Accounting Information Systems 13th Edition By Marshall-B.-Romney – Test Bank A+


6.1 Compare and contrast computer attack and abuse tactics.

1) ________ consists of the unauthorized copying of company data.

  1. A) Phishing
  2. B) Masquerading
  3. C) Data leakage
  4. D) Eavesdropping

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

2) Individuals who use telephone lines to commit fraud and other illegal acts are typically called

  1. A) phreakers.
  2. B) crackers.
  3. C) phishers.
  4. D) hackers.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

3) What is a denial of service attack?

  1. A) A denial of service attack occurs when the perpetrator sends hundreds of messages from randomly generated false addresses, overloading an Internet service provider’s e-mail server.
  2. B) A denial of service attack occurs when an e-mail message is sent through a re-mailer, who removes the message headers making the message anonymous, then resends the message to selected addresses.
  3. C) A denial of service attack occurs when a cracker enters a system through an idle modem, captures the PC attached to the modem, and then gains access to the network to which it is connected.
  4. D) A denial of service attack occurs when the perpetrator e-mails the same message to everyone on one or more Usenet newsgroups or LISTSERV lists.

Answer: A

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

4) Gaining control of somebody’s computer without their knowledge and using it to carry out illicit activities is known as

  1. A) hacking.
  2. B) sniffing.
  3. C) phreaking.
  4. D) hijacking.

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

5) Tapping into a communications line and then entering the system by accompanying a legitimate user without their knowledge is called

  1. A) superzapping.
  2. B) data leakage.
  3. C) hacking.
  4. D) piggybacking.

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

6) Which of the following is not a method of identity theft?

  1. A) scavenging
  2. B) phishing
  3. C) shoulder surfing
  4. D) phreaking

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

7) The deceptive method by which a perpetrator gains access to the system by pretending to be an authorized user is called

  1. A) cracking.
  2. B) masquerading.
  3. C) hacking.
  4. D) superzapping.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

8) The unauthorized access to, or use of, a computer system is known as

  1. A) hacking.
  2. B) hijacking.
  3. C) phreaking.
  4. D) sniffing.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

9) A fraud technique that slices off tiny amounts from many projects is called the ________ technique.

  1. A) Trojan horse
  2. B) round down
  3. C) salami
  4. D) trap door

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

10) Data diddling is

  1. A) gaining unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.
  2. B) unauthorized copying of company data such as computer files.
  3. C) unauthorized access to a system by the perpetrator pretending to be an authorized user.
  4. D) changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data.

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

11) In the 1960s, techniques were developed that allowed individuals to fool the phone system into providing free access to long distance phone calls. The people who use these methods are referred to as

  1. A) phreakers.
  2. B) hackers.
  3. C) hijackers.
  4. D) superzappers.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

12) During a routine audit, a review of cash receipts and related accounting entries revealed discrepancies. Upon further analysis, it was found that figures had been entered correctly and then subsequently changed, with the difference diverted to a fictitious customer account. This is an example of

  1. A) kiting.
  2. B) data diddling.
  3. C) data leakage.
  4. D) phreaking.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

13) LOLer was chatting online with l33ter. “I can’t believe how lame some people are! 🙂 I can get into any system by checking out the company website to see how user names are defined and who is on the employee directory. Then, all it takes is brute force to find the password.” LOLer is a ________, and the fraud he is describing is ________.

  1. A) hacker; social engineering
  2. B) phreaker; dumpster diving
  3. C) hacker; password cracking
  4. D) phreaker; the salami technique

Answer: C

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

14) After graduating from college with a communications degree, Rado Ionesco experienced some difficulty in finding full-time employment. He free-lanced during the summer as a writer and then started a blog in the fall. Shortly thereafter he was contacted by SitePromoter Incorporated, who offered to pay him to promote their clients in his blog. He set up several more blogs for this purpose and is now generating a reasonable level of income. He is engaged in

  1. A) splogging.
  2. B) Bluesnarfing.
  3. C) vishing.
  4. D) typosquatting.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

15) Computers that are part of a botnet and are controlled by a bot herder are referred to as

  1. A) posers.
  2. B) zombies.
  3. C) botsquats.
  4. D) evil twins.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

16) Wassim Masood had been the webmaster for Woori Finance for only ten days when Woori’s website was flooded with access attempts. Wassim shut down the site and only opened it to Web addresses which he specifically identified as legitimate. As a result, many of Woori’s customers were unable to obtain loans, causing Woori to lose a significant amount of business. Woori Finance suffered from a

  1. A) denial-of-service attack.
  2. B) zero-day attack.
  3. C) malware attack.
  4. D) cyber-extortion attack.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

17) Wassim Masood had been the webmaster for Woori Finance for only ten days when he received an e-mail that threatened to shut down Woori’s website unless Wassim wired payment to an account in South America. Wassim was concerned that Woori Finance would suffer huge losses if its website went down, so he wired money to the appropriate account. The author of the e-mail successfully committed

  1. A) a denial-of-service attack.
  2. B) Internet terrorism.
  3. C) hacking.
  4. D) cyber-extortion.

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

18) Wassim Masood works in the information technology department of TMV. On Monday morning, he arrived at work, scanned his identity card, and entered his code. At that moment, a lady in a delivery uniform came up behind Wassim with a bunch of boxes. Although Wassim held the door for the delivery lady, he later wondered if the delivery lady was engaged in

  1. A) pretexting.
  2. B) piggybacking.
  3. C) posing.
  4. D) spoofing.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

19) Describe at least six computer attacks and abuse techniques.

Answer:

Round-down technique — rounded off amounts from calculations and the fraction deposited in perpetrator’s account.

Salami technique — small amounts sliced off and stolen from many projects over a period of time.

Software piracy — unauthorized copying of software, probably the most committed computer crime.

Data diddling — changing data in an unauthorized way.

Data leakage — unauthorized copying of data files.

Piggybacking — latching onto a legitimate user in data communications.

Masquerading or Impersonation — the perpetrator gains access to the system by pretending to be an authorized user.

Hacking — unauthorized access and use of a computer system.

E-mail threats — threatening legal action and asking for money via e-mail.

E-mail forgery — removing message headers, using such anonymous e-mail for criminal activity.

Denial of service attack — sending hundreds of e-mail messages from false addresses until the attacked server shuts down.

