Accounting Information Systems, 14e (Romney/Steinbart)

Chapter 7 Control and Accounting Information Systems

1 Explain basic control concepts and explain why computer control and security are important.

1) Why are threats to accounting information systems increasing?
A) Many companies have invested significant resources to protect their assets.
B) Many companies do not realize that data security is crucial to their survival.
C) Many companies believe that protecting information is a vital strategic requirement.
D) Computer control problems are often overestimated and overly emphasized by management.
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

2) Describe the reasons organizations have not adequately protected data.
Answer: The reasons organizations have not adequately protected data include: (1) Some
companies view the loss of crucial information as a distant, unlikely threat. (2) The control
implications of moving from centralized computer systems to Internet-based systems are not
fully understood. (3) Many companies do not realize that information is a strategic resource and
that protecting it must be a strategic requirement. For example, one company lost millions of
dollars because it did not protect data transmissions. A competitor tapped into its phone lines and
obtained faxes of new product designs. (4) Productivity and cost pressures motivate management
to forgo time-consuming control measures.
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

3) A control procedure designed so that the employee who records cash received from customers
does not also have access to the cash itself is an example of a(n)
A) preventive control.
B) detective control.
C) corrective control.
D) authorization control.
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

Copyright © 2018 Pearson Education, Inc.

4) Duplicate checking of calculations and preparing bank reconciliations and monthly trial
balances are examples of what type of control?
A) Preventive control
B) Detective control
C) Corrective control
D) Authorization control
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

5) Maintaining backup copies of files, correcting data entry errors, and resubmitting transactions
for subsequent processing are examples of what type of control?
A) Preventive control
B) Detective control
C) Corrective control
D) Authorization control
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

6) Identify the preventive control below.
A) Reconciling the bank statement to the cash control account.
B) Approving customer credit prior to approving a sales order.
C) Maintaining frequent backup records to prevent loss of data.
D) Counting inventory on hand and comparing counts to the perpetual inventory records.
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

7) Identify the detective control below.
A) Reconciling the bank statement to the cash control account.
B) Approving customer credit prior to approving a sales order.
C) Maintaining frequent backup records to prevent loss of data.
D) Ensuring that the employee who records cash received from customers does not also have
access to the cash itself.
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

8) Identify the corrective control below.
A) Reconciling the bank statement to the cash control account.
B) Approving customer credit prior to approving a sales order.
C) Maintaining frequent backup records to prevent loss of data.
D) Counting inventory on hand and comparing counts to the perpetual inventory records.
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

9) According to the Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is
directly responsible for
A) hiring and firing the external auditors.
B) performing tests of the company's internal control structure.
C) certifying the accuracy of the company's financial reporting process.
D) overseeing day-to-day operations of the internal audit department.
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

10) Which of the following measures can protect a company from AIS threats?
A) Take a proactive approach to eliminate threats.
B) Detect threats that do occur.
C) Correct and recover from threats that do occur.
D) All of the above are proper measures for the accountant to take.
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

11) Internal control is often referred to as a(n) ________, because it permeates an organization's
operating activities and is an integral part of management activities.
A) event
B) activity
C) process
D) system
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

12) Internal controls are often segregated into
A) detective controls and preventive controls.
B) general controls and application controls.
C) process controls and general controls.
D) system controls and application controls.
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

13) Duplicate checking of calculations is an example of a ________ control, and procedures to
resubmit rejected transactions are an example of a ________ control.
A) corrective; detective
B) detective; corrective
C) preventive; corrective
D) detective; preventive
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

14) Hiring qualified personnel is an example of a ________ control, and procedures to resubmit
rejected transactions are an example of a ________ control.
A) corrective; detective
B) detective; corrective
C) preventive; corrective
D) detective; preventive
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

15) Which type of control is associated with making sure an organization's control environment
is stable?
A) general
B) application
C) detective
D) preventive
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

16) Which type of control prevents, detects, and corrects transaction errors and fraud?
A) general
B) application
C) detective
D) preventive
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

17) The primary purpose of the Foreign Corrupt Practices Act of 1977 was
A) to require corporations to maintain a good system of internal control.
B) to prevent the bribery of foreign officials by American companies.
C) to require the reporting of any material fraud by a business.
D) All of the above are required by the act.
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

18) Congress passed this federal law for the purpose of preventing financial statement fraud, to
make financial reports more transparent and to strengthen the internal control of public
companies.
A) Foreign Corrupt Practices Act of 1977
B) The Securities Exchange Act of 1934
C) The Sarbanes-Oxley Act of 2002
D) The Securities Exchange Act of 1933
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

19) Which of the following was not an important change introduced by the Sarbanes-Oxley Act
of 2002?
A) New roles for audit committees
B) New rules for auditors and management
C) New rules for internal control requirements
D) New rules for information systems development
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

20) A(n) ________ measures company progress by comparing actual performance to planned
performance.
A) boundary system
B) diagnostic control system
C) interactive control system
D) belief system
Answer: B
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

21) A(n) ________ helps top-level managers with high-level activities that demand frequent and
regular attention.
A) boundary system
B) diagnostic control system
C) interactive control system
D) belief system
Answer: C
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

