Share PDF

Search documents:
  Report this document  
    Download as PDF   
      Share on Facebook

Chapter 9

Introduction to Internal Control Systems

True-False Questions

1.Controls that specifically encourage operating efficiency are often called preventive controls.

2.Controls that attempt to safeguard asset resources are often called detective controls.

3.For a specific internal control to be effective, both the preventive and the detective aspect of the control must exist and be interrelated.

4.Preventive and corrective controls are established solely to discourage fraud and embezzlement by an organization's employees.

5.A good internal control system will contribute towards detecting accidental errors made by employees.

6.An organization should always attempt to implement ideal controls into its system.

7.It is normally considered good organizational design to establish the internal audit function within the accounting subsystem.

8.The introduction of a computer into an organization's data processing system will normally eliminate problems associated with following the organization's audit trail.

9.A good audit trail is an important element within a company's internal control system.

10.An audit trail problem associated with computerized data processing is that certain financial data processed by the computer may never be seen by the company's management.

11.Operational audits are performed by a company’s internal audit staff.

12.The separation of duties control would not be violated if a company's cashier was also responsible for recording cash transactions.

13.The separation of duties control does not completely eliminate the possibility of embezzlement by employees.

14.The personnel subsystem has the important function of matching job qualifications to people qualifications.

15.The COSO report failed to define internal control.

16.An effective approach for maintaining a good audit trail for cash disbursements is to utilize a voucher system with coins and currency issued for each disbursement.

17.COBIT extensively examines the internal control area.

TB 9.1

18.Risk assessment is an important component of an internal control system.

19.A company’s control environment is unimportant when developing an internal control system.

20.Timely performance reports contribute towards achieving the monitoring component of an internal control system.

21.Control activities and monitoring are one and the same.

22.The Basel Committee published a framework for the evaluation of internal control systems in banking organizations.

Multiple-Choice Questions

23.Three objectives of a company's internal control system should be safeguarding assets, checking the accuracy and reliability of accounting data, and promoting operational efficiency. A fourth objective of a company's internal control system should be:

a)Preventing embezzlement of assets

b)Encouraging adherence to prescribed managerial policies

c)Avoiding the payment of overtime to company employees

d)Revising standards for production costs on a weekly basis

24.The control environment is a component of a company's internal control system that:

a)Influences the control awareness of a company's employees

b)Stresses the development of control procedures in a company

c)Directly affects the accuracy and reliability of a company’s accounting data

d)Can be ignored when establishing a company's internal control system

25.The preventive controls within a company’s internal control system:

a)Form the foundation for all of a company's other internal control components

b)Focus on management’s philosophy and operating style

c)Ignore the risk factor associated with a company's control procedures

d)Are controls put by the management to prevent problems from occurring

26.A general rule that should be followed when developing control procedures for a company's assets is:

a)The cost of the control procedure will likely exceed the procedure's benefit

b)The procedure should not be designed and implemented unless an asset's cost exceeds $5,000

c)The more liquid an asset is, the greater the risk of its misappropriation

d)The procedure should not be designed and implemented in situations where a risk assessment has been previously performed

TB 9.2

27.Assume that a company designs and implements a control procedure whereby the accountant who is responsible for recording cash receipts transactions does not have access to the cash itself. This control procedure is an example of a:

a)Detective control

b)Preventive control

c)Corrective control

d)Feedback control

28.Control procedures that provide feedback to management regarding the achievement of operational efficiency and adherence to prescribed managerial policies are called:

a)Corrective controls

b)Preventive controls

c)Policy controls

d)Detective controls

29.Control procedures that are designed to remedy problems discovered through detective controls are called:

a)Corrective controls

b)Preventive controls

c)Before-the-fact controls

d)Management-by-exception controls

30.The maintenance of backup copies of a company's important transaction and master files is an example of a:

a)Preventive control procedure

b)Detective control procedure

c)Corrective control procedure

d)Management-by-exception control procedure

31.A control procedure that may be established within the sales department of a company's marketing subsystem is the addition of the sales invoice amounts before these invoices are sent to the information processing subsystem. This control total of invoice amounts is called a:

a)Checksum

b)Random total check

c)Redundant control amount

d)Batch control total

32.Which of the following statements is true regarding preventive control procedures and detective control procedures?