Internet terrorism — crackers using the Internet to disrupt electronic commerce and communication lines.

Internet misinformation — using the Internet to spread false or misleading information.

War dialing — searching for an idle modem by dialing thousands of telephones and intruding systems through idle modems.

Spamming — e-mailing the same message to everyone on one or more Usenet groups.

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

20) Zeus is an example of a

  1. A) virus.
  2. B) worm.
  3. C) Trojan horse.
  4. D) war dialing.

Answer: C

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

21) Recall that students used Facebook and VKontakte to identify Russian money laundering mules. What fraud case did these students help foil?

  1. A) Zeus
  2. B) Trident Breach
  3. C) Nigerian Banking
  4. D) InfraGard

Answer: B

Objective: Learning Objective 1

Difficulty: Difficult

AACSB: Analytic

22) On the weekends, Thuy Nguyen climbs into her Toyota Camry and drives around the city of Las Vegas looking for unprotected wireless networks to exploit. Thuy is most likely engaging in

  1. A) snarfing.
  2. B) Wi-pilfering.
  3. C) war driving.
  4. D) data slurping.

Answer: C

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

23) Offering a free website, then charging the phone bills of the individuals who signed up for the free website is known as

  1. A) snarfing.
  2. B) web cramming.
  3. C) podpounding.
  4. D) e-scraping.

Answer: B

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

6.2 Explain how social engineering techniques are used to gain physical or logical access to computer resources.

1) Mircea Vasilescu maintains an online brokerage account. In early March, Mircea received an e-mail from the firm that explained that there had been a computer error and asked Mircea to call a phone number to verify his customer information. When Mircea called the number, a recording asked that he enter the code from the e-mail, his account number, and his social security number. After he did so, he was told that he would be connected with a customer service representative, but the connection was terminated. He contacted the brokerage company and was informed that they had not sent the e-mail. Mircea was a victim of

  1. A) Bluesnarfing.
  2. B) vishing.
  3. C) splogging.
  4. D) typosquatting.

Answer: B

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

2) When a computer criminal gains access to a system by searching through discarded records, this is referred to as

  1. A) data diddling.
  2. B) dumpster diving.
  3. C) eavesdropping.
  4. D) data squatting.

Answer: B

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1 million of electronic equipment by

  1. A) scavenging.
  2. B) skimming.
  3. C) Internet auction fraud.
  4. D) cyber extortion.

Answer: A

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

4) Illegally obtaining and using confidential information about a person for economic gain is known as

  1. A) eavesdropping.
  2. B) identity theft.
  3. C) packet sniffing.
  4. D) piggybacking.

Answer: B

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

5) Which method of fraud is physical in its nature rather than electronic?

  1. A) cracking
  2. B) hacking
  3. C) eavesdropping
  4. D) scavenging

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

6) Which of the following is the easiest method for a computer criminal to steal output without ever being on the premises?

  1. A) dumpster diving
  2. B) use of a Trojan horse
  3. C) using a telescope to peer at paper reports
  4. D) electronic eavesdropping on computer monitors

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

7) Dimitri Ivanov is an accountant with PwC. The firm has a very strict policy of requiring all users to change their passwords every sixty days. In early March, Dimitri received an e-mail claiming that there had been an error updating his password and that provided a link to a website with instructions for re-updating his password. Something about the e-mail made Dimitri suspicious, so he called PwC’s information technology department and found that the e-mail was fictitious. The e-mail was an example of

  1. A) social engineering.
  2. B) piggybacking.
  3. C) spamming.
  4. D) phishing.

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

8) It was late on a Friday afternoon when Makari Polzin got a call at the help desk for Taggart Transcontinental. A man with an edge of panic in his voice was on the phone. “I’m really in a bind and I sure hope that you can help me.” He identified himself as John Galt from the Accounting Department. He told Makari that he had to work on a report that was due on Monday morning and that he had forgotten to bring a written copy of his new password home with him. Makari knew that Taggart’s new password policy, which required that passwords be at least fifteen characters long, contain letters and numbers, and be changed every sixty days, had created problems. Consequently, Makari provided the password to John. The caller was not John Galt, and Makari was a victim of

  1. A) phreaking.
  2. B) war dialing.
  3. C) identity theft.
  4. D) social engineering.

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

9) Jim Chan decided to Christmas shop online. He linked to Amazon.com, found a perfect gift for his daughter, registered, and placed his order. It was only later that he noticed that the website’s URL was actually Amazom.com. Jim was a victim of

  1. A) Bluesnarfing.
  2. B) splogging.
  3. C) vishing.
  4. D) typosquatting.

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

10) Mo Chauncey was arrested in Emporia, Kansas, on February 29, 2008, for running an online business that specialized in buying and reselling stolen credit card information. Mo was charged with

  1. A) typosquatting.
  2. B) carding.
  3. C) pharming.
  4. D) phishing.

Answer: B

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

11) Which of the following is not an example of social engineering?

  1. A) obtaining and using another person’s Social Security number, credit card, or other confidential information
  2. B) creating phony websites with names and URL addresses very similar to legitimate websites in order to obtain confidential information or to distribute malware or viruses
  3. C) using e-mail to lure victims into revealing passwords or user IDs
  4. D) setting up a computer in a way that allows the user to use a neighbor’s unsecured wireless network

Answer: D

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

12) Describe at least four social engineering techniques.

Answer:

Piggybacking — latching onto a legitimate user in data communications.

Masquerading or Impersonation — the perpetrator gains access to the system by pretending to be an authorized user.

Social engineering — a perpetrator tricks an employee into giving him the information he needs to get into the system.

Identity theft — illegally assuming someone else’s identity, usually with the social security number.

Pretexting — using an invented scenario to increase the likelihood the victim will give away information.

Posing — fraudsters try to collect personal information by pretending to be legitimate business colleagues.

Phishing — sending e-mail, pretending to be a legitimate business colleague, requesting user ID or password or other confidential data.

Vishing — pretending to be a legitimate business colleague and attempting to get a victim to provide confidential information over the phone.

Carding — using stolen credit card information.

Pharming — redirecting website traffic to a spoofed website.

Typosquatting — setting up websites with names similar to real websites.

Scavenging — gaining access to confidential data by searching corporate records in dumpsters or computer storage.

