
Chapter 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control

TRUE/FALSE

1. Organizational governance is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. ANS: T

2. Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives (or goals). ANS: F

3. Management is legally responsible for establishing and maintaining an adequate system of internal control. ANS: T

4. A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations. ANS: T

5. Expected gross risk is a function of the initial expected gross risk, reduced risk exposure due to controls, and cost of controls. ANS: F

6. Under the Sarbanes-Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits. ANS: F

7. Under the Sarbanes-Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports. ANS: T

8. Under the Sarbanes-Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each annual report filed with the SEC to include an internal control report. ANS: T

9. Under the Sarbanes-Oxley Act of 2002, the section on Corporate Tax Returns, Section 1001, conveys a sense of the Senate that corporate federal income tax returns be signed by the treasurer. ANS: F

10. The Sarbanes-Oxley Act of 2002 establishes legal responsibility for management to prevent fraud and other irregularities. ANS: T

11. Risks are those events that could have a negative impact on organization objectives. ANS: T

12. Opportunities are events that could have a positive impact on organization objectives. ANS: T

13. Risk assessment is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed. ANS: T

14. The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization. ANS: T

15. External directives are the policies and procedures that help ensure that management directives are carried out. ANS: F

16. Establishing a viable internal control system is the responsibility of management. ANS: T

17. Monitoring is a process that assesses the quality of internal control performance over time. ANS: T

18. The external environment is a system of integrated elements (people, structures, processes, and procedures) acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals. ANS: F

19. The control environment refers to an organization's general awareness of and commitment to the importance of control throughout the organization. ANS: T

20. A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain. ANS: T

21. PCAOB Auditing Standard No. 2 requires that auditors evaluate all controls specifically intended to address risks of fraud. ANS: T

22. According to the 2006 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by audits or internal controls than through tips. ANS: F

23. A computer crime technique called a worm involves the systematic theft of very small amounts from a number of bank or other financial accounts. ANS: F

24. A computer abuse technique called a back door involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program. ANS: T

25. A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, causes a disaster such as shutting down a system or destroying data. ANS: T

26. A salami is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data. ANS: F

27. Ethical behavior and management integrity are products of the corporate culture. ANS: T

28. The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes. ANS: F

29. The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended. ANS: F

30. Ensuring the security of resources is the control goal that seeks to provide protection against loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources. ANS: T

31. The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system. ANS: F

32. An invalid item is an object or event that is not authorized, never occurred, or is otherwise not genuine. ANS: T

33. The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system. ANS: T

34. Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process data. ANS: T

35. A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error. ANS: F

36. A batch of business events is accurately entered into the business event data, but the computer operator fails to use the data to update the master data. This type of processing error would be classified as an operational error. ANS: T

37. A corrective control plan is designed to discover problems that have occurred. ANS: F

MULTIPLE CHOICE

1. A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is:
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: C

2. A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives:
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: A

3. A manager of a manufacturing plant alters production reports to provide the corporate office with an inflated perception of the plant's cost effectiveness in an effort to keep the inefficient plant from being closed. This action would be classified as a(n):
a. risk
b. hazard
c. fraud
d. exposure
ANS: C

4. The ERM framework addresses four categories of management objectives. Which category concerns high-level goals, aligned with and supporting its mission?
a. compliance
b. operations
c. reporting
d. strategic
ANS: D

5. The ERM framework addresses four categories of management objectives. Which category addresses the effective and efficient use of resources?
a. compliance
b. operations
c. reporting
d. strategic
ANS: B

6. The ERM framework addresses four categories of management objectives. Which category ensures the reliability of the financial statements?
a. compliance
b. operations
c. reporting
d. strategic
ANS: C

7. The ERM framework addresses four categories of management objectives. Which category of objectives concerns laws and regulations?
a. compliance
b. operations
c. reporting
d. strategic
ANS: A

8. The ERM framework is comprised of eight components. Which component includes the policies and procedures established and implemented to help ensure the risk responses are effectively carried out?
a. control activities
b. event identification
c. risk assessment
d. risk response
ANS: A

9. Risk assessment is best described by:
a. Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
b. Management selects whether to avoid, accept, reduce, or share risk, developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
c. The entirety of enterprise risk management is monitored and modifications made as necessary.
d. The likelihood and impact of risks are analyzed, as a basis for determining how they should be managed.
ANS: D

