2 Internal Control

...

...

3. Petty cash is kept in a high traffic area, and the organization doesn't use an imprest account system.

Which of the following best describes an event that would be placed on a low impact, high likelihood area of a risk map? *
1. Employees could find a way to bypass the automated controls over Web surfing and thus waste time.
2. Computer output sits at the

2. Control is the result of proper planning, organizing and directing by management.

Which of the following best defines control? *
1. Control accomplishes objectives and goals in an accurate, timely and economical fashion.
2. Control is the result of proper planning, organizing and directing by management.
3. Controls are statements of w

4. Major improvement in competitor's product

3. Which of the following is a risk? *
1. Commitment to competence
2. Code of ethics
3. Personnel policy manual
4. Major improvement in competitor's product

2. The amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time

Which of the following refers to risk appetite? *
1. The decision to accept, avoid, reduce or share a risk
2. The amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time
3. The acceptable variation relative

2. Monitoring and learning activities

Which of the following is not a component of COSO model? *
1. Control environment
2. Monitoring and learning activities
3. Control activities
4. Risk assessment

4. Risk event

In a risk assessment process, if a control objective is to ensure employees protect their passwords, which of the following would describe an employee leaving password on a note taped to the monitor? *
1. Risk response
2. Residual risk
3. Inherent risk
4.

1. Reviewing and cancelling supporting documents when a check is issued

Which of the following controls would help prevent overpaying a vendor? *
1. Reviewing and cancelling supporting documents when a check is issued
2. Requiring the check signer to mail the check directly to the vendor
3. Reviewing the accounting distribut

1. Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor.

Which of the following describes a control weakness? *
1. Purchasing procedures are well designed and are followed unless otherwise directed by the purchasing supervisor.
2. Pre-numbered blank purchase orders are secured within the purchasing department.

4. Preparing attendance data and preparing the payroll

One payroll engagement objective is to determine whether segregation of duties is proper. Which of the following activities is incompatible? *
1. Hiring employees and authorizing changes in pay rates
2. Preparing the payroll and filing payroll tax forms
3

2. Harm to the firm's reputation

In a risk assessment process regarding the possibility of management override of controls to manipulate reported earnings, which of the following is an impact factor of such an event occurring? *
1. Management turnover levels
2. Harm to the firm's reputat

I and III only

Which of the following is true about risks and risk assessment?
(I) Risk is measured in terms of impact, probability of occurrence & duration.
(II) An organization should assume risks regardless of rewards.
(III) Risk assessment is done consistent with th

3. Employee responsibilities for reporting misconduct

Which of the following best exemplifies a "soft control" in a compliance and ethics program? *
1. A code of conduct
2. Monitoring to detect criminal conduct
3. Employee responsibilities for reporting misconduct
4. A progressive disciplinary process for et

4. Preventive

The procedure requiring preparation of a pre-listing of incoming cash receipts, with copies of the pre-list going to the cashier and to accounting is an example of which type of control? *
1. Detective
2. Directive
3. Corrective
4. Preventive

1. Policy

Which of the following is an example of a 'hard internal control'? *
1. Policy
2. Competence
3. Shared Values
4. Ethics

2. Precise, detailed quantifications of risks can needlessly complicate risk assessments

Which of the following is true of risk management techniques? *
1. Risk assessments should focus on financial hazards rather than soft issues.
2. Precise, detailed quantifications of risks can needlessly complicate risk assessments
3. Because residual ris

1. Elimination of employee fraud

When an organization has strong internal control, management can expect various benefits. The benefit least likely to occur is *
1. Elimination of employee fraud
2. Reduced cost of an external audit
3. Improvement in the reliability and integrity of infor

2. Integrity and ethical values, assignment of authority and human resource policies

Which of the following are elements included in the control environment described in the COSO internal control framework? *
1. Risk assessment, assignment of responsibility and human resource practices
2. Integrity and ethical values, assignment of author

4. Assignment of responsibility for deviations

Which of the following is not implied by the definition of control? *
1. Indication of the need for corrective action
2. Measurement of progress toward goals
3. Uncovering of deviation from plans
4. Assignment of responsibility for deviations

2. Risk assessment, risk mitigation and risk monitoring

Risk management is a combination of the following: *
1. Risk assessment, risk tolerance and risk transfer
2. Risk assessment, risk mitigation and risk monitoring
3. Risk assessment, fraud risks and credit risk
4. Risk assessment, control risk and strategi

4. Objective setting and event identification

Under ERM Framework, risk assessment is expanded to two additional components which are: *
1. Event identification and Monitoring
2. Risk assessment and objective setting
3. Monitoring activities and risk assessment
4. Objective setting and event identifi

3. Monitoring performance

Management has a role in the maintenance of control. In fact, management sometimes is a control. Which of the following involves managerial functions as a control? *
1. Establishing an internal audit function.
2. Maintaining a quality assurance program.
3.