Shoulder surfing — looking over a person’s shoulder in a public place to see PIN or passwords.

Skimming — manually swiping a credit card through a handheld card reader and storing the data for future use.

Eavesdropping — observation of private communications by wiretapping or other surveillance techniques.

E-mail forgery — removing message headers, using such anonymous e-mail for criminal activity.

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

13) What is social engineering?

Answer: Social engineering refers to techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network. Generally, social engineering is used in computer abuse to access a system to obtain confidential data.

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Reflective Thinking

14) Which of the following is not a human trait social engineers take advantage of to entice people to reveal information they should keep confidential?

  1. A) compassion
  2. B) sloth
  3. C) sex appeal
  4. D) authority

Answer: D

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

15) Which of the following websites likely poses the most fraud and security risk?

  1. A) your school’s website
  2. B) a file sharing website
  3. C) a social media website
  4. D) your personal website

Answer: B

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

16) True or False: Identity theft has always been a federal crime.

Answer: FALSE

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

17) Pretexting is best described as a social engineering technique that uses

  1. A) text messages to gain sensitive information.
  2. B) an invented scenario to gain sensitive information.
  3. C) threat of physical force to gain sensitive information.
  4. D) impersonation of somebody you know to gain sensitive information.

Answer: B

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

18) On a Friday evening you use a bar’s ATM to withdraw $50 from your bank account. However, as you complete your withdrawal, your card gets jammed in the ATM machine. The individual waiting in line behind you approaches you and suggests re-entering your PIN number. You do. However, your card remains jammed. You leave the bar to call your bank to report the incident. However, after you left, the individual who offered to help you removed a sleeve he had inserted in the ATM to jam your card. He now has your ATM card and PIN number. You just fell victim to a ________ fraud.

  1. A) tabnapping
  2. B) Lebanese looping
  3. C) phishing
  4. D) pharming

Answer: B

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

6.3 Describe the different types of malware used to harm computers.

1) A part of a program that remains idle until a specified date or event activates it to cause havoc is called a

  1. A) virus.
  2. B) logic bomb.
  3. C) trap door.
  4. D) data diddle.

Answer: B

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

2) Spyware is

  1. A) software that tells the user if anyone is spying on his computer.
  2. B) software that monitors whether spies are looking at the computer.
  3. C) software that monitors computing habits and sends the data it gathers to someone else.
  4. D) none of the above

Answer: C

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

3) The unauthorized use of special programs that bypass regular system controls to perform illegal acts is called

  1. A) a Trojan horse.
  2. B) a trap door.
  3. C) the salami technique.
  4. D) superzapping.

Answer: D

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

4) Computer fraud perpetrators that modify programs during systems development, allowing access into the system that bypasses normal system controls, are using

  1. A) a Trojan horse.
  2. B) a trap door.
  3. C) the salami technique.
  4. D) superzapping.

Answer: B

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

5) A fraud technique that allows a perpetrator to bypass normal system controls and enter a secured system is called

  1. A) superzapping.
  2. B) data diddling.
  3. C) using a trap door.
  4. D) piggybacking.

Answer: C

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

6) A set of unauthorized computer instructions in an otherwise properly functioning program is known as a

  1. A) logic bomb.
  2. B) spyware.
  3. C) trap door.
  4. D) Trojan horse.

Answer: D

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

7) A ________ is similar to a ________, except that it is a program rather than a code segment hidden in a host program.

  1. A) worm; virus
  2. B) Trojan horse; worm
  3. C) worm; Trojan horse
  4. D) virus; worm

Answer: A

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

8) Developers of computer systems often include a user name and password that is hidden in the system, just in case they need to get into the system and correct problems in the future. This is referred to as a

  1. A) Trojan horse.
  2. B) key logger.
  3. C) spoof.
  4. D) back door.

Answer: D

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

9) Narang Direct Sales is a telemarketing firm that operates out of India. The turnover rate among employees is quite high. Recently, the information technology manager discovered that an unknown employee had used a Bluetooth-enabled mobile phone to access the firm’s database and copied a list of customers from the past three years and their credit card information. Narang Direct Sales was a victim of

  1. A) Bluesnarfing.
  2. B) splogging.
  3. C) vishing.
  4. D) typosquatting.

Answer: A

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

10) Rina Misra, a first-time computer user, purchased a brand new PC two months ago and it was now operating much more slowly and sluggishly. Since purchasing the computer, she had been accessing the Internet and had installed a variety of free software. The problem is most likely to be

  1. A) a zero-day attack.
  2. B) a virus.
  3. C) a spoof.
  4. D) Bluesnarfing.

Answer: B

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

11) In November of 2005 it was discovered that many of the new CDs distributed by Sony BMG installed software when they were played on a computer. The software was intended to protect the CDs from copying. Unfortunately, it also made the computer vulnerable to attack by malware run over the Internet. The scandal and resulting backlash was very costly. The software installed by the CDs is a

  1. A) virus.
  2. B) worm.
  3. C) rootkit.
  4. D) squirrel.

Answer: C

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

12) Which of the following would be least effective to reduce exposure to a computer virus?

  1. A) Only transfer files between employees with USB flash drives.
  2. B) Install and frequently update antivirus software.
  3. C) Install all new software on a stand-alone computer until it is tested.
  4. D) Do not open e-mail attachments from unknown senders.

Answer: A

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

13) How can a system be protected from viruses?

Answer: Install reliable antivirus software that scans for, identifies, and isolates or destroys viruses. Use caution when copying files onto your diskettes from unknown machines. Ensure the latest version of the antivirus program available is used. Scan all incoming e-mails for viruses at the server level. All software should be certified as virus-free before loading it into the system. If you use jump drives, diskettes, or CDs, do not put them in unfamiliar machines as they may become infected. Obtain software and diskettes only from known and trusted sources. Use caution when using or purchasing software or diskettes from unknown sources. Deal with trusted software retailers. Ask whether the software you are purchasing comes with electronic techniques that make tampering evident. Check new software on an isolated machine with virus detection software before installing on the system. Cold boot to clear and reset the system. When necessary, “cold boot” the machine from a write-protected diskette. Have two backups of all files. Restrict the use of public bulletin boards.

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

14) Describe the differences between a worm and a virus.

