Question 1

LOS.absorb.cst.effct.0030.wml
AICPA.951156BEC-AR
LOS: LOS.absorb.cst.effct.0030.wml
Lesson Reference: Absorption and Direct Costing
Difficulty: hard
Bloom Code: 4

Lynn Manufacturing Co. prepares income statements using both standard absorption and standard variable costing methods. For Year 2, unit standard costs
were unchanged from Year 1. In Year 2, the only beginning and ending inventories were finished goods of 5,000 units.

How would Lynn's ratios using absorption costing compare with those using variable costing?

Current ratio Return on stockholders' equity


Same Same
Same Smaller
Greater Same
Greater Smaller

Rationale
 Same Same

Incorrect on both counts. Absorption costing (AC) inventories fixed overhead, whereas variable costing (VC) expenses it as incurred. The ending
inventory for AC is larger by the amount of fixed overhead allocated to it, making the current ratio also larger for AC.

Furthermore, the amount of fixed overhead in the ending 5,000 units causes the total expense recognized for the life of the firm to be less for AC.
Therefore, retained earnings and total owners' equity (denominator of return on equity) are larger, causing the ratio to be smaller for AC.

Rationale
 Same Smaller
Incorrect for the current ratio. Absorption costing (AC) inventories fixed overhead, whereas variable costing (VC) expenses it as incurred. Ending
inventory for AC is larger by the amount of fixed overhead allocated to it, making the current ratio also larger for AC.

Rationale
 Greater Same
Incorrect for return on equity. Absorption costing (AC) inventories fixed overhead, whereas variable costing (VC) expenses it as incurred. The amount of
fixed overhead in the ending 5,000 units causes total expense recognized for the life of the firm to be less for AC. Therefore, retained earnings and total
owners' equity (denominator of return on equity) are larger, and the ratio is smaller for AC.

Rationale
 Greater Smaller
Current ratio = current assets/current liabilities. Return on stockholders' equity = net income/average owners' equity. Absorption costing allocates both
variable and fixed manufacturing costs to inventory. Variable costing assigns only variable manufacturing cost to inventory and expenses fixed
manufacturing overhead as a period cost. Therefore, ending inventory, and thus, current assets, are higher under absorption costing by the amount of
fixed overhead allocated to ending inventory. The current ratio under absorption costing is, therefore, higher than under variable costing. Income in the
current period is the same under both absorption costing and variable costing because the fixed overhead allocation rate has not changed, and ending
inventory quantities have not changed. Therefore, total expenses recognized for the life of the firm for absorption costing are less than for variable
costing by the amount of fixed overhead remaining in those 5,000 units at the end of Year 2. Thus, retained earnings are higher for absorption costing,
causing the denominator of return on stockholders' equity to be greater, and finally causing the ratio to be smaller for absorption costing.
Question 2
LOS.erm.obj.set.0030
aq.erm.obj.set.003_2-18
LOS: LOS.erm.obj.set.0030
Lesson Reference: ERM Strategy and Objective Setting
Difficulty: medium
Bloom Code: 3
An investment firm determines that investments in bitcoin are highly risky. For its portfolio, it sets a minimum investment of 3% and a maximum investment
of 8% in bitcoin. This is an example of setting
risk target (minimum) and risk roof (maximum).
risk roof (minimum) and risk target (maximum).
risk floor (minimum) and risk ceiling (maximum).
risk ceiling (minimum) and risk floor (maximum).

Rationale
 risk target (minimum) and risk roof (maximum).
Incorrect. The terms “risk target” and “risk roof” are incorrect here. The correct terms are “risk floor (3%)” and “risk ceiling (8%)”. The term “risk target”
is not included in the COSO ERM framework and seems to confuse a performance target with the concept of risk appetite. “Risk roof” is not included in
the COSO ERM framework but might be a cool band name and also sounds a bit like “risk ceiling,” which is included in the COSO ERM framework.

Rationale
 risk roof (minimum) and risk target (maximum).
Incorrect. The terms “risk target” and “risk roof” are incorrect here. The correct terms are risk floor (3%) and risk ceiling (8%). The term “risk target” is
not included in the COSO ERM framework and seems to confuse a performance target with the concept of risk appetite. “Risk roof” is not included in
the COSO ERM framework but might be a cool band name and also sounds a bit like “risk ceiling,” which is included in the COSO ERM framework.

Rationale
 risk floor (minimum) and risk ceiling (maximum).
Correct! A risk floor is a statement of the minimum amount of risk that an entity desires. A risk ceiling is a statement of the maximum amount of risk
that an entity desires.