2. Implementing and monitoring controls designed by the board of directors

TCWG, management, external auditors & internal auditors all play important roles in creating proper control processes. Senior management is primarily responsible for *
1. Establishing and maintaining an organizational culture
2. Implementing and monitorin

1. Policies

Which of the 'Ps' is not part of the control concept? *
1. Policies
2. Procedures
3. People
4. Processes

2. Senior Management

Who coordinates the three lines of defense? *
1. Risk and compliance department
2. Senior Management
3. Board of directors
4. VP for Finance

4. Information and communication

Ensures that all responsible parties are informed of the new controls to ensure continued compliance. Which COSO Control Framework component is described above? *
1. Monitoring activities
2. Control activities
3. Risk assessment
4. Information and communi

1. SWOT Analysis

Which of the following is not considered an approach to Enterprise Risk Management? *
1. SWOT Analysis
2. Measurement-driven approach
3. Push-Pull approach
4. Process-control approach

2. Prevent the risk

An organization uses a risk map with impact and likelihood values to classify fraud. The classification for the theft of proprietary customer data (ex. credit cards) is high likelihood and high impact. Based on this classification, the organization should

2. Stop an undesirable event before it happens

There are 3 basic types of controls: preventive, detective & corrective. Generally speaking, preventive controls are the most effective. Which of the following is a basic and one of the primary elements of preventive control? *
1. Prompt corrective action

2. Require management review of reports on the cost of consumable items used in relation to budget

A manufacturer uses large quantities of small inexpensive items such as nuts, bolts, washers and gloves in the production process. As these goods are purchased, they are recorded in inventory in bulk amounts. Bins are located on the shop floor to provide

3. Accounting management

Which of the following groups has the primary responsibility for the establishment, implementation and monitoring of adequate controls in the posting of Accounts Receivable? *
1. Internal auditors
2. External auditors
3. Accounting management
4. Accounts

3.ISO

It is an independent, non-governmental international organization with a membership of 164 national standards bodies. *
1.COSO
2.AICPA
3.ISO
4.IIA

4.Push-Pull approach

It is an organizational approach to ERM described as: Corporate management of units or divisions tries to implement ERM throughout the organization and Individual business units adopt ERM at their own pace. *
1.Top-down view of risk management
2.Process-c

1.Strategic

The objectives of the Internal Control Framework include the following, except: *
1.Strategic
2.Operations
3.Reporting
4.Compliance

2.Risk assessment

COSO Internal Control Framework speaks of the following principles: (a) Specify objectives, (b) identify risks, (c) consider potential for fraud, and (d) identify and assess changes. *
1.Control environment
2.Risk assessment
3.Control activities
4.Informat

3.Develop awareness, expertise and alignment

The Five-Step Transition of COSO Framework & SOX compliance are presented below. Identify which is Step 1. *
1.Drive continuous improvement
2.Conduct preliminary impact assessment
3.Develop awareness, expertise and alignment
4.Facilitate broad awareness,

1.Training - mentoring

Reinforce the 'Compliance Programs' through emails, meetings, webinars, etc., or having formal mentorship programs. What issue is described above to build a "Culture of Compliance"? *
1.Training - mentoring
2.Accountability
3.Incentives
4.Continuous impro

3.Competitive pressure

Which of the following is not an organizational barrier to implementing ERM? *
1.Organizational culture
2.Unclear benefits
3.Competitive pressure
4.Organizational turf
5.Lack of tools

3.Financial risk

The risks like foreign exchange risk, commodity risk, pricing risk, asset risk and liquidity risk. *
1.Hazard risk
2.Operational risk
3.Financial risk
4.Strategic risk

Likelihood and Impact

It refers to the probability of its existence and potential consequence. *
1.Likelihood and Impact
2.Likelihood that something will go wrong
3.Occurrence and likelihood
4.Severity and Impact

2.Risk awareness

Considerations affecting risk appetite do not include *
1.Existing risk profile
2.Risk awareness
3.Risk capacity
4.Risk tolerance
5.Attitude towards risk

1. Control is the result of proper planning, organizing and directing by management.

Which of the following best defines control? *
1. Control is the result of proper planning, organizing and directing by management.
2. Controls are statements of what the organization chooses to accomplish
3. Control is provided when cost-effective measur

3. Maximize shareholder value

Which of the following goals sets risk management strategies at the optimum level? *
1. Minimize costs
2. Maximize market share
3. Maximize shareholder value
4. Minimize losses

2. Formalized even in small organizations

Risk management processes may be all of the following except *
1. Quantitative or subjective
2. Formalized even in small organizations
3. Embedded in business units or centralized
4. Formal or informal

2. Reactive

Which of the following is not a type of control? *
1. Preventive
2. Reactive
3. Detective
4. Directive