10. Which component of the ERM framework is best described here: Management selects whether to avoid, accept, reduce, or share risk, developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
a. control activities
b. event identification
c. risk assessment
d. risk response
ANS: D

11. Which component of the ERM framework is best described here: Internal and external circumstances and incidents affecting achievement of an entity's objectives must be recognized, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
a. control activities
b. event identification
c. risk assessment
d. risk response
ANS: B

12. This component of the ERM framework encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values.
a. control activities
b. internal environment
c. risk assessment
d. risk response
ANS: B

13. This component of the ERM framework concerns the entirety of enterprise risk management and is accomplished through ongoing management activities, separate evaluations, or both.
a. control activities
b. monitoring
c. objective setting
d. risk response
ANS: B

14. Approvals, authorizations, verifications, reconciliations, reviews of operating performance, security procedures, and segregation of duties are examples of:
a. control activities
b. event identification
c. monitoring
d. risk response
ANS: A

15. Events that could have a negative impact on organizational objectives:
a. controls
b. embezzlement
c. fraud
d. risks
ANS: D

16. Events that could have a positive impact on organizational objectives:
a. controls
b. fraud
c. opportunities
d. profit
ANS: C

17. Who is legally responsible for establishing and maintaining an adequate system of internal control?
a. the board of directors
b. stakeholders
c. investors
d. management
ANS: D

18. The major reasons for exercising control of the organization's business processes include:
a. To provide reasonable assurance that the goals of the business are being achieved
b. To mitigate risks of fraud and other intentional and unintentional acts
c. To provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations
d. All of the above
ANS: D

19. The effect of an event's occurrence is:
a. control
b. impact
c. risk
d. opportunity
ANS: B

20. Those events that could have a positive impact on objectives:
a. controls
b. impacts
c. risks
d. opportunities
ANS: D

21. Those events that could have a negative impact on objectives:
a. controls
b. impacts
c. risks
d. opportunities
ANS: C

22. The section of Sarbanes-Oxley that establishes an independent board to oversee public company audits is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: A

23. The section of Sarbanes-Oxley that prohibits a CPA firm that audits a public company from engaging in certain non-audit services is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: B

24. The section of Sarbanes-Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: C

25. The section of Sarbanes-Oxley that requires each annual report filed with the SEC to include an internal control report is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: D

26. The section of Sarbanes-Oxley that requires financial analysts to properly disclose any investments they might hold with the companies they recommend is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Penalty Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: A

27. The section of Sarbanes-Oxley that makes it a felony to knowingly destroy, alter, or create records and/or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation, and offers legal protection to whistleblowers, is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Penalty Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: B

28. The section of Sarbanes-Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to $5,000,000 and up to 20 years imprisonment if they certify false or misleading financial statements with the SEC is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Penalty Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: C

29. The section of Sarbanes-Oxley that provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document's integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding, is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Penalty Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: D

30. Which of the following is not a requirement, according to PCAOB Auditing Standard No. 2, for Section 404 implementation?
a. Document significant processes, including the flow of transactions from initiation through recording and reporting, and related control activities.
b. Identify the key controls that are in place to address the major risks related to financial reporting.
c. Implement key controls to determine their operating efficiency.
d. Present a written assessment of the effectiveness of internal control over financial reporting.
ANS: C

31. According to PCAOB Auditing Standard No. 2 and SOX Section 404, as part of the annual audit, each company's independent auditor must assess the management report and the company's system of internal control by:
a. Documenting significant processes, including the flow of transactions from initiation through recording and reporting, and related control activities.
b. Evaluating and reporting on management's process for assessing the effectiveness of their internal controls.
c. Implementing key controls to determine their operating effectiveness.
d. All of the above.
ANS: B

32. This framework was issued in 1996 (and updated in 2005) by the Information Systems Audit and Control Association because of the influence of technology over information systems.
a. COBIT
b. COSO
c. ERM
d. All of the above.
ANS: A

33. Elements of a control environment might include the following except:
a. organization values and norms
b. management philosophy and operating style
c. means of communications
d. reward systems
ANS: C

34. ____ are the policies and procedures that help ensure that management directives are carried out.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: C

