Fill This Form To Receive Instant Help

Help in Homework
trustpilot ratings
google ratings


Homework answers / question archive / Utah State University ACCT 610 Chapter 15-IT Controls Part I: Sarbanes-Oxley and IT Governance TRUE/FALSE 1)Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting

Utah State University ACCT 610 Chapter 15-IT Controls Part I: Sarbanes-Oxley and IT Governance TRUE/FALSE 1)Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting

Business

Utah State University

ACCT 610

Chapter 15-IT Controls Part I: Sarbanes-Oxley and IT Governance

TRUE/FALSE

1)Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.

 

 

 

  1. Both the SEC and the PCAOB requires management to use the COBIT framework for assessing internal control adequacy.

 

 

 

  1. Both the SEC and the PCAOB requires management to use the COSO framework for assessing internal control adequacy.

 

 

 

  1. A qualified opinion on management’s assessment of internal controls over the financial reporting system necessitates a qualified opinion on the financial statements?

 

 

 

  1. The same internal control objectives apply to manual and computer-based information systems.

 

 

 

  1. To fulfill the segregation of duties control objective, computer processing functions (like authorization of credit and billing) are separated.

 

 

 

  1. To ensure sound internal control, program coding and program processing should be separated.

 

 

 

  1. Some systems professionals have unrestricted access to the organization's programs and data.

 

 

 

  1. Application controls apply to a wide range of exposures that threaten the integrity of all programs processed within the computer environment.

 

 

 

  1. The Database Administrator should be separated from systems development.

 

 

 

  1. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.

 

 

 

  1. IT auditing is a small part of most external and internal audits.

 

 

 

  1. Assurance services is an emerging field that goes beyond the auditor’s traditional attestation function.

 

 

 

  1. An IT auditor expresses an opinion on the fairness of the financial statements.

 

 

 

  1. External auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

 

 

 

  1. External auditors can cooperate with and use evidence gathered by internal audit departments that are organizationally independent and that report to the Audit Committee of the Board of Directors.

 

 

 

  1. Tests of controls determine whether the database contents fairly reflect the organization's transactions.

 

 

 

  1. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated.

 

 

 

  1. A strong internal control system will reduce the amount of substantive testing that must be performed.

 

 

 

  1. Substantive testing techniques provide information about the accuracy and completeness of an application's processes.

 

 

 

MULTIPLE CHOICE

 

  1. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?

a.

Auditors must determine, whether changes in internal control has, or is likely to,

materially affect internal control over financial reporting.

b.

Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.

c.

Corporate management (including the CEO) must certify monthly and annually their

organization’s internal controls over financial reporting.

d.

Management must disclose any material changes in the company’s internal controls that

have occurred during the most recent fiscal quarter.

 

 

 

  1. Which of the following is NOT a requirement in management’s report on the effectiveness of internal controls over financial reporting?

a.

A statement of management’s responsibility for establishing and maintaining adequate

internal control user satisfaction.

b.

A statement that the organizations internal auditors has issued an attestation report on management’s assessment of the companies internal controls.

c.

A statement identifying the framework used by management to conduct their assessment of internal controls.

d.

An explicit written conclusion as to the effectiveness of internal control over financial

reporting.

 

 

  1. In a computer-based information system, which of the following duties needs to be separated?

a.

program coding from program operations

b.

program operations from program maintenance

c.

program maintenance from program coding

d.

all of the above duties should be separated

 

 

  1. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except

a.

rapid turnover of systems professionals complicates management's task of assessing the

competence and honesty of prospective employees

b.

many systems professionals have direct and unrestricted access to the organization's

programs and data

c.

rapid changes in technology make staffing the systems environment challenging

d.

systems professionals and their supervisors work at the same physical location

 

 

  1. Adequate backups will protect against all of the following except

a.

natural disasters such as fires

b.

unauthorized access

c.

data corruption caused by program errors

d.

system crashes

 

 

  1. Which is the most critical segregation of duties in the centralized computer services function?

a.

systems development from data processing

b.

data operations from data librarian

c.

data preparation from data control

d.

data control from data librarian

 

 

  1. Systems development is separated from data processing activities because failure to do so

a.

weakens database access security

b.

allows programmers access to make unauthorized changes to applications during

execution

c.

results in inadequate documentation

 

d.

results in master files being inadvertently erased

 

 

 

  1. Which organizational structure is most likely to result in good documentation procedures?

a.

separate systems development from systems maintenance

b.

separate systems analysis from application programming

c.

separate systems development from data processing

d.

separate database administrator from data processing

 

 

  1. All of the following are control risks associated with the distributed data processing structure except

a.

lack of separation of duties

b.

system incompatibilities

c.

system interdependency

d.

lack of documentation standards

 

 

  1. Which of the following is not an essential feature of a disaster recovery plan?

a.

off-site storage of backups

b.

computer services function

c.

second site backup

d.

critical applications identified

 

 