1. Control environment

Which of the following is the most accurate term for the attitudes and actions of the board and management regarding the significance of control within the organization? *
1. Control environment
2. Control processes
3. Governance processes
4. Management's

3.International Organization for Standardization

Risk is an effect of uncertainty of an event occurring which could be positive, negative or a deviation from the expected. This definition is presented by *
1.Institute of Internal Audit
2.Institute of Risk Management
3.International Organization for Stan

1.Establishing common risk language

According to COSO ERM - Integrated Framework, the chief executive officer (CEO) is usually responsible for all of the following, except *
1.Establishing common risk language
2.Providing leadership and direction to senior managers
3.Monitoring activities a

3.Risk tolerance

The elements of risk management involve the following, except: *
1.Risk assessment
2.Risk mitigation
3.Risk tolerance
4.Risk monitoring

1.Control Environment

ERM Integrated Framework expanded the Internal Control Framework. Which item below is excluded? *
1.Control Environment
2.Event Identification
3.Strategic Objectives
4.Objective Setting

3.Review & Revision

ERM Principles such as
(a) Assesses substantial change,
(b) Reviews risk & performance, and
(c) Pursues improvement in ERM, refers to . . . *
1.Governance & culture
2.Strategy & objective-setting
3.Review & Revision
4.Performance

1.Almost certain

In the Risk Model, the likelihood scale describes the following: Strong evidence suggests a high probability of occurrence in the near term, and evidence indicates that it will happen very soon. Which level of likelihood does this fall under? *
1.Almost certain
2.Likely

2.High

In the Risk Model, the impact scale describes the following: Events and problems require Board and senior management attention, and key alliances are threatened. Which level of impact does this present? *
1.Extremely high
2.High
3.Moderate
4.Low

3.Risk appetite

These are some descriptions about this type of risk:
(a) Level of risk accepted to provide value to stakeholders,
(b) guidepost to set strategy,
(c) acceptable balance between growth, risk and return, and
(d) culture characteristics. *
1.Risk tolerance
2.

2.Assess

Risk assessment can best be described in three steps. Which of the following is least likely part of it? *
1.Identify
2.Assess
3.Analyze
4.Evaluate

1.Control environment

COSO Internal Control framework has this principle: Commitment to attract, develop and retain competent individuals. Which component does this principle refer to? *
1.Control environment
2.Risk assessment
3.Control activities
4.Monitoring activities

True

Significant deficiency in internal control refers to a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of TCWG. *

False

Formalization of processes, language and cultural diversity, is considered as one of the Motivating factors under the drivers for ERM program. *

False

Strategic risk involves the following: reputational, governance, operational, financial, competitive and management practices. *

True

Risk tolerance is an acceptable variation relative to performance to the achievement of the objectives. *

True

Inherent risk is the combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists, assuming there are no internal controls in place. *

False

Effective control system should measure the performance in all areas. *

True

Standards must be accepted by those who carry them out if they are to have maximum effectiveness. *

True

Enterprise risk management deals with risks and opportunities affecting value creation or preservation. *

False

Materiality, brand damage and recovery costs are some of the factors affecting likelihood of risk. *

True

Preventive controls are designed to limit the possibility of an undesirable outcome being realized. *

True

The quality and suitability of objectives established as precondition of internal control and the realities that human judgement in decision making can be faulty are inherent limitations of internal control. *

False

Control procedures should be designed from the 'bottom-up' to ensure attention to detail. *

True

Reviewing and canceling supporting documents when a check is issued is a preventive control. *

True

Control framework defines control in terms of managing risk to objectives and outlines specific elements that help management and oversight bodies to achieve the organization's objectives. *

True

The three categories of COSO objectives are operations, reporting and compliance. *

True

Controls need to be evaluated as to their adequacy and effectiveness in achieving the objectives of the organization. *

False

Control is the management function that involves organizing activities to ensure that they're being accomplished as planned and correcting any significant deviations. *

True

The task of COSO of the Treadway Commission is to inspect, analyze, monitor and make recommendations on fraudulent corporate financial reporting

False

According to COSO Integrated Framework Principles, good risk management & internal control are necessary for long term success of specific organizations. *

True

The principle: 'Deploy control activities through policies' is an IC component under 'Monitoring Activities'. *

False

The principle: 'Select, develop and perform evaluations' is an IC component under 'Control Activities'. *

True

Preparing a contingency plan or a fallback plan during the COVID-19 pandemic is an example of Plan Risk Response. *

False

Relating ERM components and Business Model, the phase under 'Adapting' addresses Event Identification, Internal Environment, Risk Assessment and Monitoring. *

False

Are the ERM principles Analyzes business context, Defines risk, Evaluates Alternative Strategies and Formulates Business Objectives considered under "Performance"? *

False

Deficiency in internal control exists when a control is unable to prevent, detect or eradicate financial statement misstatements on a timely basis. *