Answer: A computer virus is a segment of executable code that attaches itself to computer software. A virus has two phases: it replicates itself and spreads to other systems or files, and in the attack phase, the virus carries out its mission to destroy files or the system itself. A worm is similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm can reside in e-mail attachments, which when opened or activated can damage a user’s system. Worms can also reproduce themselves by mailing themselves to the addresses found in the recipient’s mailing list. Worms do not have long lives, but their lives can be very destructive nonetheless.

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

15) Spyware that pops banner ads on a monitor, then collects information about the user’s web-surfing and spending habits is an example of

  1. A) a Trojan horse
  2. B) scareware
  3. C) adware
  4. D) a keylogger

Answer: C

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

16) Ransomware often comes in the form of

  1. A) fake antivirus software.
  2. B) an e-mail that threatens to kidnap the reader unless a ransom is paid.
  3. C) free performance-maximizing software.
  4. D) free apps.

Answer: A

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

17) True or False: Law enforcement uses key logging software, a form of malware, to detect crime.

Answer: TRUE

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

18) Terrorists often use ________ because it is an effective way to transmit information and receive orders.

  1. A) steganography
  2. B) packet sniffers
  3. C) trap doors
  4. D) time bombs

Answer: A

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

19) True or False: Steganography malware uses encryption to increase its effectiveness.

Answer: FALSE

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

Accounting Information Systems, 13e (Romney/Steinbart)

Chapter 7 Control and Accounting Information Systems

7.1 Explain basic control concepts and explain why computer control and security are important.

1) Why are threats to accounting information systems increasing?

  1. A) Many companies do not realize that data security is crucial to their survival.
  2. B) LANs and client/server systems are easier to control than centralized, mainframe systems.
  3. C) Many companies believe that protecting information is a strategic requirement.
  4. D) Computer control problems are often overestimated and overly emphasized by management.

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

2) A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a(n)

  1. A) preventive control.
  2. B) detective control.
  3. C) corrective control.
  4. D) authorization control.

Answer: A

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Reflective Thinking

3) Identify the preventive control below.

  1. A) reconciling the bank statement to the cash control account
  2. B) approving customer credit prior to approving a sales order
  3. C) maintaining frequent backup records to prevent loss of data
  4. D) counting inventory on hand and comparing counts to the perpetual inventory records

Answer: B

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

4) According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for

  1. A) hiring and firing the external auditors.
  2. B) performing tests of the company’s internal control structure.
  3. C) certifying the accuracy of the company’s financial reporting process.
  4. D) overseeing day-to-day operations of the internal audit department.

Answer: A

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

5) Which of the following measures can protect a company from AIS threats?

  1. A) Take a proactive approach to eliminate threats.
  2. B) Detect threats that do occur.
  3. C) Correct and recover from threats that do occur.
  4. D) All of the above are proper measures for the accountant to take.

Answer: D

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

6) Internal control is often referred to as a(n) ________, because it permeates an organization’s operating activities and is an integral part of management activities.

  1. A) event
  2. B) activity
  3. C) process
  4. D) system

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

7) Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions are an example of a ________ control.

  1. A) corrective; detective
  2. B) detective; corrective
  3. C) preventive; corrective
  4. D) detective; preventive

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

8) Which type of control is associated with making sure an organization’s control environment is stable?

  1. A) general
  2. B) application
  3. C) detective
  4. D) preventive

Answer: A

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

9) Which type of control prevents, detects, and corrects transaction errors and fraud?

  1. A) general
  2. B) application
  3. C) detective
  4. D) preventive

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

10) The primary purpose of the Foreign Corrupt Practices Act of 1977 was

  1. A) to require corporations to maintain a good system of internal control.
  2. B) to prevent the bribery of foreign officials by American companies.
  3. C) to require the reporting of any material fraud by a business.
  4. D) All of the above are required by the act.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

11) Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies.

  1. A) Foreign Corrupt Practices Act of 1977
  2. B) The Securities Exchange Act of 1934
  3. C) The Sarbanes-Oxley Act of 2002
  4. D) The Control Provision of 1998

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

12) Which of the following was not an important change introduced by the Sarbanes-Oxley Act of 2002?

  1. A) new roles for audit committees
  2. B) new rules for auditors and management
  3. C) new rules for information systems development
  4. D) the creation of the Public Company Accounting Oversight Board

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

13) A(n) ________ measures company progress by comparing actual performance to planned performance.

  1. A) boundary system
  2. B) diagnostic control system
  3. C) interactive control system
  4. D) internal control system

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

14) A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention.

  1. A) boundary system
  2. B) diagnostic control system
  3. C) interactive control system
  4. D) internal control system

Answer: C

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

15) Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Oanez Dinnerware

  1. A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process.
  2. B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.
  3. C) selected the company’s Chief Financial Officer to chair the audit committee.
  4. D) did not mention to auditors that the company had experienced significant losses due to fraud during the past year.

Answer: B

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

16) The Sarbanes-Oxley Act (SOX) applies to

  1. A) all companies with gross annual revenues exceeding $500 million.
  2. B) publicly traded companies with gross annual revenues exceeding $500 million.
  3. C) all private and public companies incorporated in the United States.
  4. D) all publicly traded companies.

Answer: D

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

17) Irene Pacifica was relaxing after work with a colleague at a local watering hole. Well into her second martini, she began expressing her feelings about her company’s budgeting practices. It seems that as a result of controls put in place by the company, her ability to creatively manage her department’s activities has been curtailed. The level of control that the company is using in this case is a(n)

  1. A) boundary system.
  2. B) diagnostic control system.
  3. C) interactive control system.
  4. D) belief system.

Answer: B

Objective: Learning Objective 1

Difficulty: Easy

AACSB: Analytic

18) Irene Pacifica was relaxing after work with a colleague at a local watering hole. Well into her second martini, she began expressing her feelings about her work environment. Recently, every employee of the firm was required to attend a sexual harassment workshop. The level of control that the company is using in this case is a(n)

  1. A) boundary system.
  2. B) diagnostic control system.
  3. C) interactive control system.
  4. D) belief system.

Answer: A

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

19) Explain why the Foreign Corrupt Practices Act was important to accountants.