Rationale
 risk ceiling (minimum) and risk floor (maximum).
Incorrect. A risk floor is a statement of the minimum amount of risk that an entity desires. A risk ceiling is a statement of the maximum amount of risk
that an entity desires. This answer is incorrect because the risk ceiling is the maximum and the risk floor is the minimum, and this answer reverses this
statement.
Question 3
LOS.erm.comp.princ.0010
aq.erm.comp.princ.004_0718
LOS: LOS.erm.comp.princ.0010
Lesson Reference: ERM Components, Principles, and Terms
Difficulty: medium
Bloom Code: 3
The Resource Development Company mines for rare earth minerals in developing countries. The company is currently assessing aspects of risk to determine
which risks are most and least important. This analysis most likely occurs as a part of which component in the ERM framework?
Governance and Culture
Performance
Strategy and Objective-Setting
Information, Communication, and Reporting

Rationale
 Governance and Culture
Incorrect. Governance is the allocation of roles, authorities, and responsibilities among stakeholders, the board, and management. An organization's
culture is its core values, including how the organization understands and manages risk. The listed activity concerns risk prioritization, which occurs in
the performance component of ERM, not in the governance and culture component.

Rationale
 Performance
Correct! The listed activity concerns risk prioritization, which occurs in the performance component of ERM, not in the governance and culture
component. This component is concerned with risk identification and assessment, which helps an organization achieve its strategy and business
objectives.

Rationale
 Strategy and Objective-Setting
Incorrect. Strategy and objective setting are concerned with integrating ERM with strategic planning and objective setting. For example, an
organization's risk appetite is partly a function of its strategy. The listed activity concerns risk prioritization, which occurs in the performance
component of ERM, not in the strategy and objective setting component.

Rationale
 Information, Communication, and Reporting
Incorrect. Communication is the continual, iterative process of obtaining and sharing information to facilitate and enhance ERM. This function includes
reporting on the organization's risk, culture, and performance. The listed activity concerns risk prioritization, which occurs in the performance
component of ERM, not in the information, communication, and reporting component.
Question 4
LOS.inter.cont.roles.respon.0010.wml
aicpa.aq.inter.cont.roles.respon.004_17
LOS: LOS.inter.cont.roles.respon.0010.wml
Lesson Reference: Internal Control Roles and Responsibilities
Difficulty: hard
Bloom Code: 3
According to COSO, the presence of a written code of conduct provides for a control environment that can
Override an entity's history and culture.
Encourage teamwork in the pursuit of an entity's objectives.
Ensure that competent evaluators are implementing and monitoring internal controls.
Verify that information systems are providing persuasive evidence of the effectiveness of internal controls.

Rationale
 Override an entity's history and culture.
Incorrect. A code of conduct would likely make it less likely for an organization to override its history and culture since the code of conduct would help
embody and transmit the organization's culture.

Rationale
 Encourage teamwork in the pursuit of an entity's objectives.
Correct! A code of conduct helps facilitate shared goals and encourages teamwork.

Rationale
 Ensure that competent evaluators are implementing and monitoring internal controls.
Incorrect. The code of conduct is largely unrelated to the monitoring of internal controls.

Rationale
 Verify that information systems are providing persuasive evidence of the effectiveness of internal controls.
Incorrect. The code of conduct is largely unrelated to verifying that information systems are providing persuasive evidence of the effectiveness of
internal controls.
Question 5
LOS.oth.reg.fram.gov.0010.wml
aicpa.aq.oth.reg.fram.gov.012_19
LOS: LOS.oth.reg.fram.gov.0010.wml
Lesson Reference: Other Regulatory Frameworks and Provisions
Difficulty: hard
According to the Sarbanes-Oxley Act of 2002, anyone who knowingly alters, destroys, covers up, or makes a false entry in any record or document with the
intent to obstruct or influence the investigation of any matter within the jurisdiction of any department or agency of the United States may be fined and/or
imprisoned for up to:
Five years.
Ten years.
Fifteen years.
Twenty years.

Rationale
 Five years.
Incorrect. The actual number is twenty.

Rationale
 Ten years.
Incorrect. The actual number is twenty.

Rationale
 Fifteen years.
Incorrect. The actual number is twenty.

