
Chapter 09

Reporting Processes and eXtensible Business Reporting Language (XBRL)

 
 

True / False Questions


 

1. Data warehouses work together with operational systems to provide necessary insight, particularly in the
case of customer relationship management (CRM) and supply chain management (SCM) systems. 
 
True    False
 
2. Data warehouses are often designed to facilitate decision making, such as that often used in managerial
accounting, and to facilitate management by exception, such as variance reports, trend reports, variance
analysis reports, and reports that compare actual performance to budgeted information.
 
True    False
 
3. If data mining finds a statistical correlation or relationship between two data items, then there exists a
plausible relationship between those two data items in the real world.
 
True    False
 
4. XBRL is based on the XML language. 
 
True    False
 
5. XBRL produces standardized reports and is not customizable. 
 
True    False
 
6. XBRL GL (also known as XBRL Global Ledger Taxonomy) serves as a means to facilitate efficient
communication within a firm. 
 
True    False
 
7. XBRL serves as a means to electronically communicate business information to facilitate business
reporting of financial and nonfinancial data to users. XBRL greatly enhances the speed and accuracy of
business reporting. 
 
True    False
 
8. XBRL instance documents describe each key data element (e.g., total assets, accounts payable, net income,
etc.).
 
True    False
 

Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
9. XBRL allows highly disaggregated data so not only is it possible to know the level of sales, but it is
possible to know sales revenue in much more detail. 
 
True    False
 
10. Data warehouses gather information from external databases, but not from internal databases. 
 
True    False
 
11. XBRL style sheets take the instance documents and add presentation elements to make XBRL filings
readable by humans. 
 
True    False
 
12. Bank loan officers and the IRS will likely have different XBRL style sheets for the various XBRL filings. 
 
True    False
 
13. Since both are regulators, the SEC and the IRS will likely have similar XBRL style sheets for the various
XBRL filings. 
 
True    False
 
14. XBRL (eXtensible Business Reporting Language) is an open, global standard for exchanging financial
reporting information. 
 
True    False
 
15. Data Mining is a process of using sophisticated statistical techniques to extract and analyze data from large
databases to discern patterns and trends that were not previously known. 
 
True    False
 
16. XBRL Instance Documents define and describe each key data element (e.g., total assets, accounts payable,
net income, etc.).
 
True    False
 
 

Multiple Choice Questions


 

17. Data mining is considered a technique of 


 

A. Data Warehousing
B. Project Management
C. Data Martian
D. Business Intelligence
 

18. A data warehouse may include a: 
 

A. XBRL style sheet


B. General Economic Information
C. Digital Dashboard
D. iPad Mini
 
19. Ford may use business intelligence to: 
 

A. Track the cost of parts on its vehicles


B. Monitor the price of their pilots and flight attendants
C. Indicators of quality issues to pinpoint machinery failures in its assembly plants
D. As inputs for its tax reporting system
 
20. A collection of information gathered from an assortment of external and operational (i.e., internal)
databases to facilitate reporting for decision making and business analysis is called 
 

A. Business intelligence
B. Data Warehouse
C. Digital Dashboard
D. XBRL
 
21. The steps in business intelligence include: 
 

A. Gather Information, Analyze Data for Patterns, Make Decision


B. Analyze Data for Patterns, Gather Information, Make Decision
C. Create Data Warehouse, Query Data Warehouse, Make Decision
D. Create Data Warehouse, Analyze Data for Patterns, Make Decision
 
22. Digital Dashboard tracks in a user-friendly way: 
 

A. Airplane speed
B. Critical business failures
C. Critical business processes
D. Critical business projects
 
23. The first person to propose that XML be used as a means to electronically deliver financial information
was:
 

A. Albert Gore
B. Charles Hoffman
C. Manuel Sanchez
D. Kevin Kobelsky
 

24. XBRL GL, or XBRL Global Ledger Taxonomy, is different from XBRL US GAAP because it facilitates: 
 

A. Efficient communication between the firm and financial analysts.


B. Efficient communication within a firm.
C. Efficient communication between the firm and its suppliers.
D. Efficient communication between the firm and its customers.
 
25. The stated advantages of XBRL GL include: 
 

A. Flexibility
B. Wide acceptance by the market
C. Scalability
D. Network Effects
 
26. XBRL assurance is generally expected to include: 
 

A. The most current, standardized XBRL taxonomy is used.


B. The underlying financial and nonfinancial data that is used in XBRL tagging is reliable.
C. The XBRL tagging is accurate and complete.
D. The reports include all relevant financial and nonfinancial information.
 
27. XBRL stands for 
 

A. eXtensible Business Reporting Language.


B. eXtensible Behavioral Reporting Language.
C. eXtensible Book Reporting Language.
D. eXtensible Basic Reporting Language.
 
28. XBRL does all of the following except: 
 

A. Enhances speed and accuracy of business reporting.


B. Provides major benefits in the preparation, analysis and communication of business information.
C. Serves as a universal standard for financial reporting information in the individual investor community.
D. Facilitates business reporting of financial and nonfinancial data.
 
29. In February 2009, the _____________ passed the rule requiring all large domestic firms to begin
formatting their financial statements using XBRL. 
 

A. Financial Accounting Standards Board


B. International Accounting Standards Board
C. American Institute of Certified Public Accountants
D. Securities and Exchange Commission
 

30. A document containing XBRL elements is called a: 
 

A. XBRL Instance Document


B. XBRL Style Sheet
C. XBRL Report
D. XBRL Taxonomy
 
31. The process of using sophisticated statistical techniques to extract and analyze data from large databases to
discern patterns and trends that were not previously known is called: 
 

A. Data Mart
B. Data Mining
C. Data Warehouse
D. Business Intelligence
 
32. The tool that defines and describes each key data element (e.g., total assets, accounts payable, net income,
etc.) in XBRL is called _________
 

A. XBRL specification.
B. XBRL taxonomy.
C. XBRL style sheet.
D. XBRL instance document.
 
33. A computer-based information system that facilitates business decision-making activities is called a: 
 

A. Data Warehouse
B. Digital Dashboard
C. Decision Support System
D. Data Mart
 
 

Essay Questions
 

34. Name three internal and three external databases that you think should be included in a data warehouse for
Ford, Chrysler or General Motors. Support your answer. 
 

35. Name three internal and three external databases that you think should be included in a data warehouse for
Apple or Google. Support your answer. 
 

 
36. Name five items that you think would be included in a digital dashboard for your university. Why are these
critical business processes for them? 
 

 
37. Name five items that you think would be included in a digital dashboard for an organization that you are
familiar with (church, sorority, local not-for-profit, etc.) Why are these critical business processes for
them? 
 

 
38. Why would general economic information (GDP, interest rates, etc.) be included in a data warehouse?
Would they be more helpful for some companies than for others? 
 

39. How would Apple Computer use a data mart in its marketing area? How does that help designers of the
data warehouse know what to include? 
 

 
40. Why would competitor information be included in a data warehouse? How would it be used? 
 

 
41. Name five items that you think would be included in a digital dashboard for EBay. Why are these critical
business processes for them? 
 

 
42. Why is assurance needed on XBRL data? Why will financial analysts need assurance that the XBRL data is
correct? Support your answer. 
 

43. Why would the company want XBRL assurance if the IRS or SEC were going to be using its data? 
 

 
44. There is a different XBRL taxonomy for each country, including XBRL Australia, XBRL Canada, XBRL
Germany, XBRL Japan, XBRL-Netherlands, XBRL-US, and XBRL-UK. What would happen if there were
only one XBRL taxonomy for all countries? 
 

 
45. How would the XBRL style sheets be different for financial analysts as compared to the Internal Revenue
Service? 
 

 
46. Why is XBRL needed in the financial community? In your opinion, why did the Securities and Exchange
Commission mandate its usage? What does it provide that was not available before XBRL? 
 

47. How would XBRL GL be used for internal uses such as management accounting? 
 

 
48. How would XBRL GL facilitate the SEC-required XBRL submission of a company's regulatory filings? 
 

 
49. Data mining is often used to find patterns in stock prices to assist technical financial stock market analysts,
or in commodities or currency trading. What are the benefits and concerns with using data mining to find
patterns in stock prices? What would you need to feel comfortable enough to trade on these patterns? 
 

 
50. Data warehouses often serve as the main repository of the firm's historical data, or in other words, its
corporate memory, and will often serve as an archive of past firm performance. Besides past financial
performance, what historical data would a firm like McDonald's be interested in archiving in its data
warehouse? 
 