Answer: The act is important to accountants because it incorporates the language of the AICPA pronouncement on internal controls. The Act mandates that corporations should keep records that accurately and fairly reflect their transactions and assets in reasonable detail. The internal control system of these organizations should be able to provide reasonable assurance that: a) transactions are properly authorized and recorded; b) assets are safeguarded and protected from unauthorized access; and c) recorded asset values are periodically compared with actual assets and any differences are corrected. The act requires corporations to maintain good systems of internal accounting control.

Objective: Learning Objective 1

Difficulty: Moderate

AACSB: Analytic

7.2 Compare and contrast the COBIT, COSO, and ERM control frameworks.

1) Which of the below is not a component of the COSO ERM?

  1. A) monitoring
  2. B) control environment
  3. C) risk assessment
  4. D) compliance with federal, state, or local laws

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

2) The COSO Enterprise Risk Management Integrated Framework stresses that

  1. A) risk management activities are an inherent part of all business operations and should be considered during strategy setting.
  2. B) effective risk management is comprised of just three interrelated components: internal environment, risk assessment, and control activities.
  3. C) risk management is the sole responsibility of top management.
  4. D) risk management policies, if enforced, guarantee achievement of corporate objectives.

Answer: A

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

3) Nolwenn Limited has been diligent in ensuring that their operations meet modern control standards. Recently, they have extended their control compliance system by incorporating policies and procedures that require the specification of company objectives, uncertainties associated with objectives, and contingency plans. Nolwenn Limited is transitioning from a ________ to a ________ control framework.

  1. A) COSO-Integrated Framework; COBIT
  2. B) COBIT; COSO-Integrated Framework
  3. C) COBIT; COSO-ERM
  4. D) COSO-Integrated Framework; COSO-ERM
  5. E) COSO-ERM; COBIT

Answer: D

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Reflective Thinking

4) Discuss the weaknesses in COSO’s internal control framework that led to the development of the COSO Enterprise Risk Management framework.

Answer: COSO’s internal control framework 1. had too narrow a focus; 2. examined controls without first addressing the purposes and risks of business processes; 3. existing internal control systems often have controls that protect against items that are no longer risks or are no longer important; 4. focusing on controls first has an inherent bias toward past problems and concerns.

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

5) True or False: The COSO ERM contains all five of the same COSO-Integrated Framework components.

Answer: TRUE

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

6) How many principles are there in the 2013 updated COSO – Internal Control Framework?

  1. A) 5
  2. B) 8
  3. C) 17
  4. D) 21

Answer: C

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

7) Why was the original 1992 COSO – Integrated Control framework updated in 2013?

  1. A) Congress required COSO to modernize.
  2. B) U.S. stock exchanges required more disclosure.
  3. C) to more effectively address technological advancements
  4. D) to comply with International accounting standards

Answer: C

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

8) Which internal control framework is widely accepted as the authority on internal controls?

  1. A) COBIT
  2. B) COSO Integrated Control
  3. C) COSO Enterprise Risk Management
  4. D) Sarbanes-Oxley Control Framework

Answer: B

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

9) Identify the statement below that is not true of the 2013 COSO Internal Control updated framework.

  1. A) It more efficiently deals with control implementation and documentation issues.
  2. B) It more effectively deals with control implementation and documentation issues.
  3. C) It provides users with more precise guidance.
  4. D) It adds many new examples to clarify the framework concepts.

Answer: A

Objective: Learning Objective 2

Difficulty: Difficult

AACSB: Analytic

10) Which of the following is not one of the five principles of COBIT5?

  1. A) meeting stakeholder needs
  2. B) covering the enterprise end-to-end
  3. C) enabling a holistic approach
  4. D) improving organization efficiency

Answer: D

Objective: Learning Objective 2

Difficulty: Difficult

AACSB: Analytic

11) The COBIT5 framework primarily relates to

  1. A) best practices and effective governance and management of private companies.
  2. B) best practices and effective governance and management of public companies.
  3. C) best practices and effective governance and management of information technology.
  4. D) best practices and effective governance and management of organizational assets.

Answer: D

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

12) Applying the COBIT5 framework, governance is the responsibility of

  1. A) internal audit.
  2. B) external audit.
  3. C) management.
  4. D) the board of directors.

Answer: D

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

13) Applying the COBIT5 framework, monitoring is the responsibility of

  1. A) the CEO.
  2. B) the CFO.
  3. C) the board of directors.
  4. D) all of the above

Answer: D

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

14) Why did COSO develop the Enterprise Risk Management framework?

  1. A) to improve the audit process
  2. B) to improve the risk management process
  3. C) to improve the financial reporting process
  4. D) to improve the manufacturing process

Answer: B

Objective: Learning Objective 2

Difficulty: Easy

AACSB: Analytic

15) Which of the following is not a basic principle of the COSO ERM framework?

  1. A) Companies are formed to create value for society.
  2. B) Management must decide how much uncertainty it will accept to create value.
  3. C) Uncertainty results in risk.
  4. D) Uncertainty results in opportunity.

Answer: A

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

16) The largest difference between the COSO Integrated Control (IC) framework and the COSO Enterprise Risk Management (ERM) framework is

  1. A) IC is controls-based, while the ERM is risk-based.
  2. B) IC is risk-based, while ERM is controls-based.
  3. C) IC is required, while ERM is optional.
  4. D) IC is more applicable to international accounting standards, while ERM is more applicable to generally accepted accounting principles.

Answer: A

Objective: Learning Objective 2

Difficulty: Moderate

AACSB: Analytic

7.3 Describe the major elements in the internal environment of a company.

1) Rauol is a receptionist for The South American Paper Company, which has strict corporate policies on appropriate use of corporate resources. The first week of March, Rauol saw Jim (the branch manager) putting printer paper and toner into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework?

  1. A) integrity and ethical values
  2. B) risk management philosophy
  3. C) restrict access to assets
  4. D) methods of assigning authority and responsibility

Answer: A

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

2) Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework?

  1. A) analyzing past financial performance and reporting
  2. B) providing sufficient resources to knowledgeable employees to carry out duties
  3. C) disciplining employees for violations of expected behavior
  4. D) setting realistic targets for long-term performance

Answer: A

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

3) The audit committee of the board of directors

  1. A) is usually chaired by the CFO.
  2. B) conducts testing of controls on behalf of the external auditors.
  3. C) provides a check and balance on management.
  4. D) does all of the above.

