
Chapter 10

Accounting Information Systems and Internal Controls

True / False Questions

1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their
auditors to assess and report on the design and effectiveness of internal control over financial
reporting annually.

True False

2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to
establish and maintain the effectiveness of internal control.

True False

3. In a computerized environment, internal controls can be categorized as general controls and
application controls.

True False

4. Internal controls guarantee the accuracy and reliability of accounting records.

True False

5. Segregation of duties reduces the risk of errors and irregularities in accounting records.

True False

6. The chief executive officer is ultimately responsible for enterprise risk management.

True False

Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount of
revenue on the company's income statement is classified as inherent risk.

True False

8. Processing controls are IT general controls.

True False

9. COBIT (Control Objectives for Information and related Technology) is a generally accepted
framework for IT governance in the U.S.

True False

10. The main objective of the ISO 27000 series is to provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving information security.

True False

11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting
Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide
independent oversight of public accounting firms.

True False

12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages
auditors to start from the basic/bottom of financial records to identify the key controls.

True False

13. Corporate governance is a set of processes and policies in managing an organization with sound
ethics to safeguard the interests of its stakeholders.

True False

14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not
an end in itself.

True False

15. A firm must establish control policies, procedures, and practices that ensure the firm's business
objectives are achieved and its risk mitigation strategies are carried out.

True False

Multiple Choice Questions

16. According to COSO, which of the following components of the enterprise risk management
addresses an entity's integrity and ethical values?

A. Information and communication


B. Internal environment.
C. Risk assessment.
D. Control activities.

17. Which of the following items is one of the eight components of COSO's enterprise risk
management framework?

A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.

18. In a large public corporation, evaluating internal control procedures should be the responsibility of:

A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operating officer.
D. Security management staff who report to the chief facilities officer.

19. Which of the following represents an inherent limitation of internal controls?

A. Bank reconciliations are not performed on a timely basis.


B. The CEO can request a check with no purchase order.
C. Customer credit check not performed.
D. Shipping documents are not matched to sales invoices.

20. Which of the following is the best way to compensate for the lack of adequate segregation of
duties in a small organization?

A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Allowing for greater management oversight of incompatible activities.

21. Review of the audit log is an example of which of the following types of security control?

A. Governance.
B. Detective.
C. Preventive.
D. Corrective.

22. Which of the following is not a component of internal control as defined by COSO?

A. Control environment.
B. Control activities.
C. Inherent risk
D. Monitoring.

23. Which of the following is considered an application input control?

A. Run control total.


B. Edit check.
C. Reporting distribution log.
D. Exception report.

24. Which of the following control activities should be taken to reduce the risk of incorrect processing
in a newly installed computerized accounting system?

A. Segregation of duties.
B. Ensure proper authorization of transactions.
C. Adequately safeguard assets.
D. Independently verify the transactions.

25. Which of the following statements is correct regarding internal control?

A. A well-designed internal control environment ensures the achievement of an entity's control
objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by
management override.
C. A well-designed and operated internal control environment should detect collusion perpetrated
by two people.
D. Internal control is a necessary business function and should be designed and operated to
detect errors and fraud.

26. Obtaining an understanding of an internal control involves evaluating the design of the control
and determining whether the control has been:

A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.

27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it
decided to relocate its production facilities. According to COSO, this decision represents which of
the following responses to the risk?

A. Risk reduction.
B. Prospect theory.
C. Risk sharing.
D. Risk acceptance.

28. Each of the following types of controls is considered to be an entity-level control, except those:

A. Relating to the control environment.


B. Pertaining to the company's risk assessment process.
C. Regarding the company's annual stockholder meeting.
D. Addressing policies over significant risk management practices

29. Controls in the information technology area are classified into preventive, detective, and corrective
categories. Which of the following is a preventive control?

A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.

30. All of the following are examples of internal control procedures except

A. Using pre-numbered documents


B. Reconciling the bank statement
C. Customer satisfaction surveys
D. Insistence that employees take vacations

31. The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related
to:

A. Accounting practice.
B. Attestation.
C. Auditing.
D. Quality control over attestation and/or assurance.

32. Which of the following most likely would not be considered as an inherent limitation of the
effectiveness of a firm's internal control?