Chapter 09 Reporting Processes and eXtensible Business Reporting Language
(XBRL) Answer Key
 

True / False Questions


 

1. Data warehouses work together with operational systems to provide necessary insight, particularly in
the case of customer relationship management (CRM) and supply chain management (SCM) systems. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
2. Data warehouses are often designed to facilitate decision making, such as that often used in managerial
accounting, and to facilitate management by exception, such as variance reports, trend reports, variance
analysis reports, and reports that compare actual performance to budgeted information.
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
3. If data mining finds a statistical correlation or relationship between two data items, then there
exists a plausible relationship between those two data items in the real world.
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
 
4. XBRL is based on the XML language. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.

Source: Original
Topic: XBR
 
5. XBRL produces standardized reports and is not customizable. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
6. XBRL GL (also known as XBRL Global Ledger Taxonomy) serves as a means to facilitate efficient
communication within a firm. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
7. XBRL serves as a means to electronically communicate business information to facilitate business
reporting of financial and nonfinancial data to users. XBRL greatly enhances the speed and accuracy of
business reporting. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
8. XBRL instance documents describe each key data element (e.g., total assets, accounts payable, net
income, etc.).
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

9. XBRL allows highly disaggregated data so not only is it possible to know the level of sales, but it is
possible to know sales revenue in much more detail. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
10. Data warehouses gather information from external databases, but not from internal databases. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
11. XBRL style sheets take the instance documents and add presentation elements to make XBRL filings
readable by humans. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
12. Bank loan officers and the IRS will likely have different XBRL style sheets for the various XBRL
filings. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
13. Since both are regulators, the SEC and the IRS will likely have similar XBRL style sheets for the
various XBRL filings. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember

Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
14. XBRL (eXtensible Business Reporting Language) is an open, global standard for exchanging financial
reporting information. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
15. Data Mining is a process of using sophisticated statistical techniques to extract and analyze data from
large databases to discern patterns and trends that were not previously known. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
 
16. XBRL Instance Documents define and describe each key data element (e.g., total assets, accounts
payable, net income, etc.).
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
 

Multiple Choice Questions


 

17. Data mining is considered a technique of 


 

A.  Data Warehousing


B.  Project Management
C.  Data Martian
D.  Business Intelligence
 
AACSB: Reflective Thinking

AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Data Mining
 
18. A data warehouse may include a: 
 

A.  XBRL style sheet


B.  General Economic Information
C.  Digital Dashboard
D.  iPad Mini
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
19. Ford may use business intelligence to: 
 

A.  Track the cost of parts on its vehicles


B.  Monitor the price of their pilots and flight attendants
C.  Indicators of quality issues to pinpoint machinery failures in its assembly plants
D.  As inputs for its tax reporting system
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
 
20. A collection of information gathered from an assortment of external and operational (i.e., internal)
databases to facilitate reporting for decision making and business analysis is called 
 

A.  Business intelligence


B.  Data Warehouse
C.  Digital Dashboard
D.  XBRL
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 

21. The steps in business intelligence include: 
 

A.  Gather Information, Analyze Data for Patterns, Make Decision


B.  Analyze Data for Patterns, Gather Information, Make Decision
C.  Create Data Warehouse, Query Data Warehouse, Make Decision
D.  Create Data Warehouse, Analyze Data for Patterns, Make Decision
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
 
22. Digital Dashboard tracks in a user-friendly way: 
 

A.  Airplane speed


B.  Critical business failures
C.  Critical business processes
D.  Critical business projects
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
23. The first person to propose that XML be used as a means to electronically deliver financial
information was:
 

A.  Albert Gore


B.  Charles Hoffman
C.  Manuel Sanchez
D.  Kevin Kobelsky
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

24. XBRL GL, or XBRL Global Ledger Taxonomy, is different from XBRL US GAAP because it
facilitates: 
 

A.  Efficient communication between the firm and financial analysts.


B.  Efficient communication within a firm.
C.  Efficient communication between the firm and its suppliers.
D.  Efficient communication between the firm and its customers.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
25. The stated advantages of XBRL GL include: 
 

A.  Flexibility
B.  Wide acceptance by the market
C.  Scalability
D.  Network Effects
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
26. XBRL assurance is generally expected to include: 
 

A.  The most current, standardized XBRL taxonomy is used.


B.  The underlying financial and nonfinancial data that is used in XBRL tagging is reliable.
C.  The XBRL tagging is accurate and complete.
D.  The reports include all relevant financial and nonfinancial information.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

27. XBRL stands for 
 

A.  eXtensible Business Reporting Language.


B.  eXtensible Behavioral Reporting Language.
C.  eXtensible Book Reporting Language.
D.  eXtensible Basic Reporting Language.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
28. XBRL does all of the following except: 
 

A.  Enhances speed and accuracy of business reporting.


B.  Provides major benefits in the preparation, analysis and communication of business information.
C.  Serves as a universal standard for financial reporting information in the individual investor
community.
D.  Facilitates business reporting of financial and nonfinancial data.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
29. In February 2009, the _____________ passed the rule requiring all large domestic firms to begin
formatting their financial statements using XBRL. 
 

A.  Financial Accounting Standards Board


B.  International Accounting Standards Board
C.  American Institute of Certified Public Accountants
D.  Securities and Exchange Commission
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

30. A document containing XBRL elements is called a: 
 

A.  XBRL Instance Document


B.  XBRL Style Sheet
C.  XBRL Report
D.  XBRL Taxonomy
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
31. The process of using sophisticated statistical techniques to extract and analyze data from large databases
to discern patterns and trends that were not previously known is called: 
 

A.  Data Mart


B.  Data Mining
C.  Data Warehouse
D.  Business Intelligence
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
 
32. The tool that defines and describes each key data element (e.g., total assets, accounts payable, net
income, etc.) in XBRL is called _________
 

A.  XBRL specification.


B.  XBRL taxonomy.
C.  XBRL style sheet.
D.  XBRL instance document.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

33. A computer-based information system that facilitates business decision-making activities is called a: 
 

A.  Data Warehouse


B.  Digital Dashboard
C.  Decision Support System
D.  Data Mart
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
 

Essay Questions
 

34. Name three internal and three external databases that you think should be included in a data warehouse
for Ford, Chrysler or General Motors. Support your answer. 
 

Answers will vary depending on the student's knowledge of a car company, but could include supplier
info, financial statements and other financial reporting, general economics info, past car buying
behavior, buyer demographics, etc.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
35. Name three internal and three external databases that you think should be included in a data warehouse
for Apple or Google. Support your answer. 
 

Answers will vary depending on the student's knowledge of Apple and Google, but could include supplier
info, financial statements and other financial reporting, general economics info, past smartphone buying
behavior, buyer demographics, advertising models, etc.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse

 
36. Name five items that you think would be included in a digital dashboard for your university. Why are
these critical business processes for them? 
 

Answers will vary depending on the student's knowledge of the university. Universities always seem
interested in total student credit hours, retention rate, recruiting information, high school GPA of incoming
students, etc.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
37. Name five items that you think would be included in a digital dashboard for an organization that you are
familiar with (church, sorority, local not-for-profit, etc.) Why are these critical business processes for
them? 
 

Answers will vary depending on the student's knowledge of the organization.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
38. Why would general economic information (GDP, interest rates, etc.) be included in a data warehouse?
Would they be more helpful for some companies than for others? 
 

Answers will vary! All companies and their business models are affected by the general economic
performance. Some businesses do better in a poor economy, but the majority has worse performance.
Some are tightly correlated to the economy and others are not; therefore, some companies will have
more interest in general economic information in their data warehouse than others.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 

39. How would Apple Computer use a data mart in its marketing area? How does that help designers of the
data warehouse know what to include? 
 

Answers will vary! Designers of the data warehouse need to carefully query users of Apple's data mart
to see what information is needed and what information might potentially be useful, in order to know what to
include.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
40. Why would competitor information be included in a data warehouse? How would it be used? 
 

Answers will vary! Generally, companies cannot get too much information about their
competitors. Any prior trends or information that might be useful to predict competitor (and/or industry)
performance might be useful.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
 
41. Name five items that you think would be included in a digital dashboard for EBay. Why are these
critical business processes for them? 
 

Answers will vary! EBay might want to know information such as its daily sales, the daily average
dollar amount of each sale, some measure of its product mix, the number of new listings, referrals from
its web site to other websites, etc. These all seem like critical data for its object of selling products and
scooping up margins.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 

42. Why is assurance needed on XBRL data? Why will financial analysts need assurance that the XBRL
data is correct? Support your answer. 
 

Answers will vary! A potential solution might include that since XBRL can be quickly edited, changed
and manipulated, it would be nice to have some assurances as to what standards were followed and that
the numbers that come out of the XBRL have assurances associated with them.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
43. Why would the company want XBRL assurance if the IRS or SEC were going to be using its data? 
 

Answers will vary! A potential solution might include that the company wants to ensure that its
information is getting to banks, shareholders, potential investors, and financial analysts in a way that
provides assurance, which would be very useful to the company even if the IRS and SEC are using that data.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
44. There is a different XBRL taxonomy for each country, including XBRL Australia, XBRL Canada,
XBRL Germany, XBRL Japan, XBRL-Netherlands, XBRL-US, and XBRL-UK. What would happen if
there were only one XBRL taxonomy for all countries? 
 