  1. A second site backup agreement between two or more firms with compatible computer facilities to assist each other with data processing needs in an emergency is called

a.

internally provided backup

b.

recovery operations center

c.

empty shell

d.

mutual aid pact

 

 

  1. The major disadvantage of an empty shell solution as a second site backup is

a.

the host site may be unwilling to disrupt its processing needs to process the critical

applications of the disaster stricken company

b.

intense competition for shell resources during a widespread disaster

c.

maintenance of excess hardware capacity

d.

the control of the shell site is an administrative drain on the company

 

 

  1. An advantage of a recovery operations center is that

a.

this is an inexpensive solution

b.

the initial recovery period is very quick

c.

the company has sole control over the administration of the center

d.

none of the above are advantages of the recovery operations center

 

 

  1. For most companies, which of the following is the least critical application for disaster recovery purposes?

 

a.

month-end adjustments

b.

accounts receivable

c.

accounts payable

d.

order entry/billing

 

 

 

  1. The least important item to store off-site in case of an emergency is

a.

backups of systems software

b.

backups of application software

c.

documentation and blank forms

d.

results of the latest test of the disaster recovery program

 

 

  1. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except

a.

systems documentation is inadequate because of pressures to begin coding a new program

before documenting the current program

b.

illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time

c.

a new systems analyst has difficulty in understanding the logic of the program

d.

inadequate systems documentation is prepared because this provides a sense of job

security to the programmer

 

 

  1. All of the following are recommended features of a fire protection system for a computer center except

a.

clearly marked exits

b.

an elaborate water sprinkler system

c.

manual fire extinguishers in strategic locations

d.

automatic and manual alarms in strategic locations

 

 

  1. Which concept is not an integral part of an audit?

a.

evaluating internal controls

b.

preparing financial statements

c.

expressing an opinion

d.

analyzing financial data

 

 

  1. Which statement is not true?

a.

Auditors must maintain independence.

b.

IT auditors attest to the integrity of the computer system.

c.

IT auditing is independent of the general financial audit.

d.

IT auditing can be performed by both external and internal auditors.

 

 

  1. Typically, internal auditors perform all of the following tasks except

a.

IT audits

b.

evaluation of operational efficiency

c.

review of compliance with legal obligations

d.

internal auditors perform all of the above tasks

 

 

 

  1. The fundamental difference between internal and external auditing is that

a.

internal auditors represent the interests of management and external auditors represent

outsiders

b.

internal auditors perform IT audits and external auditors perform financial statement audits

c.

internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement audits

d.

external auditors assist internal auditors but internal auditors cannot assist external auditors

 

 

  1. Internal auditors assist external auditors with financial audits to

a.

reduce audit fees

b.

ensure independence

c.

represent the interests of management

d.

the statement is not true; internal auditors are not permitted to assist external auditors with financial audits

 

 

  1. Which statement is not correct?

a.

Auditors gather evidence using tests of controls and substantive tests.

b.

The most important element in determining the level of materiality is the mathematical

formula.

c.

Auditors express an opinion in their audit report.

d.

Auditors compare evidence to established criteria.

 

 

  1. All of the following are steps in an IT audit except

a.

substantive testing

b.

tests of controls

c.

post-audit testing

d.

audit planning

 

 

  1. When planning the audit, information is gathered by all of the following methods except

a.

completing questionnaires

b.

interviewing management

c.

observing activities

d.

confirming accounts receivable

 

 

  1. Substantive tests include

a.

examining the safety deposit box for stock certificates

b.

reviewing systems documentation

c.

completing questionnaires

d.

observation

 

 

  1. Tests of controls include

a.

confirming accounts receivable

b.

counting inventory

c.

completing questionnaires

d.

counting cash

 

 

  1. All of the following are components of audit risk except

a.

control risk

b.

legal risk

c.

detection risk

d.

inherent risk

 

 

  1. Control risk is

a.

the probability that the auditor will render an unqualified opinion on financial statements

that are materially misstated

b.

associated with the unique characteristics of the business or industry of the client

c.

the likelihood that the control structure is flawed because controls are either absent or

inadequate to prevent or detect errors in the accounts

d.

the risk that auditors are willing to take that errors not detected or prevented by the control

structure will also not be detected by the auditor

 

 

  1. All of the following tests of controls will provide evidence about the physical security of the computer center except

a.

review of fire marshal records

b.

review of the test of the backup power supply

c.

verification of the second site backup location

d.

observation of procedures surrounding visitor access to the computer center

 

 

  1. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except

a.

inspection of the second site backup

b.

analysis of the fire detection system at the primary site

c.

review of the critical applications list

d.

composition of the disaster recovery team

 

 

  1. Which of the following is true?

a.

In the CBIS environment, auditors gather evidence relating only to the contents of

databases, not the reliability of the computer system.

b.

Conducting an audit is a systematic and logical process that applies to all forms of

information systems.

c.

Substantive tests establish whether internal controls are functioning properly.

d.

