Test bank of accounting information systems by Hall ch15

Chapter 15—IT Controls Part I: Sarbanes-Oxley and IT Governance

TRUE/FALSE

1 Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting

ANS: F

2 Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal control adequacy

ANS: F

3 Both the SEC and the PCAOB require management to use the COSO framework for assessing internal control adequacy

ANS: F

4 A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements

ANS: F

5 The same internal control objectives apply to manual and computer-based information systems

ANS: T

6 To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated

ANS: F

7 To ensure sound internal control, program coding and program processing should be separated

ANS: T

8 Some systems professionals have unrestricted access to the organization's programs and data

ANS: T

9 Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment

ANS: F

10 The Database Administrator should be separated from systems development

ANS: T

11 A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster

ANS: T

12 IT auditing is a small part of most external and internal audits

ANS: F

13 Assurance services is an emerging field that goes beyond the auditor’s traditional attestation function

ANS: T

14 An IT auditor expresses an opinion on the fairness of the financial statements

ANS: F

15 External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization

ANS: F

16 External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors

ANS: T

17 Tests of controls determine whether the database contents fairly reflect the organization's transactions

ANS: F

18 Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated

ANS: T

19 A strong internal control system will reduce the amount of substantive testing that must be performed

ANS: T

20 Substantive testing techniques provide information about the accuracy and completeness of an application's processes

ANS: F

MULTIPLE CHOICE

1 Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?

a Auditors must determine whether changes in internal control have, or are likely to, materially affect internal control over financial reporting

b Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit

c Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting

d Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter

ANS: C

2 Which of the following is NOT a requirement in management’s report on the effectiveness of internal controls over financial reporting?

a A statement of management’s responsibility for establishing and maintaining adequate internal control user satisfaction

b A statement that the organization’s internal auditors have issued an attestation report on management’s assessment of the company’s internal controls

c A statement identifying the framework used by management to conduct their assessment of internal controls

d An explicit written conclusion as to the effectiveness of internal control over financial reporting

ANS: B

3 In a computer-based information system, which of the following duties needs to be separated?

a program coding from program operations

b program operations from program maintenance

c program maintenance from program coding

d all of the above duties should be separated

ANS: D

4 Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except

a rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees

b many systems professionals have direct and unrestricted access to the organization's programs and data

c rapid changes in technology make staffing the systems environment challenging

d systems professionals and their supervisors work at the same physical location

ANS: D

5 Adequate backups will protect against all of the following except

a natural disasters such as fires

b unauthorized access

c data corruption caused by program errors

d system crashes

ANS: B

6 Which is the most critical segregation of duties in the centralized computer services function?

a systems development from data processing

b data operations from data librarian

c data preparation from data control

d data control from data librarian

ANS: A

7 Systems development is separated from data processing activities because failure to do so

a weakens database access security

b allows programmers access to make unauthorized changes to applications during execution

c results in inadequate documentation

d results in master files being inadvertently erased

ANS: B

8 Which organizational structure is most likely to result in good documentation procedures?

a separate systems development from systems maintenance

b separate systems analysis from application programming

c separate systems development from data processing

d separate database administrator from data processing

ANS: A

9 All of the following are control risks associated with the distributed data processing structure except

a lack of separation of duties

b system incompatibilities

c system interdependency

d lack of documentation standards

ANS: C

10 Which of the following is not an essential feature of a disaster recovery plan?

a off-site storage of backups

b computer services function

c second site backup

d critical applications identified

ANS: B

11 A second site backup agreement between two or more firms with compatible computer facilities to assist each other with data processing needs in an emergency is called