A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.

33. According to COSO which of the following is not a component of internal control?

A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.

34. When considering internal control, an auditor should be aware of reasonable assurance, which
recognizes that

A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain
proper accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be derived.

35. Proper segregation of duties calls for separation of the following functions:

A. Authorization, execution, and payment.


B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.

36. An entity's ongoing monitoring activities often include

A. Periodic audits by the audit committee.


B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.

37. The overall attitude and awareness of a firm's top management and board of directors concerning
the importance of internal control is often reflected in its

A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.

38. Management philosophy and operating style would have a relatively less significant influence on a
firm's control environment when

A. The internal auditor reports directly to the controller.


B. Management is dominated by one individual.
C. Accurate management job descriptions delineate specific duties.
D. The audit committee does not have regular meetings.

39. Control risk should be assessed in terms of

A. Specific controls.
B. Types of potential fraud.
C. Financial statement assertions.
D. Control environment factors.

40. An auditor assesses control risk because it

A. is relevant to the auditor's understanding of the control environment.


B. provides assurance that the auditor's materiality levels are appropriate.
C. indicates to the auditor where inherent risk may be the greatest.
D. affects the level of detection risk that the auditor may accept.

41. The framework that could be used by management in its internal control assessment under
the requirements of SOX is the:

A. COSO internal framework.


B. COSO enterprise risk management framework.
C. COBIT framework.
D. All of the above are correct.

42. The internal control provisions of SOX apply to which companies in the United States?

A. All companies.
B. SEC registrants.
C. All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000
of net worth.
D. All nonissuer companies.

43. Reconciliation of cash accounts may be referred to as what type of control?

A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.

44. Sound internal control dictates that immediately upon receiving checks from customers by mail, a
responsible employee should

A. Add the checks to the daily cash summary.


B. Verify that each check is supported by a pre-numbered sales invoice.
C. Prepare a summary listing of checks received.
D. Record the checks in the cash receipts journal.

45. Tracing shipping documents to pre-numbered sales invoices provides evidence that

A. No duplicate shipments or billings occurred.


B. Shipments to customers were properly invoiced.
C. All goods ordered by customers were shipped.
D. All pre-numbered sales invoices were accounted for.

46. Which of the following input controls is a numeric value computed to provide assurance that the
original value has not been altered in construction or transmission?

A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.

47. A customer intended to order 100 units of a product A, but incorrectly ordered nonexistent
product B. Which of the following controls most likely would detect this error?

A. Validity check
B. Record count
C. Hash total
D. Parity check

48. Which of the following is an example of a validity check?

A. The computer ensures that a numerical amount in a record does not exceed some
predetermined amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the causes
of the errors are printed out.
C. The computer flags any transmission for which the control field value did not match that of an
existing file record.
D. After data for a transaction are entered, the computer sends certain data back to the terminal
for comparison with data originally sent.

49. Which of the following is a computer test made to ascertain whether a given characteristic belongs
to the group?

A. Check digit.
B. Validity check.
C. Echo check.
D. Limit check.

Essay Questions

50. Put the listed steps in the corresponding parentheses in the risk assessment and response
approach diagram below.

(A) Avoid, share or accept risk


(B) Reduce risk by implementing controls
(C) Is it cost beneficial to protect the firm from the risk?
(D) Estimate the likelihood of each risk occurring
(E) Identify control to mitigate the risk
(F) Estimate the costs and benefits from instituting controls
(G) Identify the risks
(H) Estimate the impact or potential loss, from each risk

51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public
accounting firms?

52. Describe the three categories of objectives and five essential components of the COSO 2.0
framework.

53. What are the three main functions of COSO ERM?

54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework?

55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control
environment?

56. The information system of Company ABC is deemed to be 90% reliable. A major threat has been
identified with an exposure of $5,000,000. Two control procedures exist to deal with the threat.
Implementation of control A would cost $140,000 and reduce the risk to 4%. Implementation of
control B would cost $100,000 and reduce the risk to 6%. Implementation of both controls would
cost $220,000 and reduce the risk to 2%. Given the data and based solely on an economic analysis
of costs and benefits, which control procedure should you choose?