Answers will vary! A potential solution might include a discussion of the differences in accounting
standards between countries and even that tagging/wording for a very similar account might be quite
different due to culture and language.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 

45. How would the XBRL style sheets be different for financial analysts as compared to the Internal
Revenue Service? 
 

Answers will vary! A potential solution might include a discussion of the different roles of the IRS and financial
analysts. The IRS is primarily interested in whether firms are paying sufficient taxes. Financial analysts
are interested in earnings prediction and stock market valuation which often requires very different
information; hence, a very different style sheet.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
46. Why is XBRL needed in the financial community? In your opinion, why did the Securities and
Exchange Commission mandate its usage? What does it provide that was not available before XBRL? 
 

Answers will vary! A potential solution might include a discussion of the SEC and its role in
establishing a level playing field for all investors. It might also include a discussion of the efficiencies
gained by the SEC.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
 
47. How would XBRL GL be used for internal uses such as management accounting? 
 

Answers will vary! A potential answer might include a discussion of how XBRL GL might be used to
quickly and efficiently share financial and managerial information throughout the organization.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 

48. How would XBRL GL facilitate the SEC-required XBRL submission of a company's regulatory
filings? 
 

Answers will vary! A potential answer might include a discussion of how XBRL GL might be used to
quickly and efficiently transmit information required by the SEC.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
49. Data mining is often used to find patterns in stock prices to assist technical financial stock market
analysts, or in commodities or currency trading. What are the benefits and concerns with using data
mining to find patterns in stock prices? What would you need to feel comfortable enough to trade on
these patterns? 
 

Answers will vary! A potential answer might include a discussion of the power of data mining in
finding patterns. However, to the extent that these patterns of past performance do not correlate with
future performance, an investor may not feel comfortable trading based on those patterns.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
 
50. Data warehouses often serve as the main repository of the firm's historical data, or in other words, its
corporate memory, and will often serve as an archive of past firm performance. Besides past financial
performance, what historical data would a firm like McDonald's be interested in archiving in its data
warehouse? 
 

Answers will vary! A potential answer might include discussion of how data warehouses might detail
past special promotions, special products, details on store locations that worked well, customer
demographics, customer eating palate information, employee incentive programs, customer
satisfaction, etc.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original

Topic: Digital Dashboards
 

Chapter 10

Accounting Information Systems and Internal Controls


 

True / False Questions


 

1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors
to assess and report on the design and effectiveness of internal control over financial reporting annually. 
 
True    False
 
2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to establish
and maintain the effectiveness of internal control. 
 
True    False
 
3. In a computerized environment, internal controls can be categorized as general controls and application
controls. 
 
True    False
 
4. Internal controls guarantee the accuracy and reliability of accounting records. 
 
True    False
 
5. Segregation of duties reduces the risk of errors and irregularities in accounting records. 
 
True    False
 
6. The chief executive officer is ultimately responsible for enterprise risk management. 
 
True    False
 
7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount of revenue
on the company's income statement is classified as inherent risk. 
 
True    False
 
8. Processing controls are IT general controls. 
 
True    False
 
9. COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for
IT governance in the U.S. 
 
True    False
 

10. The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating,
monitoring, maintaining, and improving information security. 
 
True    False
 
11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting
Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide
independent oversight of public accounting firms. 
 
True    False
 
12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages
auditors to start from the basic/bottom of financial records to identify the key controls. 
 
True    False
 
13. Corporate governance is a set of processes and policies in managing an organization with sound ethics to
safeguard the interests of its stakeholders. 
 
True    False
 
14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in
itself. 
 
True    False
 
15. A firm must establish control policies, procedures, and practices that ensure the firm's business objectives
are achieved and its risk mitigation strategies are carried out. 
 
True    False
 
 

Multiple Choice Questions


 

16. According to COSO, which of the following components of the enterprise risk management addresses an
entity's integrity and ethical values? 
 

A. Information and communication.
B. Internal environment.
C. Risk assessment.
D. Control activities.
 
17. Which of the following items is one of the eight components of COSO's enterprise risk management
framework? 
 

A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.
 

18. In a large public corporation, evaluating internal control procedures should be the responsibility of: 
 

A. Accounting management staff who report to the CFO.
B. Internal audit staff who report to the board of directors.
C. Operations management staff who report to the chief operating officer.
D. Security management staff who report to the chief facilities officer.
 
19. Which of the following represents an inherent limitation of internal controls? 
 

A. Bank reconciliations are not performed on a timely basis.
B. The CEO can request a check with no purchase order.
C. Customer credit check not performed.
D. Shipping documents are not matched to sales invoices.
 
20. Which of the following is the best way to compensate for the lack of adequate segregation of duties in a
small organization? 
 

A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Allowing for greater management oversight of incompatible activities.
 
21. Review of the audit log is an example of which of the following types of security control? 
 

A. Governance.
B. Detective.
C. Preventive.
D. Corrective.
 
22. Which of the following is not a component of internal control as defined by COSO? 
 

A. Control environment.
B. Control activities.
C. Inherent risk
D. Monitoring.
 
23. Which of the following is considered an application input control? 
 

A. Run control total.
B. Edit check.
C. Reporting distribution log.
D. Exception report.
 

24. Which of the following control activities should be taken to reduce the risk of incorrect processing in a
newly installed computerized accounting system? 
 

A. Segregation of duties.
B. Ensure proper authorization of transactions.
C. Adequately safeguard assets.
D. Independently verify the transactions.
 
25. Which of the following statements is correct regarding internal control? 
 

A. A well-designed internal control environment ensures the achievement of an entity's control objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by management
override.
C. A well-designed and operated internal control environment should detect collusion perpetrated by two
people.
D. Internal control is a necessary business function and should be designed and operated to detect errors
and fraud.
 
26. Obtaining an understanding of an internal control involves evaluating the design of the control and
determining whether the control has been: 
 

A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.
 
27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to
relocate its production facilities. According to COSO, this decision represents which of the following
responses to the risk? 
 

A. Risk reduction.
B. Prospect theory.
C. Risk sharing.
D. Risk acceptance.
 
28. Each of the following types of controls is considered to be an entity-level control, except those: 
 

A. Relating to the control environment.
B. Pertaining to the company's risk assessment process.
C. Regarding the company's annual stockholder meeting.
D. Addressing policies over significant risk management practices
 

29. Controls in the information technology area are classified into preventive, detective, and corrective
categories. Which of the following is a preventive control? 
 

A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.
 
30. All of the following are examples of internal control procedures except 
 

A. Using pre-numbered documents
B. Reconciling the bank statement
C. Customer satisfaction surveys
D. Insistence that employees take vacations
 
31. The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related to: 
 

A. Accounting practice.
B. Attestation.
C. Auditing.
D. Quality control over attestation and/or assurance.
 
32. Which of the following most likely would not be considered as an inherent limitation of the effectiveness of
a firm's internal control? 
 

A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
 
33. According to COSO which of the following is not a component of internal control? 
 

A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.
 
34. When considering internal control, an auditor should be aware of reasonable assurance, which recognizes
that 
 

A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain proper
accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be derived.
 

35. Proper segregation of duties calls for separation of the following functions: 
 

A. Authorization, execution, and payment.
B. Authorization, recording, and custody.
C. Custody, execution, and reporting.
D. Authorization, payment, and recording.
 
36. An entity's ongoing monitoring activities often include 
 

A. Periodic audits by the audit committee.
B. Reviewing the purchasing function.
C. The audit of the annual financial statements.
D. Control risk assessment in conjunction with quarterly reviews.
 
37. The overall attitude and awareness of a firm's top management and board of directors concerning the
importance of internal control is often reflected in its 
 

A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.
 
38. Management philosophy and operating style would have a relatively less significant influence on a firm's
control environment when 
 

A. The internal auditor reports directly to the controller.
B. Management is dominated by one individual.
C. Accurate management job descriptions delineate specific duties.
D. The audit committee does not have regular meetings.
 
39. Control risk should be assessed in terms of 
 

A. Specific controls.
B. Types of potential fraud.
C. Financial statement assertions.
D. Control environment factors.
 
40. An auditor assesses control risk because it 
 

A. is relevant to the auditor's understanding of the control environment.
B. provides assurance that the auditor's materiality levels are appropriate.
C. indicates to the auditor where inherent risk may be the greatest.
D. affects the level of detection risk that the auditor may accept.
 

41. The framework that could be used by management in its internal control assessment under the requirements of SOX
is the: 
 

A. COSO internal framework.
B. COSO enterprise risk management framework.
C. COBIT framework.
D. All of the above are correct.
 
42. The internal control provisions of SOX apply to which companies in the United States? 
 

A. All companies.
B. SEC registrants.
C. All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net
worth.
D. All nonissuer companies.
 