a internally provided backup

b recovery operations center

c empty shell

d mutual aid pact

ANS: D

12 The major disadvantage of an empty shell solution as a second site backup is

a the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster-stricken company

b intense competition for shell resources during a widespread disaster

c maintenance of excess hardware capacity

d the control of the shell site is an administrative drain on the company

ANS: B

13 An advantage of a recovery operations center is that

a this is an inexpensive solution

b the initial recovery period is very quick

c the company has sole control over the administration of the center

d none of the above are advantages of the recovery operations center

ANS: B

14 For most companies, which of the following is the least critical application for disaster recovery purposes?

a month-end adjustments

b accounts receivable

c accounts payable

d order entry/billing

ANS: A

15 The least important item to store off-site in case of an emergency is

a backups of systems software

b backups of application software

c documentation and blank forms

d results of the latest test of the disaster recovery program

ANS: D

16 Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except

a systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program

b illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time

c a new systems analyst has difficulty in understanding the logic of the program

d inadequate systems documentation is prepared because this provides a sense of job security to the programmer

ANS: C

17 All of the following are recommended features of a fire protection system for a computer center except

a clearly marked exits

b an elaborate water sprinkler system

c manual fire extinguishers in strategic locations

d automatic and manual alarms in strategic locations

ANS: B

18 Which concept is not an integral part of an audit?

a evaluating internal controls

b preparing financial statements

c expressing an opinion

d analyzing financial data

ANS: B

19 Which statement is not true?

a Auditors must maintain independence

b IT auditors attest to the integrity of the computer system

c IT auditing is independent of the general financial audit

d IT auditing can be performed by both external and internal auditors

ANS: C

20 Typically, internal auditors perform all of the following tasks except

a IT audits

b evaluation of operational efficiency

c review of compliance with legal obligations

d internal auditors perform all of the above tasks

ANS: D

21 The fundamental difference between internal and external auditing is that

a internal auditors represent the interests of management and external auditors represent outsiders

b internal auditors perform IT audits and external auditors perform financial statement audits

c internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits

d external auditors assist internal auditors but internal auditors cannot assist external auditors

ANS: A

22 Internal auditors assist external auditors with financial audits to

a reduce audit fees

b ensure independence

c represent the interests of management

d the statement is not true; internal auditors are not permitted to assist external auditors with financial audits

ANS: A

23 Which statement is not correct?

a Auditors gather evidence using tests of controls and substantive tests

b The most important element in determining the level of materiality is the mathematical formula

c Auditors express an opinion in their audit report

d Auditors compare evidence to established criteria

ANS: B

24 All of the following are steps in an IT audit except

a substantive testing

b tests of controls

c post-audit testing

d audit planning

ANS: C

25 When planning the audit, information is gathered by all of the following methods except

a completing questionnaires

b interviewing management

c observing activities

d confirming accounts receivable

ANS: D

26 Substantive tests include

a examining the safety deposit box for stock certificates

b reviewing systems documentation

c completing questionnaires

d observation

ANS: A

27 Tests of controls include

a confirming accounts receivable

b counting inventory

c completing questionnaires

d counting cash

ANS: C

28 All of the following are components of audit risk except

a control risk

b legal risk

c detection risk

d inherent risk

ANS: B

29 Control risk is

a the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated

b associated with the unique characteristics of the business or industry of the client

c the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts

d the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor

ANS: C

30 All of the following tests of controls will provide evidence about the physical security of the computer center except

a review of fire marshal records

b review of the test of the backup power supply

c verification of the second site backup location

d observation of procedures surrounding visitor access to the computer center

ANS: C

31 All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except

a inspection of the second site backup

b analysis of the fire detection system at the primary site

c review of the critical applications list

d composition of the disaster recovery team

ANS: B

32 Which of the following is true?

a In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system

b Conducting an audit is a systematic and logical process that applies to all forms of information systems

c Substantive tests establish whether internal controls are functioning properly

d IT auditors prepare the audit report if the system is computerized

ANS: B

33 Inherent risk

a exists because all control structures are flawed in some ways

b is the likelihood that material misstatements exist in the financial statements of the firm

c is associated with the unique characteristics of the business or industry of the client

d is the likelihood that the auditor will not find material misstatements

ANS: C

34 Attestation services require all of the following except

a written assertions and a practitioner’s written report

b the engagement is designed to conduct risk assessment of the client’s systems to verify their degree of SOX compliance

c the formal establishment of measurements criteria

d the engagement is limited to examination, review, and application of agreed-upon procedures