57. Which internal control(s) would you recommend to prevent the following situations from
occurring?

a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent
account number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk
entered the same number into the system, and the payment was credited to another customer's
account.
c. After processing a large sales transaction, the inventory records showed negative quantities on
hand for several items.

Chapter 10 Accounting Information Systems and Internal Controls Answer Key

True / False Questions

1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and
their auditors to assess and report on the design and effectiveness of internal control over
financial reporting annually.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Reporting
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to
establish and maintain the effectiveness of internal control.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

3. In a computerized environment, internal controls can be categorized as general controls and
application controls.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Control and Governance Frameworks

4. Internal controls guarantee the accuracy and reliability of accounting records.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

5. Segregation of duties reduces the risk of errors and irregularities in accounting records.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

6. The chief executive officer is ultimately responsible for enterprise risk management.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount
of revenue on the company's income statement is classified as inherent risk.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

8. Processing controls are IT general controls.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

9. COBIT (Control Objectives for Information and related Technology) is a generally accepted
framework for IT governance in the U.S.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks

10. The main objective of the ISO 27000 series is to provide a model for establishing,
implementing, operating, monitoring, maintaining, and improving information security.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-04 Describe other governance frameworks related to information systems management and security.
Source: Original
Topic: Control and Governance Frameworks

11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company
Accounting Oversight Board (PCAOB) established the Securities and Exchange Commission
(SEC) to provide independent oversight of public accounting firms.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5)
encourages auditors to start from the basic/bottom of financial records to identify the key
controls.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

13. Corporate governance is a set of processes and policies in managing an organization with
sound ethics to safeguard the interests of its stakeholders.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end,
not an end in itself.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

15. A firm must establish control policies, procedures, and practices that ensure the firm's business
objectives are achieved and its risk mitigation strategies are carried out.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

Multiple Choice Questions

16. According to COSO, which of the following components of the enterprise risk management
addresses an entity's integrity and ethical values?

A. Information and communication


B. Internal environment.
C. Risk assessment.
D. Control activities.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks

17. Which of the following items is one of the eight components of COSO's enterprise risk
management framework?

A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

18. In a large public corporation, evaluating internal control procedures should be the responsibility of:

A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operating officer.
D. Security management staff who report to the chief facilities officer.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Reporting
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: CPA 2012 examination, adapted
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

19. Which of the following represents an inherent limitation of internal controls?

A. Bank reconciliations are not performed on a timely basis.


B. The CEO can request a check with no purchase order.
C. Customer credit check not performed.
D. Shipping documents are not matched to sales invoices.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks

20. Which of the following is the best way to compensate for the lack of adequate segregation of
duties in a small organization?

A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Allowing for greater management oversight of incompatible activities.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

21. Review of the audit log is an example of which of the following types of security control?

A. Governance.
B. Detective.
C. Preventive.
D. Corrective.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

22. Which of the following is not a component of internal control as defined by COSO?

A. Control environment.
B. Control activities.
C. Inherent risk
D. Monitoring.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks

23. Which of the following is considered an application input control?

A. Run control total.


B. Edit check.
C. Reporting distribution log.
D. Exception report.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2010 examination, adapted
Topic: Control and Governance Frameworks

24. Which of the following control activities should be taken to reduce the risk of incorrect
processing in a newly installed computerized accounting system?

A. Segregation of duties.
B. Ensure proper authorization of transactions.
C. Adequately safeguard assets.
D. Independently verify the transactions.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

25. Which of the following statements is correct regarding internal control?

A. A well-designed internal control environment ensures the achievement of an entity's control
objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by
management override.
C. A well-designed and operated internal control environment should detect collusion
perpetrated by two people.
D. Internal control is a necessary business function and should be designed and operated to
detect errors and fraud.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks

26. Obtaining an understanding of an internal control involves evaluating the design of the control
and determining whether the control has been:

A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it
decided to relocate its production facilities. According to COSO, this decision represents which
of the following responses to the risk?