43. Reconciliation of cash accounts may be referred to as what type of control? 
 

A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.
 
44. Sound internal control dictates that immediately upon receiving checks from customers by mail, a
responsible employee should 
 

A. Add the checks to the daily cash summary.
B. Verify that each check is supported by a pre-numbered sales invoice.
C. Prepare a summary listing of checks received.
D. Record the checks in the cash receipts journal.
 
45. Tracing shipping documents to pre-numbered sales invoices provides evidence that 
 

A. No duplicate shipments or billings occurred.
B. Shipments to customers were properly invoiced.
C. All goods ordered by customers were shipped.
D. All pre-numbered sales invoices were accounted for.
 
46. Which of the following input controls is a numeric value computed to provide assurance that the original
value has not been altered in construction or transmission? 
 

A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.
 

47. A customer intended to order 100 units of a product A, but incorrectly ordered nonexistent product B.
Which of the following controls most likely would detect this error? 
 

A. Validity check
B. Record count
C. Hash total
D. Parity check
 
48. Which of the following is an example of a validity check? 
 

A. The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the
errors are printed out.
C. The computer flags any transmission for which the control field value did not match that of an existing
file record.
D. After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
 
49. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the
group? 
 

A. Check digit.
B. Validity check.
C. Echo check.
D. Limit check.
 
 

Essay Questions
 

50. Put the listed steps in the corresponding parentheses in the risk assessment and response approach diagram
below.

(A) Avoid, share or accept risk
(B) Reduce risk by implementing controls
(C) Is it cost beneficial to protect the firm from the risk?
(D) Estimate the likelihood of each risk occurring
(E) Identify control to mitigate the risk
(F) Estimate the costs and benefits from instituting controls
(G) Identify the risks
(H) Estimate the impact or potential loss, from each risk

    
 

51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public accounting
firms? 
 

 
52. Describe the three categories of objectives and five essential components of the COSO 2.0 framework. 
 

 
53. What are the three main functions of COSO ERM? 
 

 
54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework? 
 

55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control environment? 
 

 
56. The information system of Company ABC is deemed to be 90% reliable. A major threat has been identified
with an exposure of $5,000,000. Two control procedures exist to deal with the threat. Implementation of
control A would cost $140,000 and reduce the risk to 4%. Implementation of control B would cost
$100,000 and reduce the risk to 6%. Implementation of both controls would cost $220,000 and reduce the
risk to 2%. Given the data and based solely on an economic analysis of costs and benefits, which control
procedure should you choose? 
 

 
57. Which internal control(s) would you recommend to prevent the following situations from occurring?

a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent account
number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk entered the
same number into the system, and the payment was credited to another customer's account.
c. After processing a large sales transaction, the inventory records showed negative quantities on hand for
several items. 
 

Chapter 10 Accounting Information Systems and Internal Controls Answer Key
 

True / False Questions


 

1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their
auditors to assess and report on the design and effectiveness of internal control over financial reporting
annually. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Reporting
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to
establish and maintain the effectiveness of internal control. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
3. In a computerized environment, internal controls can be categorized as general controls and application
controls. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Control and Governance Frameworks
 
4. Internal controls guarantee the accuracy and reliability of accounting records. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original

Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
5. Segregation of duties reduces the risk of errors and irregularities in accounting records. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
6. The chief executive officer is ultimately responsible for enterprise risk management. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount of
revenue on the company's income statement is classified as inherent risk. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
8. Processing controls are IT general controls. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

9. COBIT (Control Objectives for Information and related Technology) is a generally accepted framework
for IT governance in the U.S. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks
 
10. The main objective of the ISO 27000 series is to provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving information security. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-04 Describe other governance frameworks related to information systems management and security.
Source: Original
Topic: Control and Governance Frameworks
 
11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting
Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide
independent oversight of public accounting firms. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages
auditors to start from the basic/bottom of financial records to identify the key controls. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
13. Corporate governance is a set of processes and policies in managing an organization with sound ethics
to safeguard the interests of its stakeholders. 
 
TRUE
 
AACSB: Reflective Thinking

AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an
end in itself. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
15. A firm must establish control policies, procedures, and practices that ensure the firm's business
objectives are achieved and its risk mitigation strategies are carried out. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
 

Multiple Choice Questions


 

16. According to COSO, which of the following components of the enterprise risk management addresses
an entity's integrity and ethical values? 
 

A.  Information and communication.
B.  Internal environment.
C.  Risk assessment.
D.  Control activities.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks
 

17. Which of the following items is one of the eight components of COSO's enterprise risk management
framework? 
 

A.  Operations.
B.  Reporting.
C.  Monitoring.
D.  Compliance.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
18. In a large public corporation, evaluating internal control procedures should be the responsibility of: 
 

A.  Accounting management staff who report to the CFO.


B.  Internal audit staff who report to the board of directors.
C.  Operations management staff who report to the chief operation officer.
D.  Security management staff who report to the chief facilities officer.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Reporting
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: CPA 2012 examination, adapted
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
19. Which of the following represents an inherent limitation of internal controls? 
 

A.  Bank reconciliations are not performed on a timely basis.


B.  The CEO can request a check with no purchase order.
C.  Customer credit check not performed.
D.  Shipping documents are not matched to sales invoices.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks
 

20. Which of the following is the best way to compensate for the lack of adequate segregation of duties in a
small organization? 
 

A.  Disclosing lack of segregation of duties to external auditors during the annual review.
B.  Replacing personnel every three or four years.
C.  Requiring accountants to pass a yearly background check.
D.  Allowing for greater management oversight of incompatible activities.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
21. Review of the audit log is an example of which of the following types of security control? 
 

A.  Governance.
B.  Detective.
C.  Preventive.
D.  Corrective.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
22. Which of the following is not a component of internal control as defined by COSO? 
 

A.  Control environment.


B.  Control activities.
C.  Inherent risk
D.  Monitoring.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks
 

23. Which of the following is considered an application input control? 
 

A.  Run control total.


B.  Edit check.
C.  Reporting distribution log.
D.  Exception report.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2010 examination, adapted
Topic: Control and Governance Frameworks
 
24. Which of the following control activities should be taken to reduce the risk of incorrect processing in a
newly installed computerized accounting system? 
 

A.  Segregation of duties.


B.  Ensure proper authorization of transactions.
C.  Adequately safeguard assets.
D.  Independently verify the transactions.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
25. Which of the following statements is correct regarding internal control? 
 

A.  A well-designed internal control environment ensures the achievement of an entity's control
objectives.
B.  An inherent limitation to internal control is the fact that controls can be circumvented by
management override.
C.  A well-designed and operated internal control environment should detect collusion perpetrated by
two people.
D.  Internal control is a necessary business function and should be designed and operated to detect
errors and fraud.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks
 

26. Obtaining an understanding of an internal control involves evaluating the design of the control and
determining whether the control has been: 
 

A.  Authorized.
B.  Implemented.
C.  Tested.
D.  Monitored.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it
decided to relocate its production facilities. According to COSO, this decision represents which of the
following responses to the risk? 
 

A.  Risk reduction.


B.  Prospect theory.
C.  Risk sharing.
D.  Risk acceptance.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
 
28. Each of the following types of controls is considered to be an entity-level control, except those: 
 

A.  Relating to the control environment.


B.  Pertaining to the company's risk assessment process.
C.  Regarding the company's annual stockholder meeting.
D.  Addressing policies over significant risk management practices
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks
 

29. Controls in the information technology area are classified into preventive, detective, and corrective
categories. Which of the following is a preventive control? 
 

A.  Contingency planning.


B.  Hash total.
C.  Echo check.
D.  Access control software.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2009 examination, adapted
Topic: Control and Governance Frameworks
 
30. All of the following are examples of internal control procedures except 
 

A.  Using pre-numbered documents


B.  Reconciling the bank statement
C.  Customer satisfaction surveys
D.  Insistence that employees take vacations
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
31. The Public Company Accounting Oversight Board (PCAOB) is not responsible for standards related to: 
 

A.  Accounting practice.


B.  Attestation.
C.  Auditing.
D.  Quality control over attestation and/or assurance.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 

32. Which of the following most likely would not be considered as an inherent limitation of the
effectiveness of a firm's internal control? 
 

A.  Incompatible duties.


B.  Management override.
C.  Mistakes in judgment.
D.  Collusion among employees.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
33. According to COSO which of the following is not a component of internal control? 
 

