory count
full file at http://testbankeasy.com
full file at http://testbankeasy.com
PTS: 1
8. Explain the purpose of the PCAOB.
ANS:
The Sarbanes-Oxley Act creates a Public Company Accounting Oversight Board (PCAOB). The
PCAOB is empowered to set auditing, quality control, and ethics standards, to inspect registered
accounting firms, to conduct investigations, and to take disciplinary actions.
PTS: 1
9. Why is an Independent Audit Committee important to a company?
ANS:
The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit
committee to hire and oversee the external auditors. This provision is consistent with many investors who
consider the board composition to be a critical investment factor. For example, Thompson Financial
survey revealed that most institutional investors want corporate boards to be comprised of at least 75% of
independent directors
PTS: 1
10. What are the key points of the “Issuer and Management Disclosure” of the Sarbanes-Oxley Act?
ANS:
1. Public companies must report all off balance-sheet transactions.
2. Annual reports filed with the SEC must include a statement by management asserting that it is
responsible for creating and maintaining adequate internal controls and asserting to the effectiveness
of those controls.
3. Officers must certify that the company’s accounts ‘fairly present’ the firms financial condition and
results of operations.
4. Knowingly filing a false certification is a criminal offence.
PTS: 1
11. In this age of high technology and computer based information systems, why are accountants concerned
about physical (human) controls?
ANS:
full file at http://testbankeasy.com
full file at http://testbankeasy.com
Virtually all systems, regardless of their sophistication, employ human activities that need to be
controlled. This class of controls relates primarily to the human activities employed in accounting
systems. These activities may be purely manual, such as the physical custody of assets, or they may
involve the use of computers to record transactions or update accounts. Physical controls do not relate to
the computer logic that actually performs these accounting tasks. Rather, they relate to the human
activities that initiate such computer logic. In other words, physical controls do not suggest an
environment in which clerks update paper accounts with pen and ink.
PTS: 1
12. Discuss the advisory services that external auditors are no longer permitted to render to audit clients
under SOX legislation.
ANS:
The Act addresses auditor independence by creating more separation between a firm’s attestation and
non-auditing activities. This is intended to specify categories of services that a public accounting firm
cannot perform for its client. These include the following nine functions:
 Bookkeeping or other services related to the accounting records or financial statements;
 Financial information systems design and implementation;
 Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
 Actuarial services;
 Internal audit outsourcing services;
 Management functions or human resources;
 Broker or dealer, investment adviser, or investment banking services;
 Legal services and expert services unrelated to the audit; and
 Any other service that the PCAOB determines is impermissible.
While the Sarbanes-Oxley Act prohibits auditors from providing the above services to their audit clients,
they are not prohibited from performing such services for non-audit clients or privately held companies.
PTS: 1
13. Internal control in a computerized environment can be divided into two broad categories. What are they?
Explain each.
ANS:
Internal controls can be divided into two broad categories. General controls apply to all or most of a
system to minimize exposures that threaten the integrity of the applications being processed. These
include operating system controls, data management controls, organizational structure controls, system
development controls, system maintenance controls, computer center security, Internet and Intranet
controls, EDI controls, and PC controls. Application controls focus on exposures related to specific parts
of the system: payroll, accounts receivable, etc.
PTS: 1
full file at http://testbankeasy.com
full file at http://testbankeasy.com
14. Define the management assertions of: existence or occurrence, completeness, rights and obligations,
valuation or allocation, presentation and disclosure.
ANS:
The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet
exist and that all transactions in the income statement actually occurred.
The completeness assertion declares that no material assets, equities, or transactions have been omitted
from the financial statements.
The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by
the entity and that the liabilities reported are obligations.
The valuation or allocation assertion states that assets and equities are valued in accordance with
generally accepted accounting principles and that allocated amounts such as depreciation expense are
calculated on a systematic and rational basis.
The presentation and disclosure assertion alleges that financial statement items are correctly classified
(e.g.; long term liabilities will not mature within one year) and that footnote disclosures are adequate to
avoid misleading the users of financial statements.