35. ____ is a process that assesses the quality of internal control performance over time.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: D

36. Which of the following statements regarding internal control systems is false?
a. Effective internal control systems provide complete assurance against the occurrence of material frauds and embezzlements.
b. Internal control systems depend largely on the competency and honesty of people.
c. Because internal control systems have a cost, management should evaluate the cost/benefit of each control plan.
d. The development of an internal control system is the responsibility of management.
ANS: A

37. ____ sets the tone of the organization, influencing the control consciousness of its people.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: A

38. According to the 2006 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by:
a. audits
b. internal controls
c. managers
d. tips
ANS: D

39. A deliberate act or untruth intended to obtain unfair or unlawful gain is a(n):
a. audit
b. embezzlement
c. fraud
d. theft
ANS: C

40. A computer abuse technique called a ____ involves inserting unauthorized code in a program, which, when activated, causes a disaster, such as shutting the system down or destroying files.
a. salami
b. trap door
c. logic bomb
d. Trojan horse
ANS: C

41. A computer abuse technique called a ____ involves a program that replicates itself on disks, in memory, or across networks.
a. worm
b. trap door
c. logic bomb
d. Trojan horse
ANS: A

42. Program code that can attach itself to other programs (including macros within word processing documents), thereby infecting those programs and macros, is a:
a. worm
b. virus
c. logic bomb
d. Trojan horse
ANS: B

43. A measure of success in meeting a set of established goals is called system:
a. effectiveness
b. monitoring
c. efficiency
d. control goals
ANS: A

44. Establishing a viable internal control system is primarily the responsibility of:
a. The external auditors
b. Management
c. The programmers
d. Government authorities
ANS: B

45. As a result of an inadequate design, a production process yields an abnormally high amount of scrapped raw material. Which control goal is being violated?
a. ensure effectiveness of operations
b. ensure efficient employment of resources
c. ensure security of resources
d. ensure input accuracy
ANS: B

46. The information system control goal which relates to preventing fictitious events from being recorded is termed:
a. ensure input validity
b. ensure input accuracy
c. ensure input completeness
d. ensure effectiveness of operations
ANS: A

47. A business event which is not properly authorized is an example of:
a. an invalid item
b. an inaccurate item
c. an incomplete item
d. an unusual item
ANS: A

48. Achieving which control goal requires that all valid objects or events are captured and entered into a system's database?
a. ensure input validity
b. ensure update accuracy
c. ensure input completeness
d. ensure update completeness
ANS: C

49. Failing to record a customer's order for the purchase of inventory violates the information system control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure input validity
d. ensure input accuracy and input validity
ANS: B

50. Discrepancies between data items recorded by a system and the underlying economic events or objects they represent are a violation of the information system control goal of:
a. ensure input validity
b. ensure input completeness
c. ensure input accuracy
d. ensure input accuracy and input validity
ANS: C

51. Assuring that the accounts receivable master data reflects all cash collections recorded in the cash receipts event data addresses the control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure update accuracy
d. ensure update completeness
ANS: D

52. Assuring that cash collections recorded in the cash receipts event data are credited to the right customer in the accounts receivable master data addresses the control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure update accuracy
d. ensure update completeness
ANS: C

53. Which of the following is a control goal for the information system for the applicable master data?
a. ensure input validity
b. ensure update accuracy
c. ensure input accuracy
d. ensure input completeness
ANS: B

54. Why is there usually no control goal called update validity?
a. Update completeness achieves update validity.
b. Input validity guarantees update validity.
c. Update accuracy guarantees update validity.
d. Input accuracy achieves update validity.
ANS: B

55. A programming error causes the sale of an inventory item to be added to the quantity on hand attribute in the inventory master data. Which control goal was not achieved?
a. ensure update completeness
b. ensure input accuracy
c. ensure update accuracy
d. ensure input completeness
ANS: C

56. The business process objectives that an internal control system is designed to achieve are:
a. control goals
b. control plans
c. general controls
d. the control matrix
ANS: A

57. These are applied to all IT service activities:
a. control goals
b. control plans
c. IT general controls
d. the control matrix
ANS: C

58. A tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans is:
a. ERM
b. control plans
c. control matrix
d. internal controls
ANS: C