22) A(n) ________ helps employees understand management's vision. It communicates company
core values and inspires employees to live by those values.
A) boundary system
B) diagnostic control system
C) interactive control system
D) belief system
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

23) A(n) ________ helps employees act ethically.
A) boundary system
B) diagnostic control system
C) interactive control system
D) belief system
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Easy
AACSB: Analytical Thinking

24) Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The
management at Lasalle Investment group
A) asked their auditors to make recommendations for the redesign of their information
technology system and to aid in the implementation process.
B) did not mention to auditors that the company had experienced material weaknesses in the
company's internal control systems during the past year.
C) selected the company's CEO to chair the audit committee.
D) hired the manager from the external audit team as company CFO twelve months after the
manager had worked on the audit.
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

25) The Sarbanes-Oxley Act (SOX) applies to
A) all companies with gross annual revenues exceeding $500 million.
B) publicly traded companies with gross annual revenues exceeding $500 million.
C) all private and public companies incorporated in the United States.
D) all publicly traded companies.
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

26) Lauren Smith was relaxing after work with a colleague at a local bar. After a few drinks, she
began expressing her feelings about her company's new control initiatives. It seems that as a
result of controls put in place by the company, she now has to be more creative in solving
problems and avoiding actions that might have a negative effect on her company's reputation.
The level of control that the company is using in this case is a(n)
A) boundary system.
B) diagnostic control system.
C) interactive control system.
D) belief system.
Answer: A
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

27) Lauren Smith was relaxing after work with a colleague at a local bar. After a few drinks, she
began expressing her feelings about her company's new control initiatives. It seems that as a
result of controls put in place by the company, she now has to find ways to help her staff to better
understand the company's vision and core values. The level of control that the company is using
in this case is a(n)
A) boundary system.
B) diagnostic control system.
C) interactive control system.
D) belief system.
Answer: D
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Reflective Thinking

28) Explain why the Foreign Corrupt Practices Act was important to accountants.
Answer: The act is important to accountants because it incorporates the language of the AICPA
pronouncement on internal controls. The Act mandates that corporations should keep records that
accurately and fairly reflect their transactions and assets in reasonable detail. The internal control
system of these organizations should be able to provide reasonable assurance that: a) transactions
are properly authorized and recorded; b) assets are safeguarded and protected from unauthorized
access; and c) recorded asset values are periodically compared with actual assets and any
differences are corrected. The act requires corporations to maintain good systems of internal
accounting control.
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

29) Describe some of the most important aspects of Sarbanes-Oxley Act (SOX) and discuss why
SOX was important to accountants.
Answer: Some of the most important aspects of SOX include: (1) The creation of the Public
Company Accounting Oversight Board (PCAOB) to control the auditing profession; (2) The
added new rules for auditors; (3) The added new roles for audit committees; (4) The added new
rules for management; and (5) The added new internal control requirements. SOX applies to
publicly held companies and their auditors and was designed to prevent financial statement
fraud, make financial reports more transparent, protect investors, strengthen internal controls,
and punish executives who perpetrate fraud. SOX was important to accountants because it is the
most important business-oriented legislation in the last 80 years. It changed the way boards of
directors and management operate and had a dramatic impact on CPAs who audit them.
Concept: Control concepts
Objective: Learning Objective 1
Difficulty: Moderate
AACSB: Analytical Thinking

2 Compare and contrast the COBIT, COSO, and ERM control frameworks.

1) Which of the following is not a component of the COSO Enterprise Risk Management
Integrated Framework (ERM)?
A) Monitoring.
B) Ethical culture.
C) Risk assessment.
D) Control environment.
Answer: B
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytical Thinking

2) The COSO Enterprise Risk Management Integrated Framework stresses that
A) risk management activities are an inherent part of all business operations and should be
considered during strategy setting.
B) effective risk management is comprised of just three interrelated components: internal
environment, risk assessment, and control activities.
C) risk management is the sole responsibility of top management.
D) risk management policies, if enforced, guarantee achievement of corporate objectives.
Answer: A
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

3) Nolwenn Limited has been diligent in ensuring that their operations meet modern control
standards. Recently, they have extended their control compliance system by incorporating
policies and procedures that require the specification of company objectives, uncertainties
associated with objectives, and contingency plans. Nolwenn Limited is transitioning from a
________ to a ________ control framework.
A) COSO-Integrated Framework; COBIT
B) COBIT; COSO-Integrated Framework
C) COBIT; COSO-ERM
D) COSO-Integrated Framework; COSO-ERM
E) COSO-ERM; COBIT
Answer: D
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Reflective Thinking

4) Discuss the weaknesses in COSO's internal control framework that led to the development of
the COSO Enterprise Risk Management framework.
Answer: The weaknesses in COSO's internal control framework were: (1) It had too narrow a
focus. (2) It examined controls without first addressing the purposes and risks of business
processes. (3) Existing internal control systems often have controls that protect against items
that are no longer risks or are no longer important. (4) Focusing on controls first has an
inherent bias toward past problems and concerns.
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

5) The COSO ERM contains all five of the same COSO-Integrated Framework components.
Answer: TRUE
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytical Thinking

6) How many principles are there in the 2013 updated COSO - Internal Control Framework?
A) 5
B) 8
C) 17
D) 21
Answer: C
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