a)They should be interrelated

b)If preventive controls exist, detective controls are unnecessary

c)If detective controls exist, preventive controls are unnecessary

d)Preventive controls should be cost effective, but detective controls do not need to be cost effective

TB 9.3

33.Which of the following statements is true?

a)The COSO report failed to define internal control

b)The COSO report emphasized that an internal control system is a tool of management

c)SAS 78 rejected the definition of internal control provided in the COSO report

d)COBIT concluded that a company's management is not responsible for establishing and monitoring a company's internal control system

34.Regarding the cost-benefit concept, which of the following statements is true?

a)Every control procedure that offers benefits to a company should be implemented into the company's system

b)An optimal internal control package is developed for a company's system by implementing a standardized package of control procedures

c)A control procedure is considered cost effective if it can be determined that the cost of operating the procedure will be lower in the current period than in the previous period

d)A control procedure is considered cost effective when its anticipated benefits exceed its anticipated costs

35.An ideal control is:

a)A control procedure that reduces to practically zero the risk of an error or an irregularity taking place and not being detected

b)A control procedure that is anticipated to have the lowest possible cost in relation to its benefits

c)A control procedure that should always be implemented into a company's system due to the efficiency and effectiveness that will result from its implementation

d)A control procedure that is always cost effective

36.Due to data errors occurring from time to time in processing the Albert Company's payroll, the company's management is considering the addition of a data validation control procedure that is projected to reduce the risk of these data errors from 13% to 2%. The cost of the payroll reprocessing is estimated to be $11,000. If the data validation control procedure is implemented, the cost of this procedure is expected to be $700 per pay period (employees are paid biweekly). Based on the above data, which of the following statements is true?

a)The data validation control procedure should be implemented because its net estimated benefit is $1,210

b)The data validation control procedure should be implemented because its net estimated benefit is $510

c)The data validation control procedure should not be implemented because the $700 expected cost per pay period exceeds the procedure's expected benefit

d)The data validation control procedure should not be implemented because its net estimated benefit is a negative $1,210, thereby causing the control procedure to fail in terms of being cost effective

TB 9.4

37.Which of the following frameworks is widely used by managers to organize and evaluate their corporate governance structure?

a)COBIT

b)COSO

c)NIST

d)SAS No. 94

38.Which of the following fundamental concepts is stressed by the COSO report?

a)Internal control is not affected by people

b)Internal control is geared to the achievement of a company's objectives in the financial reporting area only

c)Internal control is designed to detect all errors and irregularities that occur within a company's system

d)Internal control is a process

39.A periodic review by internal auditors that stresses the evaluation of the efficiency and effectiveness of a department's procedures is called a (an):

a)Operational audit

b)Financial audit

c)Management-by-exception audit

d)Audit by exception

40.Regarding the internal audit function, which of the following statements is true?

a)Since many internal auditors have accounting backgrounds, the internal audit function should ideally be included within a company's accounting subsystem

b)It is not proper for internal auditors to perform a fraud investigation within any part of their company's system

c)Because of the independence of external auditors, they should never accept previous work of evaluating controls performed by a company's internal auditors

d)Within a company's system, it is preferable to establish the internal audit function as a separate subsystem

41.Regarding a company's audit trail, which of the following statements is true?

a)Because of the complexities involved in establishing an audit trail, a good audit trail normally makes it more difficult for an individual to follow the flow of a company's business transactions through the company's information system

b)In actuality, the audit trail established within a company's information system is an unimportant element of the company's internal control system

c)When a company's audit trail becomes more difficult to follow, this causes an increase in the risk of errors or irregularities taking place in the processing of accounting transactions and not being detected

d)A company's policies and procedures manual should not be part of its audit trail since confidential information is included within this manual