Answer: C

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

4) The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the

  1. A) control activities.
  2. B) organizational structure.
  3. C) budget framework.
  4. D) internal environment.

Answer: B

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

5) Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment?

  1. A) organizational structure
  2. B) methods of assigning authority and responsibility
  3. C) management philosophy and operating style
  4. D) commitment to competence

Answer: A

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

6) Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter

  1. A) unintentional errors.
  2. B) employee fraud or embezzlement.
  3. C) fraud by outsiders.
  4. D) disgruntled employees.

Answer: B

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

7) The SEC and FASB are best described as external influences that directly affect an organization’s

  1. A) hiring practices.
  2. B) philosophy and operating style.
  3. C) internal environment.
  4. D) methods of assigning authority.

Answer: C

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

8) Which attribute below is not an aspect of the COSO ERM Framework internal environment?

  1. A) enforcing a written code of conduct
  2. B) holding employees accountable for achieving objectives
  3. C) restricting access to assets
  4. D) avoiding unrealistic expectations

Answer: C

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

9) The amount of risk a company is willing to accept in order to achieve its goals and objectives is

  1. A) inherent risk.
  2. B) residual risk.
  3. C) risk appetite.
  4. D) risk assessment.

Answer: C

Objective: Learning Objective 3

Difficulty: Easy

AACSB: Analytic

10) Discuss the internal environment and identify the elements that comprise the internal environment.

Answer: The internal environment embraces individuals and the environment in which they operate in an organization. Individual employees are “the engine” that drives the organization and form the foundation upon which everything in the organization rests. Elements of the internal environment are: 1) a commitment to integrity and ethical values; 2) the philosophy and operating style of management; 3) organizational structure; 4) the audit committee of the board of directors; 5) methods of assigning authority and responsibility; 6) human resources policies and practices; and 7) various external influences. Each of these elements influences the internal control structure of the organization. Likewise, these elements should be examined and analyzed in detail when implementing or evaluating a system of internal controls.

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

11) Explain why management’s philosophy and operating style are considered to be the most important element of the internal environment.

Answer: Management truly sets the tone for the control environment of a business. If top management takes good control seriously and makes this known to everyone in the organization, then employees down the line will tend to do likewise. Management’s attitude toward risk taking and the assessment of risk before acting are indications. Willingness to manipulate performance measures or to encourage employees to do likewise is another indication of attitude. Finally, pressure on subordinates to achieve certain results regardless of the methods used can be a very persuasive indicator of problems. Management concerned about control will assess risk and act prudently, manipulation of performance measures will not be tolerated, and ethical behavior will be instilled in and required of employees.

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Reflective Thinking

12) What are some of the ways to assign authority and responsibility within an organization?

Answer: It is incumbent on management to identify specific business objectives and assign such objectives to certain departments and individuals. Management must also hold such departments and individuals responsible and accountable for achieving the assigned business objectives. Ways in which management may assign authority and responsibility include formal job descriptions, employee training, budgets, operating plans, and scheduling. A formal code of conduct also sets the stage for responsible behavior on the part of employees by defining ethical behavior, acceptable business practices, regulatory requirements, and conflicts of interest. Another useful and important tool is a written policy and procedures manual.

Objective: Learning Objective 3

Difficulty: Moderate

AACSB: Analytic

7.4 Describe the four types of control objectives that companies need to set.

1) According to the ERM, these help the company address all applicable laws and regulations.

  1. A) compliance objectives
  2. B) operations objectives
  3. C) reporting objectives
  4. D) strategic objectives

Answer: A

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytic

2) According to the ERM, high level goals that are aligned with and support the company’s mission are

  1. A) compliance objectives.
  2. B) operations objectives.
  3. C) reporting objectives.
  4. D) strategic objectives.

Answer: D

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytic

3) According to the ERM, ________ deal with the effectiveness and efficiency of company operations, such as performance and profitability goals.

  1. A) compliance objectives
  2. B) operations objectives
  3. C) reporting objectives
  4. D) strategic objectives

Answer: B

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytic

4) Applying the ERM framework, ________ help ensure the accuracy, completeness and reliability of internal and external company reports.

  1. A) Compliance objectives
  2. B) Operations objectives
  3. C) Reporting objectives
  4. D) Strategic objectives

Answer: C

Objective: Learning Objective 4

Difficulty: Easy

AACSB: Analytic

7.5 Describe the events that affect uncertainty and the techniques used to identify them.

1) True or False: Using the COSO definition of an event, an event represents uncertainty.

Answer: TRUE

Objective: Learning Objective 5

Difficulty: Easy

AACSB: Analytic

2) Identify the most correct statement with regard to an event.

  1. A) An event identified by management will occur.
  2. B) An event identified by management may or may not occur.
  3. C) An event identified by management may not trigger other events.
  4. D) It is easy to determine which events are most likely to occur.

Answer: B

Objective: Learning Objective 5

Difficulty: Easy

AACSB: Analytic

3) Which of the following is not a commonly used technique to identify potential events?

  1. A) performing internal analysis
  2. B) monitoring leading events
  3. C) conducting interviews
  4. D) none of the above

Answer: D

Objective: Learning Objective 5

Difficulty: Moderate

AACSB: Analytic

7.6 Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.

1) ________ is not a risk response identified in the COSO Enterprise Risk Management Framework.

  1. A) Acceptance
  2. B) Avoidance
  3. C) Monitoring
  4. D) Sharing

Answer: C

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

2) Best Friends, Incorporated is a publicly traded company where three BFFs (best friends forever) serve as its key officers. This situation

  1. A) is a violation of the Sarbanes-Oxley Act.
  2. B) violates the Securities and Exchange Act.
  3. C) increases the risk associated with an audit.
  4. D) must be changed before your audit firm could accept the audit engagement.

Answer: C

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

3) ________ remains after management implements internal control(s).

  1. A) Inherent risk
  2. B) Residual risk
  3. C) Risk appetite
  4. D) Risk assessment

Answer: B

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

4) ________ is the risk that exists before management takes any steps to mitigate it.

  1. A) Inherent risk
  2. B) Residual risk
  3. C) Risk appetite
  4. D) Risk assessment

Answer: A

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

5) How is expected loss calculated when performing risk assessment?