7) Why was the original 1992 COSO - Integrated Control framework updated in 2013?
A) Congress required COSO to modernize.
B) U.S. stock exchanges required more disclosure.
C) As an effort to more effectively address technological advancements.
D) As an effort to comply with the Information System Audit and Control Association
requirements.
Answer: C
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

8) Which internal control framework is widely accepted as the authority on internal controls?
A) COBIT.
B) ISACA framework.
C) COSO Integrated Control.
D) Sarbanes-Oxley control framework.
Answer: C
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

9) Identify the statement below that is not true of the 2013 COSO Internal Control updated
framework.
A) It more efficiently deals with control implementation and documentation issues.
B) It more effectively deals with control implementation and documentation issues.
C) It provides users with more precise guidance.
D) It adds many new examples to clarify the framework concepts.
Answer: A
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Challenging
AACSB: Analytical Thinking

10) Which of the following is not one of the five principles of COBIT5?
A) meeting stakeholder needs
B) covering the enterprise end-to-end
C) enabling a holistic approach
D) improving organization efficiency
Answer: D
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Challenging
AACSB: Analytical Thinking

11) The COBIT5 framework primarily relates to
A) best practices and effective governance and management of private companies.
B) best practices and effective governance and management of public companies.
C) best practices and effective governance and management of information technology.
D) best practices and effective governance and management of organizational assets.
Answer: D
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytical Thinking

12) Applying the COBIT5 framework, governance is the responsibility of
A) internal audit.
B) external audit.
C) management.
D) the board of directors.
Answer: D
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

13) Applying the COBIT5 framework, monitoring is the responsibility of
A) the CEO.
B) the CFO.
C) the board of directors.
D) all of the above
Answer: D
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

14) Applying the COBIT5 framework, planning is the responsibility of
A) the CEO.
B) the CFO.
C) the board of directors.
D) all of the above
Answer: D
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

15) The purpose of the COSO Enterprise Risk Management framework is
A) to improve the organization's risk management process.
B) to improve the organization's financial reporting process.
C) to improve the organization's manufacturing process.
D) to improve the organization's internal audit process.
Answer: A
Concept: Control frameworks
Objective: Learning Objective 2
Difficulty: Easy
AACSB: Analytical Thinking

16) Which of the following is not a basic principle of the COSO ERM framework?
A) Companies are formed to create value for society.
B) Management must decide how much uncertainty it will accept to create value.
C) Uncertainty results in risk.
D) Uncertainty results in opportunity.
Answer: A
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

17) The largest difference between the COSO Integrated Control (IC) framework and the COSO
Enterprise Risk Management (ERM) framework is
A) IC is controls-based, while the ERM is risk-based.
B) IC is risk-based, while ERM is controls-based.
C) IC is required, while ERM is optional.
D) IC is more applicable to international accounting standards, while ERM is more applicable to
generally accepted accounting principles.
Answer: A
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

18) Describe the five components of COSO's Internal Control Model.
Answer: The five components of COSO's Internal Control Model are: (1) Control
environment. This is the foundation for all other components of internal control. The core of any
business is its people (their individual attributes, including integrity, discipline, ethical values, and
competence) and the environment in which they operate. They are the engine that drives the
organization and the foundation on which everything rests. (2) Risk assessment. The organization
must identify, analyze, and manage its risks. Managing risk is a dynamic process. Management
must consider changes in the external environment and within the business that may be obstacles
to its objectives. (3) Control activities. Control policies and procedures help ensure that the
actions identified by management to address risks and achieve the organization's objectives are
effectively carried out. Control activities are performed at all levels and at various stages within
the business process and over technology. (4) Information and communication. Information and
communication systems capture and exchange the information needed to conduct, manage, and
control the organization's operations. Communication must occur internally and externally to
provide information needed to carry out day-to-day internal control activities. All personnel must
understand their responsibilities. (5) Monitoring. The entire process must be monitored, and
modifications made as necessary so the system can change as conditions warrant. Evaluations
ascertain whether each component of internal control is present and functioning. Deficiencies are
communicated in a timely manner, with serious matters reported to senior management and the
board.
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Challenging
AACSB: Analytical Thinking

19) The principle of obtaining or generating relevant, high-quality information to support internal
control belongs to which component of COSO's Internal Control Model?
A) Control environment.
B) Risk assessment.
C) Control activities.
D) Information and communication.
Answer: D
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

20) The principle of identifying and assessing changes that could significantly impact the system
of internal control belongs to which component of COSO's Internal Control Model?
A) Control environment.
B) Risk assessment.
C) Control activities.
D) Information and communication.
Answer: B
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

21) The principle of selecting and developing controls that might help mitigate risks to an
acceptable level belongs to which component of COSO's Internal Control Model?
A) Control environment.
B) Risk assessment.
C) Control activities.
D) Information and communication.
Answer: C
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

22) The principle of holding individuals accountable for their internal control responsibilities in
pursuit of objectives belongs to which component of COSO's Internal Control Model?
A) Control environment.
B) Risk assessment.
C) Control activities.
D) Information and communication.
Answer: A
Concept: Control concepts
Objective: Learning Objective 2
Difficulty: Moderate
AACSB: Analytical Thinking