59. Information processing procedures and policies that assist in accomplishing control goals are known collectively as:
a. control plans
b. control systems
c. control objectives
d. control outcomes
ANS: A

60. ____ relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process data:
a. Control procedures
b. Information processing procedures
c. Business process control plans
d. Operations system control plans
ANS: C

61. Control plans that relate to a multitude of goals and applications are called:
a. business process control plans
b. internal control systems
c. pervasive control plans
d. management control systems
ANS: C

62. A control plan requires that a manager sign his/her approval of timecards for employees in that department. This control plan is an example of:
a. a systems control
b. the control environment
c. a pervasive control plan
d. a business process control plan
ANS: D

63. Controls that stop problems from occurring are called:
a. preventive controls
b. detective controls
c. corrective controls
d. programmed controls
ANS: A

64. A control that involves reprocessing transactions that are rejected during initial processing is an example of:
a. preventive controls
b. detective controls
c. corrective controls
d. programmed controls
ANS: C

65. The programmed verification of a customer number is a ____ control.
a. preventive
b. detective
c. corrective
d. application
ANS: A

66. Which of the following business scandals involved special purpose entities to hide billions of dollars in corporate liability?
a. Enron
b. WorldCom
c. Adelphia Communications
d. Tyco
ANS: A

COMPLETION

1. ________________________________________ is a process for organizational governance. ANS: Enterprise Risk Management

2. ___________________________________ is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. ANS: Organizational governance

3. ____________________ is the possibility that an event will occur. ANS: Likelihood

4. ____________________ is a deliberate act or untruth intended to obtain unfair or unlawful gain. ANS: Fraud

5. ____________________ are those events that would have a negative impact on organization objectives. ANS: Risks

6. ____________________ are events that would have a positive impact on objectives. ANS: Opportunities

7. The _____________________________________________ Act establishes legal responsibility for management to prevent, through adequate control, fraud and other irregularities. ANS: Foreign Corrupt Practices

8. The section of Sarbanes-Oxley that establishes an independent board to oversee public company audits is _________________________________________________________________. ANS: Public Company Accounting Oversight Board, Section 101

9. The section of Sarbanes-Oxley that has received the most press as companies and their auditors have struggled to comply with its requirements is ______________________________. ANS: Section 404

10. The section of Sarbanes-Oxley that prohibits audit firms from providing a wide array of non-audit services to audit clients is ________________________________________. ANS: Auditor Independence, Section 201

11. The section of Sarbanes-Oxley that prohibits a CPA firm that audits a public company from engaging in certain non-audit services is ________________________________________. ANS: Auditor Independence, Section 201

12. The section of Sarbanes-Oxley that requires a company's CEO and CFO to certify quarterly and annual reports is _____________________________________________. ANS: Corporate Responsibility, Section 302

13. The section of Sarbanes-Oxley that requires each annual report filed with the SEC to include an internal control report is _____________________________________________. ANS: Enhanced Financial Disclosures, Section 404

14. The section of Sarbanes-Oxley that requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend is _____________________________________________. ANS: Analysis of Conflicts of Interests, Section 404

15. The section of Sarbanes-Oxley that makes it a felony to knowingly destroy, alter, or create records and/or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation, and offers legal protection to whistleblowers, is _______________________________________________________. ANS: Corporate and Criminal Fraud Accountability, Section 802

16. The section of Sarbanes-Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to $5,000,000 and up to 20 years imprisonment if they certify false or misleading financial statements with the SEC is _______________________________________________________. ANS: White Collar Crime Penalty Enhancements, Section 906

17. The section of Sarbanes-Oxley that provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document's integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding, is _______________________________________________________. ANS: Corporate Fraud and Accountability, Section 1102

18. __________________________________________________ provides guidance on how an organization's IT might affect any of COSO's five components of internal control. This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks. ANS: Statement on Auditing Standards No. 94

19. PCAOB Auditing Standard No. 2 uses ____________________ in its description of the conduct of an integrated audit under SOX 404. ANS: COSO

20. The ____________________ framework suggests that organizations and auditors should continue to use COSO as a basis for internal control. ANS: ERM

21. ______________________________ is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed. ANS: Risk assessment

22. The _________________________ sets the tone of the organization, influencing the control consciousness of its people. ANS: control environment