ANS: B

35 The financial statement of an organization reflects a set of management assertions about the financial health of the business. All of the following describe types of assertions except

a that all of the assets and equities on the balance sheet exist

b that all employees are properly trained to carry out their assigned duties

c that all transactions on the income statement actually occurred

d that all allocated amounts such as depreciation are calculated on a systematic and rational basis

ANS: B

SHORT ANSWER

1 Which of the following statements is true?

a Both the SEC and the PCAOB require the use of the COSO framework

b Both the SEC and the PCAOB require the COBIT framework

c The SEC recommends COBIT and the PCAOB recommends COSO

d Any framework can be used that encompasses all of COSO’s general themes

ANS:

Both c and d above are true

2 COSO identifies two broad groupings of information system controls. What are they?

ANS:

general; application

3 The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?

ANS:

The chapter concentrates on internal control and audit responsibilities pursuant to Sections 302 and 404

4 What control framework is recommended by the PCAOB?

ANS:

The PCAOB’s Auditing Standard No. 2 endorses the use of COSO as the framework for control assessment

5 What are the objectives of application controls?

ANS:

The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions

6 Define general controls

ANS:

General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes

7 Discuss the key features of Section 302 of the Sarbanes-Oxley Act

ANS:

Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization’s internal controls over financial reporting. The certifying officers are required to:

a have designed internal controls

b disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter

8 What are the three primary CBIS functions that must be separated?

ANS:

Programming should be separated from computer operations

Programming maintenance should be separated from new systems development

End users should be separate from systems design

9 List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated

Functions to Separate Risk Exposure

ANS:

separate systems development from data processing operations (unauthorized changes to application programs during execution)

separate database administrator from systems development (unauthorized access to database files)

separate new systems development from systems maintenance (writing fraudulent code and keeping it concealed during maintenance)

separate data library from computer operations (loss of files or erasing current files)

10 For disaster recovery purposes, what criteria are used to identify an application or data as critical?

ANS:

Critical applications and files are those that impact the short-run survival of the firm. Critical items impact cash flows, legal obligations, and customer relations

11 Describe the components of a disaster recovery plan.

ANS:

Every disaster recovery plan should:

designate a second site backup

identify critical applications

prepare backup and off-site storage procedures

create a disaster recovery team

test the disaster recovery plan

12 What is a mirrored data center?

ANS:

Duplicating programs and data onto a computer at a separate location. Mirroring is performed for backup purposes

13 Why is supervisory control more elaborate in the CBIS environment than in the manual environment?

ANS:

The required skills of systems professionals lead to high rates of turnover. Systems professionals work in areas that permit direct and unrestricted access to the organization's programs and data. Management is unable to adequately observe employees in the CBIS environment

14 What are some control implications of the distributed data processing model?

ANS:

Control issues of the DDP model include incompatibility of hardware and software purchased without coordination, redundancy of work with different units duplicating effort, incompatible duties because of consolidation in small units, difficulty acquiring qualified personnel, and lack of standards

15 What is program fraud?

ANS:

Program fraud involves making unauthorized changes to parts of a program for the purpose of committing an illegal act

16 The distributed data processing approach carries some control implications of which accountants should be aware. Discuss two

ANS:

Incompatibility of hardware and software, selected by users working independently, can result in system incompatibility that can affect communication

When individuals in different parts of the organization “do their own thing,” there can be significant redundancy between units

When user areas handle their own computer services functions, there may be a tendency to consolidate incompatible activities

Small units may lack the ability to evaluate systems professionals and to provide adequate opportunities and may therefore have difficulty acquiring qualified professionals

As the number of units handling systems tasks increases, there is an increasing chance that the systems will lack standards.

17 ________ are intentional mistakes while ________ are unintentional mistakes

Date posted: 03/08/2018, 16:56