42.An approach used by many companies to reduce the risk of loss caused by the theft of assets by employees is to:

a)Utilize polygraphs

b)Acquire arbitrage loss protection

c)Acquire fidelity bond coverage

d)Institute punitive management

TB 9.5

43.If the same employee is responsible for authorizing a business transaction and recording the transaction in the accounting records, this indicates a weakness in which element of a company's internal control system?

a)A good audit trail

b)Separation of duties

c)Internal review of controls

d)Competent employees

44.Which of the following control procedures provides physical protection for a company's cash asset?

a)Majority of authorized cash disbursements made by check

b)Daily cash receipts deposited intact at bank

c)Voucher system for cash disbursements

d)all of the above

45.Which of the following statements is true regarding timely performance reports?

a)In many companies, these reports are the major means of providing information to management concerning the actual operations of the companies’ internal control systems

b)These reports should only include monetary data

c)Since these reports fail to provide feedback to management on the operations of previously implemented internal control procedures, other techniques are needed to provide this feedback to managers

d)The complexity that a computer introduces into a company's information system will typically prevent the preparation of timely performance reports for the company's management

46.A responsibility that should be assigned to a specific employee and not shared is that of:

a)Access to the company's safe deposit box

b)Placing orders and maintaining relationships with a prime supplier

c)Attempting to collect a particular delinquent account

d)Custodianship of the petty cash fund

47.For control purposes, the quantities of materials ordered may be omitted from the copy of the purchase order which is:

a)Forwarded to the accounting department

b)Retained in the purchasing department's files

c)Returned to the requisitioner

d)Forwarded to the receiving department

48.Freije Refrigeration Company has an inventory of raw materials and parts consisting of thousands of different items which are of small dollar value individually but significant in total. A fundamental control requirement of Freije's inventory system is that:

a)Perpetual inventory records be maintained for all inventory items

b)The taking of physical inventories be conducted on a cycle basis rather than at year-end

c)The storekeeping function not be combined with the production and inventory record-keeping functions

d)Material requisitions be approved by an officer of the company

TB 9.6

49.The sales department bookkeeper has been crediting house-account sales to her brother-in-law, an outside salesman. Commissions are paid on outside sales but not on house-account sales. This might have been prevented by requiring that:

a)Sales order forms be prenumbered and accounted for by the sales department bookkeeper

b)Sales commission statements be supported by sales order forms and approved by the sales manager

c)Aggregate sales entries be prepared by the general accounting department

d)Disbursement vouchers for sales commissions be reviewed by the internal audit department and checked to sales commission statements

In each one of the following four questions (questions 50-53), you are given a well-recognized procedure of internal control. You are to identify the irregularity that will be discovered or prevented by each procedure.

50.The voucher system requires that invoices be compared with receiving reports and express bills before a voucher is prepared and approved for payment.

a)Unrecorded checks appear in the bank statement

b)The treasurer takes funds by preparing a fictitious voucher charging "Miscellaneous General Expenses"

c)An employee in the purchasing department sends through fictitious invoices and receives payment

d)A cash shortage is covered by underfooting outstanding checks on the bank reconciliation

e)A cash shortage is covered by omitting some of the outstanding checks from the bank reconciliation

51.Both cash and credit customers are educated to expect a sales ticket. Tickets are serially numbered. All numbers are accounted for daily.

a)Customers complain that their monthly bills contain items that have been paid

b)Some customers have the correct change for the merchandise purchased; they pay and do not wait for a sales ticket

c)Customers complain that they are billed for goods they did not purchase

d)Customers complain that goods ordered are not received

e)Salesclerks destroy duplicate sales tickets for the amount of cash stolen

52.At a movie-theater box office, all tickets are prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to give the number of tickets sold. Cash is counted and compared with the number of tickets sold.