A. Risk reduction.
B. Prospect theory.
C. Risk sharing.
D. Risk acceptance.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks

28. Each of the following types of controls is considered to be an entity-level control, except those:

A. Relating to the control environment.
B. Pertaining to the company's risk assessment process.
C. Regarding the company's annual stockholder meeting.
D. Addressing policies over significant risk management practices.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks

29. Controls in the information technology area are classified into preventive, detective, and
corrective categories. Which of the following is a preventive control?

A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks

30. All of the following are examples of internal control procedures except

A. Using pre-numbered documents
B. Reconciling the bank statement
C. Customer satisfaction surveys
D. Insistence that employees take vacations

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

31. The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards
related to:

A. Accounting practice.
B. Attestation.
C. Auditing.
D. Quality control over attestation and/or assurance.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

32. Which of the following most likely would not be considered as an inherent limitation of the
effectiveness of a firm's internal control?

A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

33. According to COSO, which of the following is not a component of internal control?

A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

34. When considering internal control, an auditor should be aware of reasonable assurance, which
recognizes that

A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain
proper accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be
derived.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

35. Proper segregation of duties calls for separation of the following functions:

A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

36. An entity's ongoing monitoring activities often include

A. Periodic audits by the audit committee.
B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

37. The overall attitude and awareness of a firm's top management and board of directors
concerning the importance of internal control is often reflected in its

A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

38. Management philosophy and operating style would have a relatively less significant influence
on a firm's control environment when

A. The internal auditor reports directly to the controller.
B. Management is dominated by one individual.
C. Accurate management job descriptions delineate specific duties.
D. The audit committee does not have regular meetings.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

39. Control risk should be assessed in terms of

A. Specific controls.
B. Types of potential fraud.
C. Financial statement assertions.
D. Control environment factors.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

40. An auditor assesses control risk because it

A. is relevant to the auditor's understanding of the control environment.
B. provides assurance that the auditor's materiality levels are appropriate.
C. indicates to the auditor where inherent risk may be the greatest.
D. affects the level of detection risk that the auditor may accept.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

41. The framework that could be used by management in its internal control assessment under
the requirements of SOX is the:

A. COSO internal framework.
B. COSO enterprise risk management framework.
C. COBIT framework.
D. All of the above are correct.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

42. The internal control provisions of SOX apply to which companies in the United States?

A. All companies.
B. SEC registrants.
C. All issuer (public) companies and nonissuer (nonpublic) companies with more than
$100,000,000 of net worth.
D. All nonissuer companies.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

43. Reconciliation of cash accounts may be referred to as what type of control?

A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

44. Sound internal control dictates that immediately upon receiving checks from customers by mail,
a responsible employee should

A. Add the checks to the daily cash summary.
B. Verify that each check is supported by a pre-numbered sales invoice.
C. Prepare a summary listing of checks received.
D. Record the checks in the cash receipts journal.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

45. Tracing shipping documents to pre-numbered sales invoices provides evidence that

A. No duplicate shipments or billings occurred.
B. Shipments to customers were properly invoiced.
C. All goods ordered by customers were shipped.
D. All pre-numbered sales invoices were accounted for.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

46. Which of the following input controls is a numeric value computed to provide assurance that
the original value has not been altered in construction or transmission?

A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

47. A customer intended to order 100 units of product A, but incorrectly ordered nonexistent
product B. Which of the following controls most likely would detect this error?

A. Validity check
B. Record count
C. Hash total
D. Parity check

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

48. Which of the following is an example of a validity check?

A. The computer ensures that a numerical amount in a record does not exceed some
predetermined amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the
causes of the errors are printed out.
C. The computer flags any transmission for which the control field value did not match that of
an existing file record.
D. After data for a transaction are entered, the computer sends certain data back to the
terminal for comparison with data originally sent.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

49. Which of the following is a computer test made to ascertain whether a given characteristic
belongs to the group?

A. Check digit.
B. Validity check.
C. Echo check.
D. Limit check.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

Essay Questions

50. Put the listed steps in the corresponding parentheses in the risk assessment and response
approach diagram below.

(A) Avoid, share or accept risk
(B) Reduce risk by implementing controls
(C) Is it cost beneficial to protect the firm from the risk?
(D) Estimate the likelihood of each risk occurring
(E) Identify control to mitigate the risk
(F) Estimate the costs and benefits from instituting controls
(G) Identify the risks
(H) Estimate the impact or potential loss, from each risk

G D H E F C A (No) B (yes)

AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public
accounting firms?