23. ______________________________ are the policies and procedures that help ensure that management directives are carried out. ANS: Control activities

24. Establishing a viable internal control system is the responsibility of ____________________. ANS: management

25. ____________________ is a process that assesses the quality of internal control performance over time. ANS: Monitoring

26. ____________________ is a series of actions or operations leading to a particular and usually desirable result. ANS: Process

27. ______________________________ is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. ANS: Internal control

28. The ___________________________________ refers to an organization's general awareness of and commitment to the importance of control throughout the organization. ANS: control environment

29. ______________________________ includes crime in which the computer is the target of the crime or the means used to commit the crime. ANS: Computer crime

30. A computer crime technique called ____________________ involves the systematic theft of very small amounts from a number of bank or other financial accounts. ANS: salami

31. A computer abuse technique called a ____________________ involves a program that replicates itself on disks, in memory, or across networks. ANS: worm

32. A computer abuse technique called a(n) _________________________ involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program. ANS: trap door

33. A(n) _________________________ is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, causes a disaster such as shutting down a system or destroying data. ANS: logic bomb

34. A(n) ______________________________ is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data. ANS: computer virus

35. A(n) ______________________________ is a tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans. ANS: control matrix

36. _________________________ are business process objectives that an internal control system is designed to achieve. ANS: Control goals

37. The control goal called ________________________________________ strives to ensure that a given operations system is fulfilling the purpose(s) for which it was intended. ANS: ensure effectiveness of operations

38. The control goal called _______________________________________________________ strives to ensure that a given operation is completed with a minimum of resources. ANS: ensure efficiency employment of resources

39. The control goal that seeks to provide protection against loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources is called ________________________________________.
ANS: ensure security of resources

40. The control goal of ensure input ____________________ strives to prevent fictitious items from entering an information system.
ANS: validity

41. A(n) ____________________ item is an object or event that is not authorized, never occurred, or is otherwise not genuine.
ANS: invalid

42. The control goal that is concerned with the correctness of the transaction data that are entered into a system is called ensure _________________________.
ANS: input accuracy

43. A missing data field on a source document or computer screen is an example of an error that could undermine the achievement of the control goal of ensure ______________________________.
ANS: input accuracy

44. The control goal of ensure ___________________________________ provides assurance that all valid objects or events which were entered into the computer are in turn reflected in their respective master data.
ANS: update completeness

45. The control goal of ensure ___________________________________ provides assurance that objects or events which were entered into the computer are reflected correctly in their respective master data.
ANS: update accuracy

46. The control goal of ensure input ____________________ requires that all valid objects or events are captured and entered into the computer.
ANS: completeness

47. Information policies and procedures which assist in accomplishing control goals are known as ______________________________.
ANS: control plans

48. ___________________________________ relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process data.
ANS: Business control plans

49. ______________________________ are applied to all IT service activities.
ANS: IT general controls

50. ___________________________________ are automated business process controls contained within IT application systems.
ANS: Application controls

51. Control plans that relate to a multitude of goals and applications are called ________________________________________.
ANS: pervasive control plans

52. A control plan requires that a manager sign his/her approval of timecards for employees in that department. This control plan is an example of a ________________________________________.
ANS: business process control plan

53. A batch of business events is accurately entered into the business event data, but the computer operator fails to use the data to update master data. This type of processing error would be classified as a(n) ____________________ error.
ANS: operational

54. Three terms used in the chapter to refer to when a control plan is exercised are ____________________, ____________________, and corrective control plans.
ANS: preventive, detective

55. A(n) ___________________________________ is designed to discover problems that have occurred.
ANS: detective control plan

56. A(n) ___________________________________ is designed to rectify problems that have occurred.
ANS: corrective control plan

PROBLEM

1. Below is an alphabetical list of sources with information and guidance on internal controls. The second list contains descriptions or information provided by these sources.

Required: On the blank line to the left of each numbered item, place the capital letter of the source that best matches that description. HINT: Some letters may be used more than once. Conversely, some letters may not apply at all.