3 Describe the major elements in the internal environment of a company.

1) Melissa is a staff accountant for Quality Paper Company, which has strict corporate policies
on appropriate use of corporate resources. The first week of March, Melissa saw Kent, the
branch manager, putting printer paper and toner into his briefcase on his way out the door. This
situation best reflects a weakness in which aspect of internal environment, as discussed in the
COSO Enterprise Risk Management Framework?
A) Integrity and ethical values.
B) Risk management philosophy.
C) Restrict access to assets.
D) Methods of assigning authority and responsibility.
Answer: A
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

2) Melissa, a staff accountant for Quality Paper Company, suspected that management might
have used "creative accounting" to improve company performance. This situation best reflects a
weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk
Management Framework?
A) Integrity and ethical values.
B) Risk management philosophy.
C) Restrict access to assets.
D) Methods of assigning authority and responsibility.
Answer: B
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

3) Which of the following is not a factor of internal environment according to the COSO
Enterprise Risk Management Framework?
A) Analyzing past financial performance and reporting.
B) Providing sufficient resources to knowledgeable employees to carry out duties.
C) Disciplining employees for violations of expected behavior.
D) Setting realistic targets for long-term performance.
Answer: A
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

4) The audit committee of the board of directors
A) is usually chaired by the CFO.
B) conducts testing of controls on behalf of the external auditors.
C) provides a check and balance on management.
D) does all of the above.
Answer: C
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

5) The definition of the lines of authority and responsibility and the overall framework for
planning, directing, and controlling is laid out by the
A) control activities.
B) organizational structure.
C) budget framework.
D) internal environment.
Answer: B
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

6) Reducing management layers, creating self-directed work teams, and emphasizing continuous
improvement are all related to which aspect of internal environment?
A) Organizational structure.
B) Methods of assigning authority and responsibility.
C) Management philosophy and operating style.
D) Commitment to competence.
Answer: A
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

7) Helping employees understand entity goals and objectives and then holding them accountable
for achieving them are all related to which aspect of internal environment?
A) Organizational structure.
B) Methods of assigning authority and responsibility.
C) Management philosophy and operating style.
D) Commitment to competence.
Answer: B
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

8) Personnel policies such as background checks, mandatory vacations, and rotation of duties
tend to deter
A) unintentional errors.
B) employee fraud or embezzlement.
C) fraud by outsiders.
D) disgruntled employees.
Answer: B
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

9) The SEC, PCAOB, and FASB are best described as external influences that directly affect an
organization's
A) hiring practices.
B) philosophy and operating style.
C) internal environment.
D) methods of assigning authority.
Answer: C
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

10) Which attribute below is not an aspect of the COSO ERM Framework internal environment?
A) Enforcing a written code of conduct.
B) Holding employees accountable for achieving objectives.
C) Restricting access to assets.
D) Avoiding unrealistic expectations.
Answer: C
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

11) The amount of risk a company is willing to accept in order to achieve its goals and objectives
is
A) inherent risk.
B) residual risk.
C) risk appetite.
D) risk assessment.
Answer: C
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Easy
AACSB: Analytical Thinking

12) Which of the following is the most effective way to uncover fraud schemes that require
the perpetrator's ongoing attention?
A) Hiring a forensic specialist.
B) Requiring employees to take mandatory vacations.
C) Installing security cameras to monitor employees' activities.
D) Implementing a fraud hotline.
Answer: B
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

13) Discuss the internal environment and identify the elements that comprise the internal
environment.
Answer: The internal environment embraces individuals and the environment in which they
operate in an organization. Individual employees are "the engine" that drives the organization and
form the foundation upon which everything in the organization rests. Elements of the internal
environment are: 1) a commitment to integrity and ethical values; 2) the philosophy and
operating style of management; 3) organizational structure; 4) the audit committee of the board
of directors; 5) methods of assigning authority and responsibility; 6) human resources policies
and practices; and 7) various external influences. Each of these elements influences the internal
control structure of the organization. Likewise, these elements should be examined and analyzed
in detail when implementing or evaluating a system of internal controls.
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

14) Explain why management's philosophy and operating style are considered to be the most
important element of the internal environment.
Answer: Management truly sets the tone for the control environment of a business. If top
management takes good control seriously and makes this known to everyone in the organization,
then employees down the line will tend to do likewise. Management's attitude toward risk taking
and the assessment of risk before acting are indications. Willingness to manipulate performance
measures or to encourage employees to do likewise is another indication of attitude. Finally,
pressure on subordinates to achieve certain results regardless of the methods used can be a very
persuasive indicator of problems. Management concerned about control will assess risk and act
prudently, manipulation of performance measures will not be tolerated, and ethical behavior will
be instilled in and required of employees.
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Reflective Thinking

Copyright © 2018 Pearson Education, Inc.