SOX requires public companies registered with the SEC and their auditors to annually assess
and report on the design and effectiveness of internal control over financial reporting.

SOX also established the Public Company Accounting Oversight Board (PCAOB) to provide
independent oversight of public accounting firms. The PCAOB issues auditing standards and
oversees quality controls of public accounting firms.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance

52. Describe the three categories of objectives and five essential components of the COSO 2.0
framework.

Objectives:

1) Operations Objectives - effectiveness and efficiency of a firm's operations on financial
performance goals and safeguarding assets.
2) Reporting Objectives - reliability of reporting, including internal and external financial and
non-financial reporting.
3) Compliance Objectives - adherence to applicable laws and regulations.

Five components of internal control:

1) Control Environment - The control environment includes management's philosophy and
operating style, integrity and ethical values of employees, organizational structure, the role of
the audit committee, proper board oversight for the development and performance of internal
control, and personnel policies and practices.
2) Risk Assessment - Risk assessment involves a dynamic process for identifying and analyzing
a firm's risks from external and internal environments.
3) Control Activities - A firm must establish control policies, procedures, and practices that
ensure the firm's objectives are achieved and risk mitigation strategies are carried out.
4) Information and Communication - Relevant information should be identified, captured, and
communicated in a form and timeframe that enables employees to carry out their duties.
5) Monitoring Activities - The design and effectiveness of internal controls should be
monitored by management and other parties outside the process on an ongoing basis.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

53. What are the three main functions of COSO ERM?

Identifies potential events that may affect the firm.
Manages risk to be within the firm's risk appetite.
Provides reasonable assurance regarding the achievement of the firm's objectives.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework?

COBIT 5.0 defines "governance" as ensuring that firm objectives are achieved by evaluating
stakeholder needs; setting direction through decision making; and monitoring performance,
compliance and progress. In most firms, the board of directors is responsible for governance.
Per COBIT 5, "management" includes planning, building, running and monitoring activities in
alignment with the direction in achieving the firm objectives.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Reporting
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks

55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control
environment?

Students' answers may vary.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

56. The information system of Company ABC is deemed to be 90% reliable. A major threat has
been identified with an exposure of $5,000,000. Two control procedures exist to deal with the
threat. Implementation of control A would cost $140,000 and reduce the risk to 4%.
Implementation of control B would cost $100,000 and reduce the risk to 6%. Implementation of
both controls would cost $220,000 and reduce the risk to 2%. Given the data and based solely
on an economic analysis of costs and benefits, which control procedure should you choose?

Estimate value of control A: 5,000,000*(10% - 4%) = $300,000 (problem states that Control A
reduces the risk TO 4%)
Estimate value of control B: 5,000,000*(10% - 6%) = $200,000 (problem states that Control A
reduced the risk TO 6%)
Estimate value of control A&B: 5,000,000*(10% - 2%) = $400,000
Benefits exceed cost of A: 300,000 - 140,000 = 160,000
Benefits exceed cost of B: 200,000 - 100,000 = 100,000
Benefits exceed cost of A&B: 400,000 - 220,000 = 180,000
Choose Control C.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making

Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks

57. Which internal control(s) would you recommend to prevent the following situations from
occurring?

a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent
account number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk
entered the same number into the system, and the payment was credited to another
customer's account.
c. After processing a large sales transaction, the inventory records showed negative quantities
on hand for several items.

a. Use Validity check for actual customer records.
b. Use Closed-loop verification when entering customers' account numbers.
c. Use sign check on quantity on hand.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO
enterprise risk management framework.
Source: Original
Topic: Control and Governance Frameworks