Rationale
 Twenty years.
Correct! This is the maximum punishment for making a false entry with intent to obstruct an investigation.
Question 6
LOS.intro.prjct.rsk.0040.wml
RMCB-0064
LOS: LOS.intro.prjct.rsk.0040.wml
Lesson Reference: Introduction and Project Risk
Difficulty: medium
Which of the following rates is most commonly compared to the internal rate of return to evaluate whether to make an investment?
Short-term rate on US Treasury bonds.
Prime rate of interest.
Weighted-average cost of capital.
Long-term rate on US Treasury bonds.

Rationale
 Short-term rate on US Treasury bonds.
This answer is incorrect because it may or may not provide an estimate of the company’s cost of funds.

Rationale
 Prime rate of interest.
This answer is incorrect because it may or may not provide an estimate of the company’s cost of funds.

Rationale
 Weighted-average cost of capital.
This answer is correct. The weighted-average cost of capital provides a measure of the cost of the funds that the company is considering investing in a
project.

Rationale
 Long-term rate on US Treasury bonds.
This answer is incorrect because it may or may not provide an estimate of the company’s cost of funds.
Question 7
LOS.it.syst.dev.imp.0020.wml
AICPA.08011647BEC.IV
LOS: LOS.it.syst.dev.imp.0020.wml
Lesson Reference: System Development and Implementation
Difficulty: medium
Bloom Code: 2
Which of the following implementation approaches has been described as "sink or swim?"
Parallel.
Cold turkey.
Phased.
Pilot.

Rationale
 Parallel.
The new and old systems run concurrently until it is clear that the new system is working properly.

Rationale
 Cold turkey.
Also called the plunge or big bang approach. The old system is dropped and the new system is put in place all at once.

Rationale
 Phased.
The system is divided into modules that are brought on line one at a time.

Rationale
 Pilot.
Users are divided into groups and are trained on the new system one group at a time.
Question 8
LOS.it.bus.strat.0040.wml
aq.it.bus.strat.004_2017
LOS: LOS.it.bus.strat.0040.wml
Lesson Reference: IT and Business Strategy
Difficulty: easy
A company that sells hand-carved statues from rural Indonesia online is using a ___________ strategy:
Digitization
Product differentiation
Cost leadership
Integrated

Rationale
 Digitization
This is incorrect. Digitization is not a strategy—it is a description of how technology is changing business. Therefore, this is an incorrect answer.

Rationale
 Product differentiation
Correct! This is an example of a product differentiation strategy since competitors are unlikely to be able to sell this same product.

Rationale
 Cost leadership
This is incorrect. The sentence says nothing about cost or price. Therefore, this is not an example of a cost leadership strategy.

Rationale
 Integrated
This is incorrect. An integrated strategy is not a strategy available to a business.
Question 9
LOS.erm.obj.set.0060
tb.erm.obj.set.002_0718
LOS: LOS.erm.obj.set.0060
Lesson Reference: ERM Strategy and Objective Setting
Difficulty: medium
Bloom Code: 2
Which of the following statements about risk appetite, tolerance, and risk indicators is true?
Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at
any level of the business.
Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at
any level of the business.
Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at
any level of the business.
Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at
any level of the business.

Rationale
 Risk appetite applies to the development of strategy, tolerance applies in the implementation of strategy, and key risk indicators apply at
any level of the business.
Correct! These are the correct descriptions of the relationship of these terms to the strategy development process.

Rationale
 Key risk indicators apply to the development of strategy, risk appetite applies in the implementation of strategy, and tolerance applies at
any level of the business.
Incorrect. The correct relationships are as follows: Risk appetite applies to the development of strategy, tolerance applies in the implementation of
strategy, and key risk indicators apply at any level of the business.

Rationale
 Tolerance applies to the development of strategy, risk appetite applies in the implementation of strategy, and key risk indicators apply at
any level of the business.
Incorrect. The correct relationships are as follows: Risk appetite applies to the development of strategy, tolerance applies in the implementation of
strategy, and key risk indicators apply at any level of the business.

Rationale
 Tolerance applies to the development of strategy, key risk indicators apply in the implementation of strategy, and risk appetite applies at
any level of the business.
Incorrect. The correct relationships are as follows: Risk appetite applies to the development of strategy, tolerance applies in the implementation of
strategy, and key risk indicators apply at any level of the business.
Question 10
LOS.int.entwide.cloud.syst.0030.wml
AICPA.130502BEC-SIM
LOS: LOS.int.entwide.cloud.syst.0030.wml
Lesson Reference: Introduction to Enterprise-Wide and Cloud-Based Systems
What is an example of the use of the cloud to access hardware?
IaaS
PaaS
SAP
ERP

Rationale
 IaaS
IaaS is the use of the cloud to access virtual hardware.