A.  Control risk.


B.  Control activities.
C.  Monitoring.
D.  Control environment.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
34. When considering internal control, an auditor should be aware of reasonable assurance, which
recognizes that 
 

A.  Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B.  Adequate safeguards over access to assets and records should permit an entity to maintain proper
accountability.
C.  Establishing and maintaining internal control is an important responsibility of management.
D.  The cost of an entity's internal control should not exceed the benefits expected to be derived.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

35. Proper segregation of duties calls for separation of the following functions: 
 

A.  Authorization, execution, and payment.


B.  Authorization, recording, and custody.
C.  Custody, execution, and reporting.
D.  Authorization, payment, and recording.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
36. An entity's ongoing monitoring activities often include 
 

A.  Periodic audits by the audit committee.


B.  Reviewing the purchasing function.
C.  The audit of the annual financial statements.
D.  Control risk assessment in conjunction with quarterly reviews.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
37. The overall attitude and awareness of a firm's top management and board of directors concerning the
importance of internal control is often reflected in its 
 

A.  Computer-based controls.


B.  System of segregation of duties.
C.  Control environment.
D.  Safeguards over access to assets.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

38. Management philosophy and operating style would have a relatively less significant influence on a
firm's control environment when 
 

A.  The internal auditor reports directly to the controller.


B.  Management is dominated by one individual.
C.  Accurate management job descriptions delineate specific duties.
D.  The audit committee does not have regular meetings.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
39. Control risk should be assessed in terms of 
 

A.  Specific controls.


B.  Types of potential fraud.
C.  Financial statement assertions.
D.  Control environment factors.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
40. An auditor assesses control risk because it 
 

A.  is relevant to the auditor's understanding of the control environment.


B.  provides assurance that the auditor's materiality levels are appropriate.
C.  indicates to the auditor where inherent risk may be the greatest.
D.  affects the level of detection risk that the auditor may accept.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

41. The framework that could be used by management in its internal control assessment under the
requirements of SOX is the: 
 

A.  COSO internal framework.


B.  COSO enterprise risk management framework.
C.  COBIT framework.
D.  All of the above are correct.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
42. The internal control provisions of SOX apply to which companies in the United States? 
 

A.  All companies.


B.  SEC registrants.
C.  All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of
net worth.
D.  All nonissuer companies.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
43. Reconciliation of cash accounts may be referred to as what type of control? 
 

A.  Detective.
B.  Preventive.
C.  Adjustive.
D.  Non-routine.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

44. Sound internal control dictates that immediately upon receiving checks from customers by mail, a
responsible employee should 
 

A.  Add the checks to the daily cash summary.


B.  Verify that each check is supported by a pre-numbered sales invoice.
C.  Prepare a summary listing of checks received.
D.  Record the checks in the cash receipts journal.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
45. Tracing shipping documents to pre-numbered sales invoices provides evidence that 
 

A.  No duplicate shipments or billings occurred.


B.  Shipments to customers were properly invoiced.
C.  All goods ordered by customers were shipped.
D.  All pre-numbered sales invoices were accounted for.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
46. Which of the following input controls is a numeric value computed to provide assurance that the
original value has not been altered in construction or transmission? 
 

A.  Hash total.


B.  Parity check.
C.  Encryption.
D.  Check digit.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

47. A customer intended to order 100 units of product A, but incorrectly ordered nonexistent product B.
Which of the following controls most likely would detect this error? 
 

A.  Validity check


B.  Record count
C.  Hash total
D.  Parity check
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
48. Which of the following is an example of a validity check? 
 

A.  The computer ensures that a numerical amount in a record does not exceed some predetermined
amount.
B.  As the computer corrects errors and data are successfully resubmitted to the system, the causes of
the errors are printed out.
C.  The computer flags any transmission for which the control field value did not match that of an
existing file record.
D.  After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
49. Which of the following is a computer test made to ascertain whether a given characteristic belongs to
the group? 
 

A.  Check digit.


B.  Validity check.
C.  Echo check.
D.  Limit check.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

 

Essay Questions
 

50. Put the listed steps in the corresponding parentheses in the risk assessment and response approach
diagram below.

(A) Avoid, share or accept risk


(B) Reduce risk by implementing controls
(C) Is it cost beneficial to protect the firm from the risk?
(D) Estimate the likelihood of each risk occurring
(E) Identify control to mitigate the risk
(F) Estimate the costs and benefits from instituting controls
(G) Identify the risks
(H) Estimate the impact or potential loss, from each risk

    
 

G D H E F C A (No) B (yes)

   

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public
accounting firms? 
 

SOX requires public companies registered with the SEC and their auditors to annually assess and report
on the design and effectiveness of internal control over financial reporting.

SOX also established the Public Company Accounting Oversight Board (PCAOB) to provide
independent oversight of public accounting firms. The PCAOB issues auditing standards and oversees
quality controls of public accounting firms.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
 
52. Describe the three categories of objectives and five essential components of the COSO 2.0 framework. 
 

Objectives:

1) Operations Objectives - effectiveness and efficiency of a firm's operations on financial performance
goals and safeguarding assets.
2) Reporting Objectives - reliability of reporting, including internal and external financial and
non-financial reporting.
3) Compliance Objectives - adherence to applicable laws and regulations.

Five components of internal control:

1) Control Environment — includes the management's philosophy and operating style, integrity and
ethical values of employees, organizational structure, the role of the audit committee, proper board
oversight for the development and performance of internal control, and personnel policies and practices.
2) Risk Assessment — Risk assessment involves a dynamic process for identifying and analyzing a
firm's risks from external and internal environments.
3) Control Activities — A firm must establish control policies, procedures, and practices that ensure the
firm's objectives are achieved and risk mitigation strategies are carried out.
4) Information and Communication — Relevant information should be identified, captured, and
communicated in a form and timeframe that enables employees to carry out their duties.
5) Monitoring Activities — The design and effectiveness of internal controls should be monitored by
management and other parties outside the process on an ongoing basis.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

53. What are the three main functions of COSO ERM? 
 

   Identifies potential events that may affect the firm

   Manages risk to be within the firm's risk appetite

   Provides reasonable assurance regarding the achievement of the firm's objectives.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework? 
 

COBIT 5.0 defines "governance" as ensuring that firm objectives are achieved by evaluating
stakeholder needs; setting direction through decision making; and monitoring performance, compliance
and progress. In most firms, the board of directors is responsible for governance. Per COBIT 5,
"management" includes planning, building, running and monitoring activities in alignment with the
direction in achieving the firm objectives.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Reporting
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks
 
55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control
environment? 
 

Students' answers may vary.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original

Topic: Control and Governance Frameworks
 
56. The information system of Company ABC is deemed to be 90% reliable. A major threat has been
identified with an exposure of $5,000,000. Two control procedures exist to deal with the threat.
Implementation of control A would cost $140,000 and reduce the risk to 4%. Implementation of
control B would cost $100,000 and reduce the risk to 6%. Implementation of both controls would cost
$220,000 and reduce the risk to 2%. Given the data and based solely on an economic analysis of costs
and benefits, which control procedure should you choose? 
 

Estimate value of control A: 5,000,000*(10% - 4%) = $300,000 (problem states that Control A reduces
the risk TO 4%)
Estimate value of control B: 5,000,000*(10% - 6%) = $200,000 (problem states that Control A reduced
the risk TO 6%)
Estimate value of control A&B: 5,000,000*(10% - 2%) = $400,000
Benefits exceed cost of A: 300,000 - 140,000 = 160,000
Benefits exceed cost of B: 200,000 - 100,000 = 100,000
Benefits exceed cost of A&B: 400,000 - 220,000 = 180,000
Choose Control C.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 
57. Which internal control(s) would you recommend to prevent the following situations from occurring?

a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent account
number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk entered
the same number into the system, and the payment was credited to another customer's account.
c. After processing a large sales transaction, the inventory records showed negative quantities on hand
for several items. 
 

a. Use Validity check for actual customer records.


b. Use Closed-loop verification when entering customers' account numbers.
c. Use sign check on quantity on hand.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
 

Chapter 11

Information Security and Computer Fraud


 

True / False Questions


 

1. Fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud. 
 
True    False
 
2. The goal of information security management is to maintain confidentiality, integrity and availability of a
firm's information. 
 
True    False
 
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for
storage. 
 
True    False
 
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages. 
 
True    False
 
5. Key distribution and key management are problematic under the symmetric-key encryption. 
 
True    False
 
6. Symmetric-key encryption method is used to authenticate users. 
 
True    False
 
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a private
key. 
 
True    False
 
8. A company's audit committee is responsible for fraud risk assessments. 
 
True    False
 
9. One type of fault tolerance is using redundant units to provide a system the ability to continue functioning
when part of the system fails. 
 
True    False
 

10. Disaster recovery planning and business continuity management are preventive controls. 
 
True    False
 
11. Information security is a critical factor in maintaining systems integrity. 
 
True    False
 
12. The goal of information security management is to enhance the confidence, integrity and authority (CIA) of
a firm's management. 
 
True    False
 
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to
spread itself. 
 
True    False
 
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files. 
 