15) What are some of the ways to assign authority and responsibility within an organization?
Answer: It is incumbent on management to identify specific business objectives and assign such
objectives to certain departments and individuals. Management must also hold such departments
and individuals responsible and accountable for achieving the assigned business objectives.
Management may assign authority and responsibility through formal job descriptions,
employee training, budgets, operating plans, and scheduling. A formal code of conduct also sets
the stage for responsible behavior on the part of employees by defining ethical behavior,
acceptable business practices, regulatory requirements, and conflicts of interest. Another useful
and important tool is a written policy and procedures manual.
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Analytical Thinking

16) Why is most fraud not being reported or prosecuted?
Answer: Most fraud is not reported or prosecuted for the following reasons: (1) Companies are
reluctant to report fraud because it can be a public relations disaster. The disclosure can reveal
system vulnerabilities and attract more fraud or hacker attacks. (2) Law enforcement and the
courts are busy with violent crimes and have less time and interest for computer crimes in which
no physical harm occurs. (3) Fraud is difficult, costly, and time-consuming to investigate and
prosecute. (4) Many law enforcement officials, lawyers, and judges lack the computer skills
needed to investigate and prosecute computer crimes. (5) Fraud sentences are often light.
Concept: COSO's internal environment
Objective: Learning Objective 3
Difficulty: Moderate
AACSB: Reflective Thinking

4 Describe the control objectives companies need to set and how to identify events that affect
organizational uncertainty.

1) According to the ERM model, ________ help the company address all applicable laws and
regulations.
A) compliance objectives
B) operations objectives
C) reporting objectives
D) strategic objectives
Answer: A
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

2) According to the ERM model, ________ help to align high level goals with the company's
mission.
A) compliance objectives
B) operations objectives
C) reporting objectives
D) strategic objectives
Answer: D
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

3) According to the ERM model, ________ help to deal with the effectiveness and efficiency of
company operations, such as performance and profitability goals.
A) compliance objectives
B) operations objectives
C) reporting objectives
D) strategic objectives
Answer: B
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

4) According to the ERM model, ________ help to ensure the accuracy, completeness and
reliability of internal and external company reports.
A) compliance objectives
B) operations objectives
C) reporting objectives
D) strategic objectives
Answer: C
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

5) Using the COSO definition of an event, an event represents uncertainty.
Answer: TRUE
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

6) Identify the most correct statement with regard to an event.
A) An event identified by management will occur.
B) An event identified by management may or may not occur.
C) An event identified by management may not trigger other events.
D) It is easy to determine which events are most likely to occur.
Answer: B
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Easy
AACSB: Analytical Thinking

7) Which of the following is a commonly used technique to identify potential events?
A) Using data mining.
B) Browsing news articles.
C) Hiring a business process consultant.
D) None of the above.
Answer: A
Concept: COSO's control objective
Objective: Learning Objective 4
Difficulty: Moderate
AACSB: Analytical Thinking

8) Describe what an event is using the COSO definition and provide an example.
Answer: COSO defines an event as "an incident or occurrence emanating from internal or
external sources that affects implementation of strategy or achievement of objectives. Events
may have positive or negative impacts or both." A positive event represents an opportunity; a
negative event represents a risk. An event represents uncertainty; it may or may not occur. If it
does occur, it is hard to know when. Until it occurs, it may be difficult to determine its impact.
When it occurs, it may trigger another event. Events may occur individually or concurrently.
Management must try to anticipate all possible positive or negative events, determine which are
most and least likely to occur, and understand the interrelationship of events. Students' answers
may vary depending on the example they use.
Concept: COSO's control objective
Objective: Learning Objective 5
Difficulty: Challenging
AACSB: Reflective Thinking

5 Explain how to assess and respond to risk using the Enterprise Risk Management (ERM)
model.

1) ________ is not a risk response identified in the COSO Enterprise Risk Management
Framework.
A) Acceptance
B) Avoidance
C) Monitoring
D) Sharing
Answer: C
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

2) Best Friends, Incorporated is a publicly traded company where three BFF's (best friends
forever) serve as its key officers. This situation
A) violates the Sarbanes-Oxley Act.
B) violates the Securities and Exchange Act.
C) increases the risk associated with an audit.
D) All of the above.
Answer: C
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

3) ________ remains after management implements internal control(s).
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
Answer: B
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

4) ________ is the risk that exists before management takes any steps to mitigate it.
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
Answer: A
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

5) How is expected loss calculated when performing risk assessment?
A) Impact times expected loss.
B) Impact times likelihood.
C) Inherent risk times likelihood.
D) Residual risk times likelihood.
Answer: B
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

6) Preventive controls are usually superior to detective controls.
Answer: TRUE
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

7) The first step of the risk assessment process is generally to
A) identify controls to reduce all risk to zero.
B) estimate the exposure from negative events.
C) identify the threats that the company currently faces.
D) estimate the risk probability of negative events occurring.
Answer: C
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

8) The second step of the risk assessment process is generally to
A) identify controls to reduce all risk to zero.
B) estimate the exposure from negative events.
C) identify the threats that the company currently faces.
D) estimate the risk probability of negative events occurring.
Answer: D
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

9) Describe the steps in the development of a company's risk assessment and response strategy.
Answer: Steps in the development of a company's risk assessment and response strategy
include: (1) Identify the events, or threats, that confront the company. (2) Estimate the impact, or
potential loss, from each threat. (3) Identify controls to guard against each threat. (4) Estimate
the costs and benefits from instituting controls. (5) Reduce risk by implementing controls to
guard against the threat.
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

10) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River's rapids.
Management has determined that there is one chance in a thousand of a customer being injured
or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a
$100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of
criminal negligence. What is the impact of this risk without insurance?
A) $10
B) $850
C) $100,000
D) $850,000
Answer: D
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

11) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River's rapids.
Management has determined that there is one chance in a thousand of a customer being injured
or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a
$100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of
criminal negligence. What is the expected loss without insurance?
A) $10
B) $850
C) $100,000
D) $850,000
Answer: B
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

12) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River's rapids.
Management has determined that there is one chance in a thousand of a customer being injured
or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a
$100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of
criminal negligence. What is the expected loss with insurance?
A) $100
B) $850
C) $100,000
D) $850,000
Answer: A
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

13) Whitewater Rapids provides canoes to tourists eager to ride Whitewater River's rapids.
Management has determined that there is one chance in a thousand of a customer being injured
or killed. Settlement of resulting lawsuits has an average cost of $850,000. Insurance with a
$100,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of
criminal negligence. Based on cost-benefit analysis, what is the most that the business should
pay for the insurance?
A) $100
B) $500
C) $750
D) $850
Answer: C
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Easy
AACSB: Analytical Thinking

14) According to the COSO Enterprise Risk Management Framework, the risk assessment
process incorporates all of the following components except
A) reporting potential risks to auditors.
B) identifying events that could impact the enterprise.
C) evaluating the impact of potential events on achievement of objectives.
D) establishing objectives for the enterprise.
Answer: A
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Analytical Thinking

15) Describe the four ways that management can use to respond to risk. Provide an example for
each of them.
Answer: Management can respond to risk in one of four ways: (1) Reduce the likelihood and
impact of risk by implementing an effective system of internal controls. (2) Accept the likelihood
and impact of the risk. (3) Share risk or transfer it to someone else by buying insurance,
outsourcing an activity, or entering into hedging transactions. (4) Avoid risk by not engaging
in the activity that produces
the risk. This may require the company to sell a division, exit a product line, or not expand as
anticipated. Students' answers may vary depending on examples they used.
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

16) As a result of an internal risk assessment, Berryhill Insurance decided it was no longer
profitable to provide flood insurance in the southern states. Berryhill apparently chose to
________ the risk of paying flood claims in the southern states.
A) reduce
B) share
C) avoid
D) accept
Answer: C
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

17) Upon acquiring a new computer operating system, management at Berryhill worried that a
computer virus might cripple the company's operation. Management decided to install anti-virus
software and to build a firewall for its operating system. Berryhill chose to ________ the risk of
being crippled by a computer virus.
A) reduce
B) share
C) avoid
D) accept
Answer: A
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

18) Upon acquiring a new computer operating system, management at Berryhill worried that a
computer virus might cripple the company's operation. Despite the concern, management did not
think that the risk was high enough to justify the purchase of anti-virus software. Berryhill
chose to ________ the risk of being crippled by a computer virus.
A) reduce
B) share
C) avoid
D) accept
Answer: D
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

19) As a result of an internal risk assessment, Berryhill Insurance decided it was no longer
profitable to provide flood insurance in the southern states without a general rate increase.
Berryhill apparently chose to ________ the risk of paying flood claims in the southern states by
raising its insurance rate.
A) reduce
B) share
C) avoid
D) accept
Answer: B
Concept: COSO's risk assessment and risk response
Objective: Learning Objective 5
Difficulty: Moderate
AACSB: Reflective Thinking

6 Describe control activities commonly used in companies.

1) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day,
the beginning ticket number is subtracted from the ending number to calculate the number of
tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with
the number of tickets sold. Which of the following situations does this control detect?
A) Some customers presented tickets purchased on a previous day when there wasn't a ticket
taker at the theater entrance (so the tickets didn't get torn.)
B) A group of kids snuck into the theater through a back door when customers left after a show.
C) The box office cashier accidentally gives too much change to a customer.
D) The ticket taker admits his friends without tickets.
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

2) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day,
the beginning ticket number is subtracted from the ending number to calculate the number of
tickets sold. Cash is counted and compared with the number of tickets sold. Which of the
following situations does this control detect?
A) Some customers presented tickets purchased on a previous day when there wasn't a ticket
taker at the theater entrance (so the tickets didn't get torn.)
B) A group of kids snuck into the theater through a back door when customers left after a show.
C) The box office cashier accidentally gives too much change to a customer.
D) The ticket taker admits his friends without tickets.
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

3) Independent checks on performance include all the following except
A) data input validation checks.
B) reconciling hash totals.
C) preparing a trial balance report.
D) supervisor review of journal entries and supporting documentation.
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

4) One of the key objectives of segregating duties is to
A) ensure that no collusion will occur.
B) achieve an optimal division of labor for efficient operations.
C) make sure that different people handle different transactions.
D) make sure that different people handle different parts of the same transaction.
Answer: D
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Analytical Thinking

5) Effective segregation of accounting duties is achieved when which of the following functions
are separated?
A) Authorization, recording, and custody.
B) Recording, monitoring, and information system.
C) Authorization, monitoring, and risk assessment.
D) Recording, risk assessment, and control procedures.
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Analytical Thinking