Sources of Internal Control Information
A. Enterprise Risk Management Framework
B. Foreign Corrupt Practices Act
C. PCAOB Auditing Standard No. 2
D. Sarbanes-Oxley Act Section 201
E. Sarbanes-Oxley Act Section 404
F. Statement on Auditing Standards No. 94

Descriptions
_____ 1. A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.
_____ 2. This was developed to help management identify, assess and manage risk.
_____ 3. This addressed four categories of management objectives: strategic, operations, reporting and compliance.
_____ 4. This prohibits a CPA firm that audits a public company from engaging in certain nonaudit services with the same client.
_____ 5. This requires management to document significant processes, including the flow of transactions from initiation through recording and reporting, and related control activities.
_____ 6. This provides guidance on how an organization's IT might affect any of COSO's five components of internal control.
_____ 7. This requires each annual report filed with the SEC to include an internal control report.
_____ 8. This requires management to test key controls to determine their operating effectiveness.

ANS:
Description   Answer
1             B
2             A
3             A
4             D
5             C
6             F
7             E
8             C

2. Below is a list of control goals followed by a list of short scenarios describing system failures (i.e., control goals not met) and/or instances of successful control plans (i.e., plans that helped to achieve control goals).

Required: On the blank line to the left of each numbered scenario, place the capital letter of the control goal that best matches the situation described. HINT: Some letters may be used more than once. Conversely, some letters may not apply at all.

Control Goals
A. Ensure effectiveness of operations.
B. Ensure efficient employment of resources.
C. Ensure security of resources.
D. Ensure input validity.
E. Ensure input accuracy.
F. Ensure input completeness.
G. Ensure update accuracy.
H. Ensure update completeness.

SCENARIOS
_____ 1. A batch of documents sent by the mail room to the accounts receivable department was lost in the intercompany mail and never recorded.
_____ 2. A flaw in the processing logic of a computer program resulted in cash received from customers being added to their accounts receivable balances rather than subtracted.
_____ 3. A mail room clerk fabricated a phony document for a friend to make it look like the friend had paid his account receivable balance. The phony document got recorded.
_____ 4. An accounts receivable clerk made a copy of the company's accounts receivable master data and sold this customer information to a competing company.
_____ 5. Customer checks received in the mail room are batched and sent to the cashier several times a day so that they can be deposited as fast as possible.
_____ 6. In a manual bookkeeping system, an accounts receivable clerk failed to post an entire page of transactions from the cash receipts journal to the accounts receivable subsidiary ledger.
_____ 7. In a manual bookkeeping system, cash receipts recorded correctly in the cash receipts journal on December 31st were inadvertently posted to customer accounts under a date of January 1st.
_____ 8. In keying remittance advices into his computer terminal, an accounts receivable clerk entered a receipt of $200 as $2,000.
_____ 9. The cost of the people and computers needed to process incoming checks is less than the benefit obtained from the incoming funds.
_____ 10. The company's accounts receivable system was infiltrated by a hacker.

ANS:
Scenario Number   Answer
1                 F
2                 G
3                 D
4                 C
5                 A
6                 H
7                 G
8                 E
9                 B
10                C

3. Figure TB-7.1 depicts the objective setting process shown in Chapter 7 but with all labels removed.

Required: Complete Figure TB-7.1 by inserting the following labels where they belong in the model:

Box Titles
    Related objectives
    Strategy
    Mission, vision, purpose
    Strategic objectives

Box Descriptions
    e.g., to be in the top quartile of product sales for retailers of our products
    e.g., to be the leading producer of household products in the regions in which we operate
    increase production of x by 15%; hire 180 qualified new staff; maintain product quality
    e.g., expand production of our top-five selling retail products to meet increased demand

ANS: For solution, see Figure 7.1 in Chapter 7 of the text.

4. Listed below are 13 specific fraud examples taken from some well-known fraud cases: MiniScribe, ZZZZ Best Carpet Cleaning, Lesley Fay, and Equity Funding.

Required: For each fraud example, enter a letter corresponding to which information control goal was initially violated--Validity (V), Completeness (C), or Accuracy (A). Some examples might involve more than one violation. NOTE: When we say initially, we mean what control goal failure led to this example, not what is the present condition. For example, master data might contain information that is inaccurate, but it might have been an inaccurate input that initially caused the data to be inaccurate.