True    False
 
15. Encryption and hashing are similar processes to maintain data confidentiality.
 
True    False
 
 

Multiple Choice Questions


 

16. Integrity of information means the information is: 


 

A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
 
17. Which of the following statements is incorrect about digital signature? 
 

A. A digital signature can ensure data integrity.
B. A digital signature also authenticates the document creator.
C. A digital signature is an encrypted message digest.
D. A digital signature is a message digest encrypted using the document creator's public key.
 

18. What is the primary objective of data security controls? 
 

A. To establish a framework for controlling the design, security, and use of computer programs throughout
an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed.
D. To monitor the use of system software to prevent unauthorized access to system software and computer
programs.
 
19. An entity doing business on the internet most likely could use any of the following methods to prevent
unauthorized intruders from accessing proprietary information except: 
 

A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.
 
20. When a client's accounts payable computer system was relocated, the administrator provided support through
a dial-up connection to the server. Subsequently, the administrator left the company. No changes were made to
the accounts payable system at that time. Which of the following situations represents the greatest security
risk? 
 

A. User passwords are not required to be in alphanumeric format.
B. Management procedures for user accounts are not documented.
C. User accounts are not removed upon termination of employees.
D. Security logs are not periodically reviewed for violations.
 
21. Which of the following statements presents an example of a general control for a computerized system?
 

A. Limiting entry of sales transactions to only valid credit customers.
B. Creating hash totals from social security number for the weekly payroll.
C. Restricting entry of accounts payable transactions to only authorized users.
D. Restricting access to the computer center by use of biometric devices.
 
22. Which of the following outcomes is a likely benefit of information technology used for internal control? 
 

A. Processing of unusual or nonrecurring transactions.
B. Enhanced timeliness of information.
C. Potential loss of data.
D. Recording of unauthorized transactions.
 

23. In a large multinational organization, which of the following job responsibilities should be assigned to the
network administrator?
 

A. Managing remote access.
B. Developing application programs.
C. Reviewing security policy.
D. Installing operating system upgrades.
 
24. An information technology director collected the names and locations of key vendors, current hardware
configuration, names of team members, and an alternative processing location. What is the director most
likely preparing? 
 

A. Data restoration plan.
B. Disaster recovery plan.
C. System security policy.
D. System hardware policy.
 
25. Bacchus, Inc. is a large multinational corporation with various business units around the world. After a fire
destroyed the corporation headquarters and largest manufacturing site, plans for which of the following
would help Bacchus ensure a timely recovery? 
 

A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.
 
26. Which of the following statements regarding authentication in conducting e-business is incorrect? 
 

A. It is a process that establishes the origin of information or determines the identity of a user, process, or
device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
 
27. Which of the following is not included in the remediation phase for vulnerability management?
 

A. Risk Response Plan
B. Policy and procedures for remediation
C. Vulnerability Prioritization
D. Control Implementation
 

28. Which of the following does not represent a viable data backup method? 
 

A. Disaster recovery plan
B. Redundant arrays of independent drives
C. Virtualization
D. Cloud computing
 
29. Which of the following statements about asymmetric-key encryption is correct? 
 

A. When using asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their employees.
E. Two of the above are correct.
 
30. Which of the following statements is incorrect? 
 

A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D. A fraud prevention program should include an evaluation on the efficiency of business processes.
 
31. A disaster recovery approach should include which of the following elements: 
 

A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
 
32. Which of the following passwords would be most difficult to crack? 
 

A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
 
33. Which of the following is a password security weakness? 
 

A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of online password dictionary.
 

34. To prevent invalid data input, a bank added an extra number at the end of each account number and
subjected the new number to an algorithm. This technique is known as: 
 

A. A validation check.
B. Check digit verification.
C. A dependency check.
D. A format check.
 
35. Which of the following security controls would best prevent unauthorized access to a firm's internal
network? 
 

A. Use of a screen saver with a password.
B. Use of a firewall.
C. Encryption of data files.
D. Automatic log-off of inactive users.
 
36. Why does a Certificate Authority (CA) play an important role in a company's information security
management? 
 

A. Using a CA is required by SOX in managing information security.
B. Most companies use CA to manage their employees' public keys.
C. CA creates and maintains both the public and private keys for a company's employees.
D. None of the above is correct.
 
37. When computer programs or files can be accessed from terminals, users should be required to enter a(n) 
 

A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
 
38. Which of the following controls would most likely assure that a company can reconstruct its financial
records? 
 

A. Security controls such as firewalls
B. Backup data are tested and stored safely
C. Personnel understand the data very well
D. Paper records
 
39. Why would companies want to use digital signatures when conducting e-business? 
 

A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
 

40. Select a correct statement regarding encryption methods.
 

A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer using symmetric-key encryption to the asymmetric-key encryption method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate
authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption
methods.
 
 

Essay Questions
 

41. A magnetic tape used to store data backups was lost while it was being transported to an offsite storage
location. The data on the tape includes customers' credit card and personal information. Which preventive
control(s) should have been used to minimize the potential loss? 
 

 
42. List the following steps regarding computer fraud risk assessments in sequence.

(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls. 
 

43. Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in
e-business.
 

 
44. What are the two prerequisites for vulnerability management? 
 

 
45. Describe the framework for vulnerability assessment and vulnerability management. 
 

 
46. What is included in disaster recovery planning and business continuity management? Are these concepts
related? 
 

47. What is a digital signature? How could a digital signature ensure data integrity when conducting
e-business?
 

Chapter 11 Information Security and Computer Fraud Answer Key
 

True / False Questions


 

1. The fraud triangle includes incentive, opportunity and an attitude to rationalize the fraud.
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
2. The goal of information security management is to maintain confidentiality, integrity and availability of
a firm's information. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for
storage. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 

5. Key distribution and key management are problematic under symmetric-key encryption.
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
6. Symmetric-key encryption method is used to authenticate users. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a
private key. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
8. A company's audit committee is responsible for fraud risk assessments. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.

Source: Original
Topic: System availability, disaster recovery and business continuity
 
10. Disaster recovery planning and business continuity management are preventive controls. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
 
11. Information security is a critical factor in maintaining systems integrity. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 
12. The goal of information security management is to enhance the confidence, integrity and authority
(CIA) of a firm's management. 
 
TRUE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to
spread itself. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files. 
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making

Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 
15. Encryption and hashing are similar processes to maintain data confidentiality.
 
FALSE
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
 

Multiple Choice Questions


 

16. Integrity of information means the information is: 


 

A.  Accurate
B.  Complete
C.  Accessible
D.  A and B are correct.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
17. Which of the following statements is incorrect about digital signature? 
 

A.  A digital signature can ensure data integrity.
B.  A digital signature also authenticates the document creator.
C.  A digital signature is an encrypted message digest.
D.  A digital signature is a message digest encrypted using the document creator's public key.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 

18. What is the primary objective of data security controls? 
 

A.  To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B.  To ensure that data storage media are subject to authorization prior to access, change, or destruction.
C.  To formalize standards, rules, and procedures to ensure the organization's controls are properly
executed.
D.  To monitor the use of system software to prevent unauthorized access to system software and
computer programs.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: CPA 2011 Examination, adapted
Topic: Vulnerability management and assessments
 
19. An entity doing business on the internet most likely could use any of the following methods to prevent
unauthorized intruders from accessing proprietary information except: 
 

A.  Password management.
B.  Data encryption.
C.  Digital certificates.
D.  Batch processing.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: CPA 2010 Examination, adapted
Topic: Information security and systems integrity
 
20. When a client's accounts payable computer system was relocated, the administrator provided support
through a dial-up connection to the server. Subsequently, the administrator left the company. No changes
were made to the accounts payable system at that time. Which of the following situations represents the
greatest security risk? 
 

A.  User passwords are not required to be in alphanumeric format.
B.  Management procedures for user accounts are not documented.
C.  User accounts are not removed upon termination of employees.
D.  Security logs are not periodically reviewed for violations.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2010 Examination, adapted
Topic: Vulnerability management and assessments
 

21. Which of the following statements presents an example of a general control for a computerized system?
 

A.  Limiting entry of sales transactions to only valid credit customers.
B.  Creating hash totals from social security number for the weekly payroll.
C.  Restricting entry of accounts payable transactions to only authorized users.
D.  Restricting access to the computer center by use of biometric devices.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2012 Examination, adapted
Topic: Computer fraud and abuse
 
22. Which of the following outcomes is a likely benefit of information technology used for internal
control? 
 

A.  Processing of unusual or nonrecurring transactions.
B.  Enhanced timeliness of information.
C.  Potential loss of data.
D.  Recording of unauthorized transactions.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2010 Examination, adapted
Topic: Computer fraud and abuse
 
23. In a large multinational organization, which of the following job responsibilities should be assigned to
the network administrator?
 