6) Identify the statement below which is true.
A) Requiring two signatures on checks over $20,000 is an example of segregation of duties.
B) Although forensic specialists utilize computers, only people can accurately identify fraud.
C) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of
Enterprise Risk Management processes.
D) Re-adding the total of a batch of invoices and comparing the total with the first total you
calculated is an example of an independent check.
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Challenging
AACSB: Reflective Thinking

7) Of the following examples of fraud, which will be the most difficult to prevent and detect?
Assume the company enforces adequate segregation of duties.
A) A mail room employee steals a check received from a customer and destroys the
documentation.
B) The accounts receivable clerk does not record sales invoices for friends or family, so they can
receive free goods.
C) An employee puts inventory behind the dumpster while unloading a vendor's delivery truck,
then picks up the inventory later in the day and puts it in her car.
D) A credit manager issues credit cards to himself and a staff accountant in the accounting office,
and when the credit card balances are just under $1,000, the staff accountant writes off the
accounts as bad debt. The credit manager then issues new cards.
Answer: D
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Challenging
AACSB: Reflective Thinking

8) Which of the following is a control related to design and use of documents and records?
A) Locking blank checks in a drawer or safe.
B) Sequentially prenumbering sales invoices.
C) Reconciling the bank statement to the general ledger.
D) Comparing physical inventory counts with perpetual inventory records.
Answer: B
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

9) Which of the following duties could be performed by the same individual without violating
segregation of duties controls?
A) Approving accounting software change requests and testing production scheduling software
changes.
B) Programming new code for accounting software and testing accounting software upgrades.
C) Approving software changes and implementing the upgraded software.
D) Managing accounts payable function and revising code for accounting software to more
efficiently process discount due dates on vendor invoices.
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

10) With a limited work force and a desire to maintain strong internal control, which
combination of duties would result in the lowest risk exposure?
A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal.
B) Approving a sales return on a customer's account and depositing customers' checks in the
bank.
C) Updating the general ledger and working in the inventory warehouse.
D) Entering payments to vendors in the cash disbursements journal and entering cash received
from customers in the cash receipts journal.
Answer: D
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

11) A store policy that allows retail clerks to process sales returns for $1,000 or less, with a
receipt dated within the past 30 days, is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization.
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Reflective Thinking

12) An accounting policy that requires a purchasing manager to sign off on all purchases over
$10,000 is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization.
Answer: B
Concept: COSO's control activities
Objective: Learning Objective 7
Difficulty: Easy
AACSB: Reflective Thinking

13) A document that shows all projects that must be completed and the related IT needs in order
to achieve long-range company goals is known as a
A) performance evaluation.
B) project development plan.
C) data processing schedule.
D) strategic master plan.
Answer: D
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Analytical Thinking

14) A ________ is created to guide and oversee systems development and acquisition.
A) performance evaluation
B) project development plan
C) steering committee
D) strategic master plan
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

15) A ________ shows how a project will be completed, including tasks and who will perform
them as well as a timeline and cost estimates.
A) performance evaluation
B) project development plan
C) steering committee
D) strategic master plan
Answer: B
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

16) The organization chart for Renata Corporation includes a controller and an information
processing manager, both of whom report to the vice president of finance. Which of the
following would be a control weakness?
A) Assigning the programming and operating of the computer system to an independent control
group which reports to the controller
B) Providing for maintenance of input data controls by an independent control group which
reports to the controller
C) Periodically rotating assignment of application processing among machine operators, who all
report to the information processing manager
D) Providing for review and distribution of system-generated reports by an independent control
group which reports to the controller
Answer: A
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

17) Which of the following is an independent check on performance?
A) The Purchasing Agent physically reviews the contents of shipments and compares them with
the purchase orders he has placed.
B) Production teams perform quality evaluations of the products that they produce.
C) The General Manager compares budgeted amounts with expenditure records from all
departments.
D) Petty cash is disbursed by Fred Haynes. He also maintains records of disbursements, places
requests to finance to replace expended funds, and periodically reconciles the petty cash balance.
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

18) Petty cash is disbursed by Manuela Luisina in the Cashier's Office. Manuela also
maintains records of disbursements, places requests to the Finance Department to replace
expended funds, and periodically reconciles the petty cash balance. This represents a(n)
________ segregation of duties.
A) ideal
B) effective
C) ineffective
D) limited
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Analytical Thinking

19) Hiring decisions at Maarja's Razors are made by Maimu Maarja, the Director of Human
Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay
period, supervisors submit time cards to Kasheena, who prepares paycheck requisitions.
Paychecks are then distributed through the company's mail room. This represents a(n) ________
segregation of duties.
A) partial
B) effective
C) ineffective
D) limited
Answer: B
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

20) The Director of Information Technology for the city of Tampa, Florida formed a company to
sell computer supplies and software. All purchases made on behalf of the City were made from
her company. She was later charged with fraud for overcharging the City, but was not convicted
by a jury. The control issue in this case arose because the Director had both ________ and
________ duties.
A) custody; authorization
B) custody; recording
C) recording; authorization
D) management; custody
Answer: C
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

21) In a system with effective separation of duties, it is difficult for any single employee to
embezzle successfully.
Answer: TRUE
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Application of Knowledge