a)The box office gives too much change

b)The ticket taker admits his friends without a ticket

c)The manager gives theater passes for personal expenses, which is against company policy

d)A test check of customers entering the theater does not reconcile with ticket sales

e)Tickets from a previous day are discovered in the ticket taker's stub box despite the fact that tickets are stamped "Good on Date of Purchase Only"

TB 9.7

53.The duties of cashier and accounts-receivable bookkeeper should be separated.

a)There are two cashiers. At the end of a certain day, there is a sizable cash shortage; each cashier blames the other and it is impossible to fix responsibility

b)A cash shortage is covered by overfooting (overadding) cash in transit on the bank reconciliation

c)A cash shortage is covered by charging it to "Miscellaneous General Expenses"

d)Customers who paid their accounts in cash complain that they still receive statements of balances due

e)The accounts-receivable bookkeeper charges off the accounts of friends to "Allowance for Uncollectible Accounts"

54.The COSO report stresses that:

a)Internal control is a process

b)An internal control system, if properly designed, can become a substitute for management

c)People only at high levels of an organization are an important part of an internal control system

d)An internal control system should consist of three interrelated components: the control environment, risk assessment, and control activities

55.Regarding COBIT, which of the following statements is true?

a)COBIT means Cost Objectives for Information and Related Technology

b)COBIT rejects the definition of internal control from the COSO report

c)COBIT states that a company’s management should play a minor role in establishing an internal control system

d)COBIT classifies people as one of the primary resources managed by various IT processes

56.The component of an internal control system that concerns itself with the way a company’s management assigns authority and responsibility is called:

a)Monitoring

b)Control environment

c)Risk assessment

d)Information

57._________________ describes the policies, plans, and procedures implemented by a firm to protect its assets.

a)Internal control

b)SAS No. 94

c)SOX, Section 404

d)Enterprise risk management

TB 9.8

58.The 1992 COSO report identifies five components for an effective internal control system. These are:

a)Control environment, risk assessment, control activities, information and communication, and monitoring

b)Control environment, control procedures, control activities, communication, and monitoring

c)Control procedures, control activities, information, communication, and monitoring

d)Control procedures, risk assessment, control activities, information and communication, and monitoring

59.The 1992 COSO report identifies five components for an effective internal control system. Which of those five establishes the tone of a company and influences the control awareness of the company’s employees?

a)Control procedures

b)Control environment

c)Control activities

d)Information and communication

60.The 1992 COSO report identifies five components for an effective internal control system. Which of those five includes the methods used to inform employees about their roles and responsibilities pertaining to internal control?

a)Control procedures

b)Control environment

c)Control activities

d)Information and communication

61.The Enterprise Risk Management (ERM) framework is based on the 1992 COSO report and adds three additional components for an effective internal control system. Which of the following is not one of those three?

a)Objective setting

b)Event identification

c)Control assessment

d)Risk response

62.Suppose a company established training programs that teach employees to perform their job functions more efficiently and effectively. This is an example of which type of control?

a)Detective

b)Preventive

c)Corrective

d)none of the above

63.Many organizations have an internal audit function that makes periodic reviews of each department within the organization. The focus of these reviews is to:

a)Conduct an investigation of each department to be sure fraud is not taking place

b)Evaluate the efficiency and effectiveness of the department

c)Evaluate the performance of the manager of the department

d)Report to the organization’s top managers and board of directors

TB 9.9

64.Which of the following factors best describes the “control environment” of a firm?

a)The integrity, ethical values, and competence of employees

b)Management’s philosophy and operating style

c)The way management assigns authority and responsibility

d)The direction and attention provided by the board of directors

e)all of the above

65.The purpose of ________________ is to identify organizational risks, analyze their potential in terms of costs and likelihood of occurrence, and install those controls whose projected benefits outweigh their costs.

a)Internal controls

b)A control environment

c)Risk assessment

d)Management consultants

66.Which of the following personnel policies would be the most useful in mitigating fraud or embezzlement?