PTS: 1
full file at http://testbankeasy.com
Chapter 2— Auditing IT Governance Controls
TRUE/FALSE
1. To fulfill the segregation of duties control objective, computer processing functions (like
authorization of credit and billing) are separated.
ANS: F PTS: 1
2. To ensure sound internal control, program coding and program processing should be separated.
ANS: T PTS: 1
3. Some systems professionals have unrestricted access to the organization's programs and data.
ANS: T PTS: 1
4. 44IT governance focuses on the management and assessment of strategic IT resources
ANS: T PTS: 1
5. Distributed data processing places the control IT recourses under end users.
ANS: T PTS: 1
6. An advantage of distributed data processing is that redundant tasks are greatly eliminated
ANS: F PTS: 1
7. Certain duties that are deemed incompatible in a manual system may be combined in a
computer-based information system environment.
ANS: T PTS: 1
8. To improve control and efficiency, the CBIS tasks of new systems development and program
maintenance should be performed by the same individual or group.
ANS: F PTS: 1
9. In a CBIS environment, data consolidation protects corporate data from computer fraud and
losses from disaster.
ANS: F PTS: 1
10. The database administrator should be separated from systems development.
ANS: T PTS: 1
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a
disaster.
ANS: T PTS: 1
12. RAID is the use of parallel disks that contain redundant elements of data and applications.
ANS: T PTS: 1
13. Transaction cost economics (TCE) theory suggests that firms should outsource specific
noncore IT assets
ANS: F PTS: 1
14. Commodity IT assets easily acquired in the marketplace and should be outsourced under the
core competency theory.
ANS: F PTS: 1
15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data
files.
ANS: F PTS: 1
16. A ROC usually involves two or more user organizations that buy or lease a building and
remodel it into a computer site, but without the computer and peripheral equipment.
ANS: F PTS: 1
17. Fault tolerance is the ability of the system to continue operation when part of the system fails
due to hardware failure, application program error, or operator error.
ANS: T PTS: 1
18. An often-cited benefit of IT outsourcing is improved core business performance.
ANS: T PTS: 1
19. Commodity IT assets include such things are network management.
ANS: T PTS: 1
20. Specific IT assets support an organization’s strategic objectives.
ANS: T PTS: 1
21. A generally accepted advantage of IT outsourcing is improved security.
ANS: F PTS: 1
22. An advantage of distributed data processing is that individual end user groups set specific IT
standards without concern for the broader corporate needs.
ANS: F PTS: 1
23. A mutual aid is the lowest cost disaster recovery option, but has shown to be effective and
low risk.
ANS: F PTS: 1
24. Critical applications should be identified and prioritized by the user departments,
accountants, and auditors.
ANS: T PTS: 1
25. A widespread natural disaster is a risk associated with a ROC.
ANS: T PTS: 1
MULTIPLE CHOICE
1. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b.
permitting computer operators unlimited access to the computer
room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
ANS: B PTS: 1
2. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A PTS: 1
3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated
ANS: D PTS: 1
4. Supervision in a computerized environment is more complex than in a manual environment for
all of the following reasons except
rapid turnover of systems professionals complicates management's
a. task of assessing the competence and honesty of prospective
employees
b.
many systems professionals have direct and unrestricted access
to the organization's programs and data
c.
rapid changes in technology make staffing the systems
environment challenging
d.
systems professionals and their supervisors work at the same
physical location
ANS: D PTS: 1
5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
ANS: B PTS: 1
6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
ANS: A PTS: 1
7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b.
allows programmers access to make unauthorized changes to
applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
ANS: B PTS: 1
8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
ANS: A PTS: 1
9. All of the following are control risks associated with the distributed data processing structure
except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
ANS: C PTS: 1
10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
ANS: B PTS: 1
11. A cold site backup approach is also known as
a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
ANS: C PTS: 1
12. The major disadvantage of an empty shell solution as a second site backup is
the host site may be unwilling to disrupt its processing needs
a. to process the critical applications of the disaster stricken
company
b.