Rationale
 PaaS
PaaS is the use of the cloud to create software.

Rationale
 SAP
SAP is an ERP software package and is not an example of the use of the cloud to access software and programs.

Rationale
 ERP
ERP is an enterprise-resource planning system and is not an example of the use of the cloud to access software and programs.
Question 11
LOS.erm.monitor.rev.0030
aq.erm.monitor.rev.002_2-18
LOS: LOS.erm.monitor.rev.0030
Lesson Reference: ERM Monitoring, Review, and Revision
Difficulty: medium
Bloom Code: 3
An organization launches a new product and finds the product is performing better than expected and that the volatility of sales is less than expected. Which
of the following is the organization most likely to do?
Review its internal control procedures.
Investigate new technologies to improve product performance.
Revise its tolerance and decrease its risk appetite
Review its ERM practices.

Rationale
 Review its internal control procedures.
Incorrect. The processes implemented to ensure the achievement of management's objectives comprise inherent control. There is no indication in this
case that there are issues with internal control.

Rationale
 Investigate new technologies to improve product performance.
Incorrect. The product is performing better than expected. Hence, the suggested response would be an odd and inexplicable reaction to this case.

Rationale
 Revise its tolerance and decrease its risk appetite
Incorrect. Tolerance is the range of acceptable risks. Why would a company revise tolerance in response to finding out that a product performed better
than expected? Similarly, decreasing risk appetite would not be a rational response to learning that a product performed better than expected.

Rationale
 Review its ERM practices.
Correct! The organization should review its ERM practices to better understand why it misestimated the risks related to the new product.
Question 12
LOS.erm.comm.report.0080
aq.erm.comm.report.004_0718
LOS: LOS.erm.comm.report.0080
Lesson Reference: ERM Communication and Reporting
Difficulty: medium
Bloom Code: 2
While both views highlight risk severity, the _______ view of risk is from the entity-wide level while the _______ view of risk is from the perspective of units or
levels within the entity.
incident, root cause
root cause, incident
portfolio, profile
profile, portfolio

Rationale
 incident, root cause
Incorrect. The disclosure of incidents provides insight into the effectiveness of risk responses, not of risks themselves. In addition, incident reports are
not, in general, level- or entity-specific perspectives on risk. The analysis of root causes (asking “why”) enables users to understand assumptions and
changes underpinning the portfolio and profile views of risk. However, such reports aren't, in general, linked to a specific level of reporting and
therefore are not a good answer to this question. In addition, the analysis of risk causes may or may not be concerned with risk severity.

Rationale
 root cause, incident
Incorrect. The analysis of root causes (asking “why”) enables users to understand assumptions and changes underpinning the portfolio and profile
views of risk. However, such reports aren't, in general, linked to a specific level of reporting and therefore are not a good answer to this question. In
addition, the analysis of risk causes may or may not be concerned with risk severity. The disclosure of incidents provides insight into the effectiveness
of risk responses, not of risks themselves. In addition, incident reports are not, in general, level- or entity-specific perspectives on risk.

Rationale
 portfolio, profile
Correct! The portfolio view of risk is from the entity-wide perspective while the profile view of risk is from the level of units or levels within the entity.

Rationale
 profile, portfolio
Incorrect. The profile view of risk is from the level of units or levels within the entity, not the entity level. The portfolio view of risk is from the entity-wide
perspective, not from the view of units or levels within the entity. Hence, this is an incorrect answer.
Question 13
LOS.intro.wrkcap.mgmt.0010.wml
AICPA0811615BEC.III.C
LOS: LOS.intro.wrkcap.mgmt.0010.wml
Lesson Reference: Introduction to Working Capital Management
Difficulty: medium
Bloom Code: 4
Which one of the following would not be considered an element of concern in working capital management?
Accounts receivable.
Inventory.
Accounts Payable.
Property, plant, and equipment.

Rationale
 Accounts receivable.
Accounts receivable are a current asset and an element of working capital. It would be of concern in managing working capital.

Rationale
 Inventory.
Inventory is a current asset and an element of working capital. It would be of concern in managing working capital.

Rationale
 Accounts Payable.
Accounts payable are a current liability and an element of working capital. This would be of concern in managing working capital.