22) Detecting fraud where two or more people are in collusion to override controls is less
difficult because it is much easier for one or more fraud perpetrators to reveal the fraud.
Answer: FALSE
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Easy
AACSB: Application of Knowledge

23) The examination of the relationships between different sets of data is called
A) top-level reviews.
B) analytical reviews.
C) reconciliation of independently maintained records.
D) comparison of actual quantities with recorded amounts.
Answer: B
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Analytical Thinking

24) Describe the differences between general and specific authorization.
Answer: Authorizations are often documented by signing, initialing, or entering an
authorization code on a transaction document or record. Management may deem that certain
transactions are of a routine nature and as such may authorize employees to handle such
transactions without special approval. This is known as general authorization. Other transactions
may be of such consequence that management grants specific authorization for them to occur.
Usually management must approve of such transactions and oversee them to completion,
requiring an additional signature on checks exceeding a given dollar amount.
Management should have written policies on both specific and general authorization for all types
of transactions.
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Analytical Thinking

25) Explain how a company could be the victim of fraud, even if ideal segregation of duties is
enforced.
Answer: When a system effectively incorporates a separation of duties, it should be difficult for
any one employee to defeat the system and commit fraud. Fraud is possible when two or more
employees agree to defeat the system for their own dishonest ends. This problem is known as
collusion. When two or more employees act together to defeat the internal controls of the system,
they may likely succeed. It is more difficult to detect such activity because the employees may
have planned to "cover their tracks." This is why independent review of transaction activity by
third parties is important to monitor that internal controls are in place and working as designed.
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

26) Explain how a company could safeguard its assets, records, and data.
Answer: A company can safeguard its assets, records, and data by (1) Creating and enforcing
appropriate policies and procedures; (2) Maintaining accurate records of all assets; (3)
Restricting access to assets; and (4) Protecting records and documents.
Concept: COSO's control activities
Objective: Learning Objective 6
Difficulty: Moderate
AACSB: Reflective Thinking

7 Describe how to communicate information and monitor control processes in organizations.

1) Which component of the COSO Enterprise Risk Management Integrated Framework is
concerned with understanding how transactions are initiated, data are captured and processed,
and information is reported?
A) Information and communication.
B) Internal environment.
C) Event identification.
D) Objective setting.
Answer: A
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Easy
AACSB: Analytical Thinking

2) Which of the following is not a principle related to information and communicating in the
updated COSO Integrated Control framework?
A) Communicate relevant internal control matters to external parties.
B) Obtain or generate relevant, high-quality information to support internal control.
C) Surround internal control processes with information technology that enables discrepancies to
be identified.
D) Internally communicate the information necessary to support the other components of internal
control.
Answer: C
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

3) COSO requires that any internal deficiencies identified through monitoring be reported to
whom?
A) The external auditor.
B) The company's management.
C) The board of directors.
D) The audit committee.
Answer: C
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

4) Which of the following is not a key method of monitoring performance?
A) Performing internal control evaluation.
B) Implementing a benefit incentive plan.
C) Implementing effective supervision.
D) Implementing a whistleblower hotline.
Answer: B
Concept: COSO's communication and monitoring
Objective: Learning Objective 8
Difficulty: Moderate
AACSB: Analytical Thinking

5) To ensure compliance with copyrights and to protect itself from software piracy lawsuits,
companies should ________.
A) periodically conduct software audits
B) update the operating system frequently
C) buy software from legitimate suppliers
D) adopt cloud operating platforms
Answer: A
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

6) Which type of audits can detect fraud and errors?
A) External audits.
B) Internal audits.
C) Network security audits.
D) All of the above.
Answer: D
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Easy
AACSB: Analytical Thinking

7) Which of the following is not an example of something monitored by a responsibility
accounting system?
A) Budgets.
B) Quotas.
C) Vendor analysis.
D) Quality standards.
Answer: C
Concept: COSO's communication and monitoring
Objective: Learning Objective 8
Difficulty: Moderate
AACSB: Analytical Thinking

8) Which type of audit assesses employee compliance with management policies and
procedures?
A) External audit.
B) Internal audit.
C) Compliance audit.
D) Operational audit.
Answer: B
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

9) Which of the following factors is not a reason forensic investigators are increasingly used in
accounting?
A) The Sarbanes-Oxley Act.
B) New accounting rules.
C) Audit fee increases.
D) Pressure from boards of directors.
Answer: C
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

10) A neural network is a software program that has
A) the ability to read text.
B) the ability to learn.
C) the capability to extract information from an individual's brain.
D) the capability to inject information into an individual's brain.
Answer: B
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

11) Describe the three principles that apply to the information and communication process.
Answer: The following three principles apply to the information and communication process:
(1) Obtain or generate relevant, high-quality information to support internal control. (2)
Internally communicate the information, including objectives and responsibilities, necessary to
support the other components of internal control. (3) Communicate relevant internal control
matters to external parties.
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking

12) SOX suggested the fraud hotline as a mechanism for employees to report fraud and abuse.
Answer: FALSE
Concept: COSO's communication and monitoring
Objective: Learning Objective 7
Difficulty: Moderate
AACSB: Analytical Thinking