A.  Managing remote access.
B.  Developing application programs.
C.  Reviewing security policy.
D.  Installing operating system upgrades.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: CPA 2009 Examination, adapted
Topic: Computer fraud and abuse
 

24. An information technology director collected the names and locations of key vendors, current hardware
configuration, names of team members, and an alternative processing location. What is the director most
likely preparing? 
 

A.  Data restoration plan.
B.  Disaster recovery plan.
C.  System security policy.
D.  System hardware policy.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: CPA 2009 Examination, adapted
Topic: System availability, disaster recovery and business continuity
 
25. Bacchus, Inc. is a large multinational corporation with various business units around the world. After a
fire destroyed the corporation headquarters and largest manufacturing site, plans for which of the
following would help Bacchus ensure a timely recovery? 
 

A.  Daily backup.
B.  Network security.
C.  Business continuity.
D.  Backup power.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: CPA 2009 Examination, adapted
Topic: System availability, disaster recovery and business continuity
 
26. Which of the following statements regarding authentication in conducting e-business is incorrect? 
 

A.  It is a process that establishes the origin of information or determines the identity of a user, process,
or device.
B.  One key is used for encryption and decryption purposes in the authentication process.
C.  Successful authentication can prevent repudiation in electronic transactions.
D.  We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 

27. Which of the following is not included in the remediation phase for vulnerability management?
 

A.  Risk Response Plan
B.  Policy and procedures for remediation
C.  Vulnerability Prioritization
D.  Control Implementation
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments
 
28. Which of the following does not represent a viable data backup method? 
 

A.  Disaster recovery plan
B.  Redundant arrays of independent drives
C.  Virtualization
D.  Cloud computing
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
 
29. Which of the following statements about asymmetric-key encryption is correct? 
 

A.  When using asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B.  Employees in the same company share the same public key.
C.  Most companies would like to manage the private keys for their employees.
D.  Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E.  Two of the above are correct.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 

30. Which of the following statements is incorrect? 
 

A.  A fraud prevention program starts with a fraud risk assessment across the entire firm.
B.  The audit committee typically has an oversight role in risk assessment process.
C.  Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D.  A fraud prevention program should include an evaluation on the efficiency of business processes.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
31. A disaster recovery approach should include which of the following elements: 
 

A.  Encryption.
B.  Firewalls.
C.  Regular backups.
D.  Surge protectors.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
 
32. Which of the following passwords would be most difficult to crack? 
 

A.  Go2Ca!ifornia4fun
B.  language
C.  jennyjenny
D.  pass56word
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
 

33. Which of the following is a password security weakness? 
 

A.  Users are assigned passwords when accounts are created, but do not change them.
B.  Users have accounts on several systems with different passwords.
C.  Users write down their passwords on a note paper, and carry it with them.
D.  Users select passwords that are not part of online password dictionary.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
34. To prevent invalid data input, a bank added an extra number at the end of each account number and
subjected the new number to an algorithm. This technique is known as: 
 

A.  A validation check.
B.  Check digit verification.
C.  A dependency check.
D.  A format check.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
35. Which of the following security controls would best prevent unauthorized access to a firm's internal
network? 
 

A.  Use of a screen saver with a password.
B.  Use of a firewall.
C.  Encryption of data files.
D.  Automatic log-off of inactive users.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 

36. Why does a Certificate Authority (CA) play an important role in a company's information security
management? 
 

A.  Using a CA is required by SOX in managing information security.


B.  Most companies use a CA to manage their employees' public keys.
C.  A CA creates and maintains both the public and private keys for a company's employees.
D.  None of the above is correct.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
37. When computer programs or files can be accessed from terminals, users should be required to enter
a(n) 
 

A.  Parity check.


B.  Password as a personal identification code.
C.  Check digit.
D.  Echo check.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
38. Which of the following controls would most likely assure that a company can reconstruct its financial
records? 
 

A.  Security controls such as firewalls


B.  Backup data are tested and stored safely
C.  Personnel understand the data very well
D.  Paper records
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 

39. Why would companies want to use digital signatures when conducting e-business? 
 

A.  It is cheap.
B.  It is always the same so it can be verified easily.
C.  It is more convenient than requiring a real signature.
D.  It can authenticate the document sender and maintain data integrity.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
40. Select a correct statement regarding encryption methods. 
 

A.  To use symmetric-key encryption, each user needs two different keys.
B.  Most companies prefer using symmetric-key encryption over the asymmetric-key encryption method.
C.  Both symmetric-key and asymmetric-key encryption methods require the involvement of a
certificate authority.
D.  When conducting e-business, most companies use both symmetric-key and asymmetric-key
encryption methods.
 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
 

Essay Questions
 

41. A magnetic tape used to store data backups was lost while it was being transported to an offsite storage
location. The data on the tape includes customers' credit card and personal information. Which
preventive control(s) should have been used to minimize the potential loss? 
 

The tape needs to be encrypted and password protected.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 

42. List the following steps regarding computer fraud risk assessments in sequence.

(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls. 
 

d, c, b, e, a

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
 
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in
e-business. 
 

To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge message
to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If CP is able to use
TP's public key to decrypt and get the plaintext of the challenge message, CP has authenticated TP
successfully.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 
44. What are the two prerequisites for vulnerability management? 
 

First, a firm should determine the main objectives of its vulnerability management. In some cases, the firm should
determine which laws, regulations, and standards it should comply with. Second, a firm should assign
roles and responsibilities for vulnerability management. The management may designate a team to be
responsible for developing and implementing the vulnerability management program.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original

Topic: Vulnerability management and assessments
 
45. Describe the framework for vulnerability assessment and vulnerability management. 
 

The components of vulnerability assessment include identification and risk assessment.

   Identification process: identifying all critical IT assets, threats and vulnerabilities.

   Risk assessment process: assessing vulnerabilities and prioritizing vulnerability issues.

The components of vulnerability management include remediation and maintenance.

   Remediation process: making a risk response plan, preparing the policy and requirements for
remediation, as well as control implementation.

   Maintenance: monitoring, ongoing assessment and continuous improvement.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments
 
46. What is included in disaster recovery planning and business continuity management? Are these
concepts related? 
 

Disaster recovery planning (DRP) must include a clearly defined and documented plan that covers key
personnel, resources including IT infrastructure and applications, and actions required to be carried out
in order to continue or resume the systems for critical business functions within planned levels of
disruption. Business continuity management (BCM) includes the activities required to keep a firm
running during a period of displacement or interruption of normal operations. DRP is a key component
of BCM. BCM is broader than DRP and is concerned with entire business processes rather than
particular assets, such as IT infrastructure and applications.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
 

47. What is a digital signature? How could a digital signature ensure data integrity when conducting
e-business? 
 

A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the
document creator's private key.

1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to authenticate each
other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3) Sender A encrypts the MD using Sender A's private key to get Sender A's digital signature.
4) Sender A uses Receiver B's public key to encrypt the original document and Sender A's digital
signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B's private key. Receiver B now has
the document and Sender A's digital signature.
7) Receiver B decrypts Sender A's digital signature using Sender A's public key to get the sent-over
MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and get a
calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B ensures data integrity.

 
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
 

Chapter 13

The Balanced Scorecard and Business Value of Information Technology


 

True / False Questions


 

1. The balanced scorecard only includes quantitative measures. 


 
True    False
 
2. The balanced scorecard framework describes performance from four different perspectives based on the
firm's strategy to achieve shareholder value. 
 
True    False
 

3. In the business process perspective, the firm describes its objectives for improvements in tangible and
intangible infrastructure. 
 
True    False
 
4. A strategy map depicts the cause and effect relationship between objectives across the balanced scorecard
perspectives. 
 
True    False
 
5. When the firm's value proposition meets or exceeds customers' requirements, customer satisfaction results
in customer retention and new customer acquisition, which drives sales growth. 
 
True    False
 
6. Besides presenting financial performance information to shareholders, the financial perspective provides
information that can confirm the success of investments in learning and growth. 
 
True    False
 
7. Network IT changes the way that work is performed and decisions are made. 
 
True    False
 
8. Function IT can be used without affecting more than one skilled worker. 
 
True    False
 
9. Supply chain management systems are an example of Network IT. 
 
True    False
 
10. The success of Enterprise IT investments often depends on whether the company makes complementary
changes in business processes. 
 
True    False
 
11. The balanced scorecard management process starts with the Formulate step. 
 
True    False
 
12. Investments in business analytics systems support the balanced scorecard management process during the
Link to Operations step. 
 
True    False
 
13. Research shows that standardized, integrated, and networked technology enhances decision making and
performance management. 
 