  1. A) impact times expected loss
  2. B) impact times likelihood
  3. C) inherent risk times likelihood
  4. D) residual risk times likelihood

Answer: B

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

6) The first step of the risk assessment process is generally to

  1. A) identify controls to reduce all risk to zero.
  2. B) estimate the exposure from negative events.
  3. C) identify the threats that the company currently faces.
  4. D) estimate the risk probability of negative events occurring.

Answer: C

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

7) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River’s rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance?

  1. A) $50
  2. B) $650
  3. C) $50,000
  4. D) $650,000

Answer: D

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

8) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River’s rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss without insurance?

  1. A) $50
  2. B) $650
  3. C) $50,000
  4. D) $650,000

Answer: B

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

9) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River’s rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss with insurance?

  1. A) $50
  2. B) $650
  3. C) $50,000
  4. D) $650,000

Answer: A

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

10) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River’s rapids. Management has determined that there is one chance in a thousand of a customer being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. Based on cost-benefit analysis, what is the most that the business should pay for the insurance?

  1. A) $50
  2. B) $500
  3. C) $600
  4. D) $650

Answer: C

Objective: Learning Objective 6

Difficulty: Easy

AACSB: Analytic

11) According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except

  1. A) reporting potential risks to auditors.
  2. B) identifying events that could impact the enterprise.
  3. C) evaluating the impact of potential events on achievement of objectives.
  4. D) establishing objectives for the enterprise.

Answer: A

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Analytic

12) As a result of an internal risk assessment, Allstate Insurance decided it was not profitable to provide hurricane insurance in the state of Florida. Allstate apparently chose to ________ the risk of paying hurricane claims in Florida.

  1. A) reduce
  2. B) share
  3. C) avoid
  4. D) accept

Answer: C

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Reflective Thinking

13) Upon getting into your new car, you suddenly became worried that you might become injured in an auto accident. You decided to buckle your seat belt in response. You chose to ________ the risk of being injured in an auto accident.

  1. A) reduce
  2. B) share
  3. C) avoid
  4. D) accept

Answer: A

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Reflective Thinking

14) Upon getting into your new car, you suddenly became worried that you might become injured in an auto accident. In response, you decided to drive 5 miles under the speed limit. You chose to ________ the risk of being injured in an auto accident.

  1. A) reduce
  2. B) share
  3. C) avoid
  4. D) accept

Answer: A

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Reflective Thinking

15) Upon getting into your new car, you suddenly became worried that you might become injured in an auto accident. In response, you decided to ride your bike instead. You chose to ________ the risk of being injured in an auto accident.

  1. A) reduce
  2. B) share
  3. C) avoid
  4. D) accept

Answer: C

Objective: Learning Objective 6

Difficulty: Moderate

AACSB: Reflective Thinking

7.7 Describe control activities commonly used in companies.

1) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect?

  1. A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn).
  2. B) A group of kids snuck into the theater through a back door when customers left after a show.
  3. C) The box office cashier accidentally gives too much change to a customer.
  4. D) The ticket taker admits his friends without tickets.

Answer: A

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

2) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect?

  1. A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn).
  2. B) A group of kids snuck into the theater through a back door when customers left after a show.
  3. C) The box office cashier accidentally gives too much change to a customer.
  4. D) The ticket taker admits his friends without tickets.

Answer: C

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

3) Independent checks on performance include all the following except

  1. A) data input validation checks.
  2. B) reconciling hash totals.
  3. C) preparing a trial balance report.
  4. D) supervisor review of journal entries and supporting documentation.

Answer: A

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

4) One of the key objectives of segregating duties is to

  1. A) ensure that no collusion will occur.
  2. B) achieve an optimal division of labor for efficient operations.
  3. C) make sure that different people handle different transactions.
  4. D) make sure that different people handle different parts of the same transaction.

Answer: D

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytic

5) Identify the statement below which is true.

  1. A) Requiring two signatures on checks over $20,000 is an example of segregation of duties.
  2. B) Although forensic specialists utilize computers, only people can accurately identify fraud.
  3. C) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.
  4. D) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check.

Answer: C

Objective: Learning Objective 7

Difficulty: Difficult

AACSB: Reflective Thinking

6) Of the following examples of fraud, which will be the most difficult to prevent and detect? Assume the company enforces adequate segregation of duties.

  1. A) A mail room employee steals a check received from a customer and destroys the documentation.
  2. B) The accounts receivable clerk does not record sales invoices for friends or family, so they can receive free goods.
  3. C) An employee puts inventory behind the dumpster while unloading a vendor’s delivery truck, then picks up the inventory later in the day and puts it in her car.
  4. D) Mike issues credit cards to himself and Maxine, and when the credit card balances are just under $1,000, Maxine writes off the accounts as bad debt. Mike then issues new cards.

Answer: D

Objective: Learning Objective 7

Difficulty: Difficult

AACSB: Reflective Thinking

7) Which of the following is a control related to design and use of documents and records?

  1. A) locking blank checks in a drawer or safe
  2. B) sequentially prenumbering sales invoices
  3. C) reconciling the bank statement to the general ledger
  4. D) comparing physical inventory counts with perpetual inventory records

Answer: B

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

8) Which of the following duties could be performed by the same individual without violating segregation of duties controls?

  1. A) approving accounting software change requests and testing production scheduling software changes
  2. B) programming new code for accounting software and testing accounting software upgrades
  3. C) approving software changes and implementing the upgraded software
  4. D) managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices

Answer: A

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

9) With a limited work force and a desire to maintain strong internal control, which combination of duties would result in the lowest risk exposure?

  1. A) updating the inventory subsidiary ledgers and recording purchases in the purchases journal
  2. B) approving a sales return on a customer’s account and depositing customers’ checks in the bank
  3. C) updating the general ledger and working in the inventory warehouse
  4. D) entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal

Answer: D

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

10) A store policy that allows retail clerks to process sales returns for $500 or less, with a receipt dated within the past 30 days, is an example of

  1. A) general authorization.
  2. B) specific authorization.
  3. C) special authorization.
  4. D) generic authorization.

Answer: A

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Reflective Thinking

11) An accounting policy that requires a purchasing manager to sign off on all purchases over $5,000 is an example of

  1. A) general authorization.
  2. B) specific authorization.
  3. C) special authorization.
  4. D) generic authorization.