Fraud Examples (Scenario / Control Goal Initially Violated)
1. _____ MiniScribe: Sales were inflated by shipping disk drives that were not ordered by customers.
2. _____ MiniScribe: Sales of goods were recorded prior to the passing of title.
3. _____ MiniScribe: Some sales returns were never recorded.
4. _____ MiniScribe: Defective disk drives were included in inventory.
5. _____ MiniScribe: Auditors' workpapers were altered to inflate inventory values.
6. _____ ZZZZ Best Carpet Cleaning: Phony receivable/sales documents were created to overstate sales.
7. _____ ZZZZ Best Carpet Cleaning: Payments were recorded to fictitious vendors.
8. _____ Lesley Fay Cos.: Inventory was overstated, thereby understating cost of goods sold.
9. _____ Lesley Fay: Markdown allowances to retailers were understated or omitted.
10. _____ Lesley Fay: Suppliers' invoices were not recorded.
11. _____ Lesley Fay: Revenues and profits were inflated by recording sales entries for several days after a quarter had ended.
12. _____ Equity Funding: 63,000 bogus insurance policies were created and recorded.
13. _____ Other: A bank teller stole $1.5 million by pocketing customer deposits. He covered his theft by accessing an unsecured computer terminal and transferring funds from dormant bank accounts into the accounts of customers from whom he had received deposits.

ANS:
Scenario   Control Goal Initially Violated
1          V
2          A or V
3          C
4          V or A
5          V or A
6          V
7          V
8          V or A
9          A or C
10         C
11         A or V
12         V
13         V

5. The CFO of Exeter Corporation is very uncomfortable with its current risk exposure related to the possibility of business disruptions. Specifically, Exeter is heavily involved with e-Business and its internal information systems are tightly interlinked with its key customers' systems. The CFO has estimated that every hour of system downtime will cost the company about $5,000 in sales. The CFO and CIO have further estimated that if the system were to fail, the average downtime would be about 2 hours per incident. They have anticipated (assume with 100% annual probability) that Exeter will likely experience 10 downtime incidents in a given year due to internal computer system problems, and another 10 incidents per year due to external problems, specifically system failures with the Internet service provider (ISP). Currently, Exeter pays an annualized cost of $25,000 for redundant computer and communication systems, and another $25,000 for Internet service provider (ISP) support just to keep the total expected number of incidents to 20 per year.

Required:
a. Given the information provided thus far, how much ($) is the company's current expected gross risk?
b. A further preventive control would be to purchase and maintain more redundant computers and communication lines where possible, at an annualized cost of $30,000, which would reduce the expected number of downtimes per year due to internal computer system problems to 5 per year. What would be the dollar amount of Exeter's residual expected risk at this point?

ANS:
a. $5,000 × 2 hours = $10,000 per incident. $10,000 per incident × 20 incidents × 100% probability = $200,000 expected gross risk.
b. Expected gross risk $200,000 − (5 fewer internal incidents × $10,000) = $150,000, plus the cost of the additional computers and communication lines of $30,000 = $180,000 residual expected risk.

6. Listed below are 8 descriptions of sections of the Sarbanes-Oxley Act of 2002 (SOX) followed by the names of 8 sections of SOX.

Required: On the blank line next to the numbered section description enter the letter of the corresponding section name.

Section Descriptions
1. _____ Section makes it a felony to knowingly destroy, alter, or create records and/or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation, and provides protection for whistleblowers.
2. _____ Section prohibits a CPA firm that audits a public company from engaging in certain non-audit services with the same client.
3. _____ Corporate federal income tax returns should be signed by the CEO.
4. _____ Section requires each annual report filed with the SEC to include an internal control report.
5. _____ Section requires the company's CEO and CFO to certify quarterly and annual reports.
6. _____ Section requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend.
7. _____ Section establishes an independent board to oversee public company audits.
8. _____ Section authorizes the General Accounting Office (GAO) to study the consolidation of public accounting firms since 1989 and offer solutions to any recognized problems.

Section Titles
a. Public Company Accounting Oversight Board
b. Auditor Independence
c. Corporate Responsibility
d. Enhanced Financial Disclosures
e. Analysts' Conflicts of Interest
f. Studies and Reports
g. Corporate and Criminal Fraud Accountability
h. Corporate Tax Returns

ANS:
1. g
2. b
3. h
4. d
5. c
6. e
7. a
8. f