True    False
 
14. The value of IT investments often depends on the level of complementary resources, which can change over
time. 
 
True    False
 

15. The impact of an IT investment can depend on managers' decision-making abilities. 
 
True    False
 
 

Multiple Choice Questions


 

16. Which of the following is the best description of the balanced scorecard? 
 

A. A strategic planning and management system


B. A performance measurement framework
C. A formal, structured approach to link IT investment to business performance
D. All are descriptions of the balanced scorecard
 
17. Which of the following is not a balanced scorecard perspective? 
 

A. Stakeholder
B. Financial
C. Business process
D. Customer
 
18. Which of the following is not a general type of business process found on generic strategy maps? 
 

A. Innovation processes
B. Administrative processes
C. Operations management processes
D. Customer management processes
 
19. Which of the following is not a value proposition characteristic expected to influence customer value? 
 

A. Product attributes
B. Image
C. Innovation
D. Relationship
 
20. Which of the following is not included in Information Capital as described in the balanced scorecard
learning and growth perspective? 
 

A. IT Infrastructure
B. Employees' abilities to use technology
C. Intangible assets
D. Applications
 

21. Which of the following is not an example of Enterprise IT? 
 

A. Spreadsheet financial applications


B. Business intelligence systems
C. CRM systems
D. ERP systems
 
22. Which of the following is not an organizational capability directly supported by Enterprise IT? 
 

A. Process definition
B. Process integration
C. Customer service
D. Transaction automation
 
23. Which of the following is the best reason that companies find it hard to assess the benefit of IT
investments? 
 

A. Difficult to assess costs


B. Difficult to tie IT investments to company strategy
C. IT investments become embedded in business processes
D. None of the above
 
24. Which of the following is not a step in the balanced scorecard management process? 
 

A. Invest
B. Translate
C. Monitor
D. Adapt
 
25. Which of the following is the best description of the Link to Operations step in the balanced scorecard
management process? 
 

A. The company establishes objectives, measures, targets, and initiatives.


B. The company prepares operating budgets and prioritizes business process improvements.
C. The company evaluates the effectiveness of its strategy.
D. The company examines the competitive environment.
 
 

Essay Questions
 

26. Review the following list of company objectives. Prepare a strategy map that places each objective in the
correct balanced scorecard perspective.

    
 

27. Your company has elected to implement a balanced scorecard management process following the steps
outlined by Kaplan and Norton. After examining the process closely, your company's senior management
team (CEO, CFO, CIO, etc.) decides to modify the process to make the steps more specific. First of all,
they identified three different organizational levels involved in the process: senior management, middle
management, and the rest of the workforce.

After a brainstorming session, they decide to break the five steps into pieces as follows: the formulate step
would include a) assessing the company's value proposition relative to the competition, and b) determining
the appropriate elements of the value proposition to emphasize in order to achieve competitive advantage.
The translate step would include a) setting long-term strategic objectives for customer and shareholder
value, and b) setting priorities for long-term capital improvements necessary to achieve the long-term strategic
objectives. The Link step would then include a) establishing necessary IT initiatives, b) setting
departmental budgets, c) implementing new IT systems, and d) operating business processes. The monitor
step would include a) producing reports to track performance, and b) reviewing reports to evaluate performance.

Then, they decided to insert a new step, titled Adjust. This step would include making adjustments
necessary to improve business processes, basically revisiting the Link to Operations step but making minor
changes. If the adjustments failed to achieve objectives, then they would continue to the Adapt step to a)
reconsider their assumptions about the competitive environment, and b) reconsider alternatives for those
parts of the value proposition to emphasize to achieve competitive success.

Required: Draw a BPMN activity diagram that outlines your company's approach to the balanced
scorecard management process. Then, describe in writing whether you agree with your senior management
team's breakdown of the steps and the approach they propose. What would you do differently? Why? 
 

Chapter 13 The Balanced Scorecard and Business Value of Information
Technology Answer Key
 

True / False Questions


 

1. The balanced scorecard only includes quantitative measures. 


 
FALSE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
 
2. The balanced scorecard framework describes performance from four different perspectives based on the
firm's strategy to achieve shareholder value. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
 
3. In the business process perspective, the firm describes its objectives for improvements in tangible and
intangible infrastructure. 
 
FALSE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
 
4. A strategy map depicts the cause and effect relationship between objectives across the balanced
scorecard perspectives. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original

Topic: Business Value
 
5. When the firm's value proposition meets or exceeds customers' requirements, customer satisfaction
results in customer retention and new customer acquisition, which drives sales growth. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 
6. Besides presenting financial performance information to shareholders, the financial perspective provides
information that can confirm the success of investments in learning and growth. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 
7. Network IT changes the way that work is performed and decisions are made. 
 
FALSE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
8. Function IT can be used without affecting more than one skilled worker. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
9. Supply chain management systems are an example of Network IT. 
 
FALSE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand

Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
10. The success of Enterprise IT investments often depends on whether the company makes complementary
changes in business processes. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
11. The balanced scorecard management process starts with the Formulate step. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
 
12. Investments in business analytics systems support the balanced scorecard management process during
the Link to Operations step. 
 
FALSE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
 
13. Research shows that standardized, integrated, and networked technology enhances decision making and
performance management. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
 

14. The value of IT investments often depends on the level of complementary resources, which can change
over time. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
 
15. The impact of an IT investment can depend on managers' decision-making abilities. 
 
TRUE
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
 
 

Multiple Choice Questions


 

16. Which of the following is the best description of the balanced scorecard? 
 

A.  A strategic planning and management system


B.  A performance measurement framework
C.  A formal, structured approach to link IT investment to business performance
D.  All are descriptions of the balanced scorecard
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
 
17. Which of the following is not a balanced scorecard perspective? 
 

A.  Stakeholder
B.  Financial
C.  Business process
D.  Customer
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology

Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
 
18. Which of the following is not a general type of business process found on generic strategy maps? 
 

A.  Innovation processes


B.  Administrative processes
C.  Operations management processes
D.  Customer management processes
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 
19. Which of the following is not a value proposition characteristic expected to influence customer value? 
 

A.  Product attributes


B.  Image
C.  Innovation
D.  Relationship
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 
20. Which of the following is not included in Information Capital as described in the balanced scorecard
learning and growth perspective? 
 

A.  IT Infrastructure
B.  Employees' abilities to use technology
C.  Intangible assets
D.  Applications
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 

21. Which of the following is not an example of Enterprise IT? 
 

A.  Spreadsheet financial applications


B.  Business intelligence systems
C.  CRM systems
D.  ERP systems
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
22. Which of the following is not an organizational capability directly supported by Enterprise IT? 
 

A.  Process definition


B.  Process integration
C.  Customer service
D.  Transaction automation
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 
23. Which of the following is the best reason that companies find it hard to assess the benefit of IT
investments? 
 

A.  Difficult to assess costs


B.  Difficult to tie IT investments to company strategy
C.  IT investments become embedded in business processes
D.  None of the above
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
 

24. Which of the following is not a step in the balanced scorecard management process? 
 

A.  Invest
B.  Translate
C.  Monitor
D.  Adapt
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
 
25. Which of the following is the best description of the Link to Operations step in the balanced scorecard
management process? 
 

A.  The company establishes objectives, measures, targets, and initiatives.


B.  The company prepares operating budgets and prioritizes business process improvements.
C.  The company evaluates the effectiveness of its strategy.
D.  The company examines the competitive environment.
 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
 
 

Essay Questions
 

26. Review the following list of company objectives. Prepare a strategy map that places each objective in
the correct balanced scorecard perspective.

    
 

   

 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
 
27. Your company has elected to implement a balanced scorecard management process following the steps
outlined by Kaplan and Norton. After examining the process closely, your company's senior
management team (CEO, CFO, CIO, etc.) decides to modify the process to make the steps more
specific. First of all, they identified three different organizational levels involved in the process: senior
management, middle management, and the rest of the workforce.

After a brainstorming session, they decide to break the five steps into pieces as follows: the formulate
step would include a) assessing the company's value proposition relative to the competition, and b)
determining the appropriate elements of the value proposition to emphasize in order to achieve
competitive advantage. The translate step would include a) setting long-term strategic objectives for
customer and shareholder value, and b) setting priorities for long-term capital improvements necessary to
achieve the long-term strategic objectives. The Link step would then include a) establishing necessary
IT initiatives, b) setting departmental budgets, c) implementing new IT systems, and d) operating
business processes. The monitor step would include a) producing reports to track performance, and b)
reviewing reports to evaluate performance.

Then, they decided to insert a new step, titled Adjust. This step would include making adjustments
necessary to improve business processes, basically revisiting the Link to Operations step but making
minor changes. If the adjustments failed to achieve objectives, then they would continue to the Adapt
step to a) reconsider their assumptions about the competitive environment, and b) reconsider
alternatives for those parts of the value proposition to emphasize to achieve competitive success.

Required: Draw a BPMN activity diagram that outlines your company's approach to the balanced
scorecard management process. Then, describe in writing whether you agree with your senior
management team's breakdown of the steps and the approach they propose. What would you do
differently? Why? 
 

(Open ended; the BPMN should not violate standards)

 
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Evaluate
Difficulty: 3 Hard
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
 