a)Fidelity bonds for key employees

b)Careful hiring procedures for key employees

c)Having a Code of Conduct

d)Required vacations for key employees

67.When assessing a company’s internal control structure policies and procedures, the primary consideration is whether they

a)Prevent management override

b)Relate to the control environment

c)Reflect management’s philosophy and operating style

d)Affect the financial statement assertions

68.Which one of the following functions performed in an organization is a violation of internal control?

a)A mail clerk opening the mail compares the check received with the source document accompanying the payment, noting the amount paid, then forwards the checks daily (along with a listing of the cash receipts) to the Cashier for deposit

b)A mail clerk opening the mail compares the check received with the source document accompanying the payment, noting the amount paid, then forwards the source documents that accompany the payments (along with a listing of the cash receipts) to Accounts Receivable, on a daily basis, for posting to the subsidiary ledger

c)At the end of the week the Cashier prepares a deposit slip for all of the cash receipts received during the week

d)The General Ledger clerk compares the summary journal entry, received from the Cashier for cash receipts applicable to outstanding accounts, with the batch total for posting to the Subsidiary Ledger by the Accounts Receivable clerk

TB 9.10

69.Which one of the following methods, for the distribution of employees’ paychecks, would provide the best internal control for the organization?

a)Delivery of the paychecks to each department supervisor, who in turn would distribute paychecks directly to the employees in his/her department

b)Direct deposit in each employee’s personal bank account

c)Distribution of paychecks directly to each employee by a representative of the Human Resource department

d)Distribution of paychecks directly to each employee by the payroll manager

70.Which one of the following would be most effective in deterring the commission of fraud?

a)Policies of strong internal control, segregation of duties, and requiring employees to take vacations

b)Policies of strong internal control and punishments for unethical behavior

c)Employee training, segregation of duties, and punishment for unethical behavior

d)Hiring ethical employees, employee training, and segregation of duties

71.Which one of the following types of audits would be most likely to focus on objectives related to the efficient use of resources?

a)Compliance audit

b)Information systems audit

c)Independent audit

d)Operational audit

Matching Questions

For the following terms find the correct definition below and place the letter of that response in the blank space provided before the term. Each definition is used only once – there are two terms that are not used.

72.______ ideal control

73.______ scenario planning

74.______ COBIT

75.______ detective controls

76.______ SOX, Section 404

77.______ control activities

78.______ fidelity bond

79.______ risk matrix

80.______ preventive controls

81.______ Val IT

82.______ control environment

83.______ separation of duties

84.______ corporate governance

85.______ internal control

86.______ corrective controls

TB 9.11

Definitions:

A.Managing an organization in a fair, transparent and accountable manner to protect the interests of all the stakeholder groups

B.A framework for IT governance

C.The purpose of this control is to reduce the risk of loss caused by employee theft

D.The policies, plans, and procedures management uses to protect company assets

E.Software that interfaces with suppliers and customers

F.A control procedure that reduces to practically zero the risk of an undetected error or irregularity

G.A process whereby management identifies possible events that represent a problem to the firm and then identifies appropriate responses to those problems

H.Establishes the tone of a company and influences the control awareness of the company’s employees

I.An example of this control is to assign these three functions to different employees: authorizing transactions, recording transactions, and maintaining custody of assets

J.An example of this type of control is a firewall to prevent unauthorized access to the company’s network

K.An example of this type of control is a change to the company’s procedures for creating backup copies of important business files

L.When companies have production or work completed in countries like India, China, Canada, Mexico, or Malaysia

M.Examples of this type of control are: log monitoring and review, system audits, file integrity checkers, and motion detection

N.The purpose of this procedure is to classify each potential risk by mitigation cost and also by likelihood of occurrence

O.The purpose of this framework is to achieve effective governance of IT

P.Reaffirms that management is responsible for an adequate internal control structure

Q.Includes a combination of manual and automated controls – such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, and segregation of duties

Short Answer Questions

87.What do the acronyms COSO and COBIT stand for?

88.Define preventive, detective, and corrective controls. Give an example of each.

TB 9.12