Answer: B

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Reflective Thinking

12) A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a

  1. A) performance evaluation.
  2. B) project development plan.
  3. C) data processing schedule.
  4. D) strategic master plan.

Answer: D

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytic

13) A ________ is created to guide and oversee systems development and acquisition.

  1. A) performance evaluation
  2. B) project development plan
  3. C) steering committee
  4. D) strategic master plan

Answer: C

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

14) A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates.

  1. A) performance evaluation
  2. B) project development plan
  3. C) steering committee
  4. D) strategic master plan

Answer: B

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

15) The organization chart for Renata Corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness?

  1. A) assigning the programming and operating of the computer system to an independent control group which reports to the controller
  2. B) providing for maintenance of input data controls by an independent control group which reports to the controller
  3. C) periodically rotating assignment of application processing among machine operators, who all report to the information processing manager
  4. D) providing for review and distribution of system-generated reports by an independent control group which reports to the controller

Answer: A

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

16) Which of the following is an independent check on performance?

  1. A) The Purchasing Agent physically reviews the contents of shipments and compares them with the purchase orders he has placed.
  2. B) Production teams perform quality evaluations of the products that they produce.
  3. C) The General Manager compares budgeted amounts with expenditure records from all departments.
  4. D) Petty cash is disbursed by Fred Haynes. He also maintains records of disbursements, places requests to finance to replace expended funds, and periodically reconciles the petty cash balance.

Answer: C

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

17) Petty cash is disbursed by Manuela Luisina in the Cashier’s Office. Manuela also maintains records of disbursements, places requests to the Finance Department to replace expended funds, and periodically reconciles the petty cash balance. This represents a(n) ________ segregation of duties.

  1. A) ideal
  2. B) effective
  3. C) ineffective
  4. D) limited

Answer: C

Objective: Learning Objective 7

Difficulty: Easy

AACSB: Analytic

18) Hiring decisions at Maarja’s Razors are made by Maimu Maarja, the Director of Human Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay period, supervisors submit time cards to Kasheena, who prepares paycheck requisitions. Paychecks are then distributed through the company’s mail room. This represents a(n) ________ segregation of duties.

  1. A) partial
  2. B) effective
  3. C) ineffective
  4. D) limited

Answer: B

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

19) The Director of Information Technology for the city of Tampa, Florida formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from her company. She was later charged with fraud for overcharging the City, but was not convicted by a jury. The control issue in this case arose because the Director had both ________ and ________ duties.

  1. A) custody; authorization
  2. B) custody; recording
  3. C) recording; authorization
  4. D) management; custody

Answer: C

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

20) Describe the differences between general and specific authorization.

Answer: Authorizations are often documented by signing, initialing, or entering an authorization code on a transaction document or record. Management may deem that certain transactions are of a routine nature and as such may authorize employees to handle such transactions without special approval. This is known as general authorization. Other transactions may be of such consequence that management grants specific authorization for them to occur. Usually management must approve of such transactions and oversee them to completion, requiring an additional signature on checks exceeding a given dollar amount. Management should have written policies on both specific and general authorization for all types of transactions.

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Analytic

21) Explain how a company could be the victim of fraud, even if ideal segregation of duties is enforced.

Answer: When a system effectively incorporates a separation of duties, it should be difficult for any one employee to defeat the system and commit fraud. Fraud is possible when two or more employees agree to defeat the system for their own dishonest ends. This problem is known as collusion. When two or more employees act together to defeat the internal controls of the system, they may likely succeed. It is more difficult to detect such activity because the employees may have planned to “cover their tracks.” This is why independent review of transaction activity by third parties is important to monitor that internal controls are in place and working as designed.

Objective: Learning Objective 7

Difficulty: Moderate

AACSB: Reflective Thinking

7.8 Describe how to communicate information and monitor control processes in organizations.

1) Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported?

  1. A) information and communication
  2. B) internal environment
  3. C) event identification
  4. D) objective setting

Answer: A

Objective: Learning Objective 8

Difficulty: Easy

AACSB: Analytic

2) Which of the following is not a principle related to information and communication in the updated COSO Integrated Control framework?

  1. A) Communicate relevant internal control matters to external parties.
  2. B) Obtain or generate relevant, high-quality information to support internal control.
  3. C) Surround internal control processes with information technology that enables discrepancies to be identified.
  4. D) Internally communicate the information necessary to support the other components of internal control.

Answer: C

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

3) COSO requires that any internal deficiencies identified through monitoring be reported to whom?

  1. A) the external auditor
  2. B) appropriate federal, state, or local authorities
  3. C) the board of directors
  4. D) the audit committee

Answer: C

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

4) Which of the following is not a key method of monitoring performance?

  1. A) performing internal control evaluation
  2. B) employing a chief risk officer
  3. C) implementing effective supervision
  4. D) monitoring system activities

Answer: B

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

5) To ensure compliance with copyrights and to protect themselves from software piracy lawsuits, companies should ________.

  1. A) periodically conduct software audits
  2. B) update the operating system frequently
  3. C) buy software from legitimate suppliers
  4. D) adopt cloud operating platforms

Answer: A

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

6) Which types of audits can detect fraud and errors?

  1. A) external audits
  2. B) internal audits
  3. C) network security audits
  4. D) all of the above

Answer: D

Objective: Learning Objective 8

Difficulty: Easy

AACSB: Analytic

7) Which of the following is not an example of something monitored by a responsibility accounting system?

  1. A) budgets
  2. B) quotas
  3. C) vendor analysis
  4. D) quality standards

Answer: C

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

8) Which type of audit assesses employee compliance with management policies and procedures?

  1. A) external audit
  2. B) internal audit
  3. C) network security audit
  4. D) all of the above

Answer: B

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

9) Which of the following factors is not a reason forensic investigators are increasingly used in accounting?

  1. A) the Sarbanes-Oxley Act
  2. B) new accounting rules
  3. C) audit fee increases
  4. D) pressure from boards of directors

Answer: C

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic

10) A neural network is a software program that has

  1. A) the ability to read text.
  2. B) the ability to learn.
  3. C) the capability to extract information from an individual’s brain.
  4. D) the capability to inject information into an individual’s brain.

Answer: B

Objective: Learning Objective 8

Difficulty: Moderate

AACSB: Analytic