intense competition for shell resources during a widespread
disaster
c. maintenance of excess hardware capacity
d.
the control of the shell site is an administrative drain on the
company
ANS: B PTS: 1
13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c.
the company has sole control over the administration of the
center
d.
none of the above are advantages of the recovery operations
center
ANS: B PTS: 1
14. For most companies, which of the following is the least critical application for disaster
recovery purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
ANS: A PTS: 1
15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
ANS: D PTS: 1
16. Some companies separate systems analysis from programming/program maintenance. All of
the following are control weaknesses that may occur with this organizational structure except
systems documentation is inadequate because of pressures to
a. begin coding a new program before documenting the current
program
b.
illegal lines of code are hidden among legitimate code and a
fraud is covered up for a long period of time
c.
a new systems analyst has difficulty in understanding the logic
of the program
d.
inadequate systems documentation is prepared because this
provides a sense of job security to the programmer
ANS: C PTS: 1
17. All of the following are recommended features of a fire protection system for a computer
center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations
ANS: B PTS: 1
18. All of the following tests of controls will provide evidence about the physical security of the
computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d.
observation of procedures surrounding visitor access to the
computer center
ANS: C PTS: 1
19. All of the following tests of controls will provide evidence about the adequacy of the disaster
recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
ANS: B PTS: 1
20. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance
ANS: C PTS: 1
21. The
following are examples of specific assets except
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance
ANS: D PTS: 1
22. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core
business competencies
c. Core competency theory argues that an organization should not outsource specific commodity
assets.
d. Core competency theory argues that an organization should retain certain specific noncore
assets in-house.
ANS: B PTS: 1
23. Which of the following is not true?
A. Large-scale
IT outsourcing involves transferring specific assets to a vendor
B. Specific assets, while valuable to the client, are of little value to the vendor
C. Once an organization outsources its specific assets, it may not be able to return to its preoutsource state.
D. Specific assets are of value to vendors because, once acquired, vendors can achieve
economies of scale by employing them with other clients
ANS: D PTS: 1
24. Which of the following is not true?
A.
B.
C.
D.
When management outsources their organization’s IT functions, they also outsource
responsibility for internal control.
Once a client firm has outsourced specific IT assets, its performance becomes linked to the
vendor’s performance.
IT outsourcing may affect incongruence between a firm’s IT strategic planning and its
business planning functions.
The financial justification for IT outsourcing depends upon the vendor achieving economies
of scale.
ANS: A PTS: 1
25. Which of the following is not true?
A.
B.
C.
D.
Management may outsource their organizations’ IT functions, but they cannot outsource their
management responsibilities for internal control.
section 404 requires the explicit testing of outsourced controls.
The SAS 70 report, which is prepared by the outsourcer’s auditor, attests to the adequacy of
the vendor’s internal controls.
Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II
report.
ANS: C PTS: 1
26. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
ANS: A PTS: 1
27. A disadvantage of distributed data processing is
a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.
ANS: B PTS: 1
28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards
ANS: B PTS: 1
29. Which of the following disaster recovery techniques may be least optimal in the case of a
disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial
ANS: B PTS: 1
30. Which of the following is a feature of fault tolerance control?
a. interruptible power supplies
b. RAID
c. DDP
d. MDP
ANS: B PTS: 1
31. Which of the following disaster recovery techniques is has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky
ANS: C PTS: 1
32. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers
ANS: C PTS: 1
33. Which of the following would strengthen organizational control over a large-scale data
processing center?
a. Requiring the user departments to specify the general control standards necessary for
processing transactions.
b. Requiring that requests and instructions for data processing services be submitted directly to
the computer operator in the data center.
c. Having the database administrator report to the manager of computer operations.
d. Assigning maintenance responsibility to the original system designer who best knows its logic.
ANS: A PTS: 1
34. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core
business competencies
c. Core competency theory argues that an organization should not outsource specific commodity
assets.
d. Core competency theory argues that an organization should retain certain specific non-core
assets in-house.
ANS: B PTS: 1