IT auditors prepare the audit report if the system is computerized.

 

 

  1. Inherent risk

 

a.

exists because all control structures are flawed in some ways.

b.

is the likelihood that material misstatements exist in the financial statements of the firm.

c.

is associated with the unique characteristics of the business or industry of the client.

d.

is the likelihood that the auditor will not find material misstatements.

 

 

 

  1. Attestation services require all of the following except

a.

written assertions and a practitioner’s written report

b.

the engagement is designed to conduct risk assessment of the client’s systems to verify

their degree of SOX compliance

c.

the formal establishment of measurements criteria

d.

the engagement is limited to examination, review, and application of agreed-upon

procedures

 

 

  1. The financial statement of an organization reflects a set of management assertions about the financial health of the business. All of the following described types of assertions except

a.

that all of the assets and equities on the balance sheet exist

b.

that all employees are properly trained to carry out their assigned duties

c.

that all transactions on the income statement actually occurred

d.

that all allocated amounts such as depreciation are calculated on a systematic and rational

basis

 

 

SHORT ANSWER

 

  1. Which of the following statements is true?

a. Both the SEC and the PCAOB requires the use of the COSO framework

b.Both the SEC and the PCAOB requires the COBIT framework

c. The SEC recommends COBIT and the PCAOB recommends COSO

d.Any framework can be used that encompass all of COSO’s general themes

 

 

  1. COSO identifies two broad groupings of information system controls. What are they?

 

 

  1. The Sarbanes-Oxley Act contains many sections. Which sections are the focus of this chapter?

 

 

  1. What control framework is recommended by the PCAOB?

 

  1. What are the objectives of application controls?

 

 

  1. Define general controls.

 

 

  1. Discuss the key features of Section 302 of the Sarbanes-Oxley Act.

 

 

  1. What the three primary CBIS functions that must be separated?

 

 

  1. List three pairs of system functions that should be separated in the centralized computer services organization. Describe a risk exposure if the functions are not separated.

 

Functions to Separate

 

Risk Exposure

 

 

 

 

 

 

 

 

 

 

 

  1. For disaster recovery purposes, what criteria are used to identify an application or data as critical?

 

 

  1. Describe the components of a disaster recovery plan.

 

 

  1. What is a mirrored data center?

 

 

  1. Why is supervisory control more elaborate in the CBIS environment than in the manual environment?

 

 

  1. What are some control implications of the distributed data processing model?

 

 

  1. What is program fraud?

 

 

  1. The distributed data processing approach carries some control implications of which accountants should be aware. Discuss two.

 

 

  1.                                                                  are intentional mistakes while                                                                are unintentional mistakes.

 

 

  1. Explain the relationship between internal controls and substantive testing.

 

 

 

  1. Discuss the interrelationship of tests of controls, audit objectives, exposures, and existing controls.

 

 

  1. Distinguish between errors and irregularities. Which do you think concern the auditors the most?

 

 

  1. Describe two tests that an auditor would perform to ensure that the disaster recovery plan is adequate.

 

 

  1. Distinguish between inherent risk and control risk. How do internal controls and detection risk fit in?

 

 

  1. Contrast internal and external auditing.

 

 

 

  1. What are the components of audit risk?

 

 

  1. How do the tests of controls affect substantive tests?

 

 

  1. What is an auditor looking for when testing computer center controls?

 

 

  1. Define and contrast attestation services and assurance services.

 

 

 

ESSAY

  1. Discuss the key features of Section 404 of the Sarbanes-Oxley Act

 

 

  1. Section 404 requires management to make a statement identifying the control framework used to conduct their assessment of internal controls. Discuss the options in selecting a control framework.

 

 

  1. Explain how general controls impact transaction integrity and the financial reporting process.

 

 

 

  1. Prior to SOX, external auditors were required to be familiar with the client organization’s internal controls, but not test them. Explain.

 

 

  1. Does a qualified opinion on managements assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain.

 

 

  1. The PCAOB’s standard No. 2 specifically requires auditors to understand transaction flows in designing their test of controls. What steps does this entail?

 

 

  1. What fraud detection responsibilities (if any) are imposed on auditors by SOX.

 

  1. Describe how a Corporate Computer Services Function can overcome some of the problems associated with distributed data processing.

 

 

  1. Discuss the advantages and disadvantages of the second site backup options.

 

  1. Internal control in a computerized environment can be divided into two broad categories. What are they? Explain each.

 

 

  1. Auditors examine the physical environment of the computer center as part of their audit. Many characteristics of computer centers are of interest to auditors. What are they? Discuss.

 

 

  1. Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS environment? Give an example.

 

 

  1. Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as most costly to least costly.

 

 

  1. What is a disaster recovery plan? What are the key features?

 

 

Option 1

Low Cost Option
Download this past answer in few clicks

15.83 USD

PURCHASE SOLUTION

Already member?


Option 2

Custom new solution created by our subject matter experts

GET A QUOTE