Rationale
 Property, plant, and equipment.
Property, plant, and equipment is not an element of working capital. Although management of property, plant, and equipment would be a
management concern, it would not be a factor in the management of working capital, which is comprised of current assets and current liabilities.
Question 14
LOS.int.entwide.cloud.syst.0020.wml
tb.int.entwide.cloud.syst.003_17
LOS: LOS.int.entwide.cloud.syst.0020.wml
Lesson Reference: Introduction to Enterprise-Wide and Cloud-Based Systems
Difficulty: hard
Bloom Code: 3
A data analyst at Hubert Humbert Fashion Designers is using a component of its organization-wide ERP system to analyze customer sales to determine the
optimal opening and closing times for its retail stores. The analyst is most likely using the _________ component of the system.
CRM
OLAP
OLTP
Supply chain management

Rationale
 CRM
Incorrect. This is not a customer relations issue.

Rationale
 OLAP
Correct! This is an example of a data mining application within an online analytical processing (OLAP) system.

Rationale
 OLTP
Incorrect. This is not an application of an online transaction processing (OLTP) system.

Rationale
 Supply chain management
Incorrect. This issue is unrelated to supply chain management.
Question 15
LOS.erm.comm.report.0050
aq.erm.comm.report.001_2-18
LOS: LOS.erm.comm.report.0050
Lesson Reference: ERM Communication and Reporting
Difficulty: medium
Bloom Code: 3
Data from ______________ is typically structured, while data from ________ is typically unstructured.
board meeting minutes; a governmental water scarcity report that is used by a beverage company
staffing increases or decreases due to restructuring; email about decision making and performance.
emerging interest in a new product from a competitor; an entity's risk tolerance
marketing reports from website tracking services; government-produced geopolitical reports and studies

Rationale
 board meeting minutes; a governmental water scarcity report that is used by a beverage company
Incorrect. Board meeting minutes are unstructured (text); data about water scarcity is typically structured (i.e., numeric).

Rationale
 staffing increases or decreases due to restructuring; email about decision making and performance.
Correct! Staffing data are typically structured; email is unstructured (text).

Rationale
 emerging interest in a new product from a competitor; an entity's risk tolerance
Incorrect. Emerging interest in a new product from a competitor will be unstructured; an entity's risk tolerance will be structured.

Rationale
 marketing reports from website tracking services; government-produced geopolitical reports and studies
Incorrect. Marketing reports from website tracking services typically will be structured; however, government-produced geopolitical reports and
studies typically also will be structured.
Question 16
LOS.mang.cyber.risk.0020.wml
LOS.mang.cyber.risk.0010.wml
aq.mang.cyber.risk.003_2017
LOS: LOS.mang.cyber.risk.0010.wml
LOS: LOS.mang.cyber.risk.0020.wml
Lesson Reference: Managing Cyber Risk: Part I—Applying COSO Principles to Cyber Risk
Difficulty: hard
A new attack involves hacking into medical records and then offering these records for sale on the black market. A medical records company in Brazil learned
of this attack and has built controls into its systems to prevent hackers from accessing its systems. This is an IT application of the COSO principle of _______
and evidences _______ controls.
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control; preventive.
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support
the functioning of internal control. Detective.
The organization communicates with external parties regarding matters affecting the functioning of internal control. Detective.
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to
acceptable levels. Preventive.

Rationale
 The organization obtains or generates and uses relevant, quality information to support the functioning of internal control; preventive.
This answer is incorrect. This is not an example of obtaining and using information to support the functioning of internal control. However, the example
does illustrate a preventive control.

Rationale
 The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support
the functioning of internal control. Detective.
This answer is incorrect. This is not an example of internal communication. In addition, this is a preventive control, not a detective control.

Rationale
 The organization communicates with external parties regarding matters affecting the functioning of internal control. Detective.
This is an incorrect answer. This is not an example of externally communicating information to support the functioning of internal controls. In addition,
this is a preventive control, not a detective control.

Rationale
 The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to
acceptable levels. Preventive.
Correct! This statement is accurate. The example illustrates the creation of a control activity to reduce risk. In addition, the example does illustrate a
preventive control.
Question 17
LOS.cost.relev.0010.wml
PLAN-0102
LOS: LOS.cost.relev.0010.wml
Lesson Reference: Non-Routine Decisions: Relevant Costs
Difficulty: medium
Which of the following statements is true regarding opportunity cost?
Opportunity cost is recorded in the accounts of an organization that has a full costing system.
The potential benefit is not sacrificed when selecting an alternative.
Idle space that has no alternative use has an opportunity cost of zero.
Opportunity cost is representative of actual dollar outlay.

Rationale
 Opportunity cost is recorded in the accounts of an organization that has a full costing system.
This answer is incorrect because opportunity cost is a concept only used in making decisions. It is not recorded in financial records.

Rationale
 The potential benefit is not sacrificed when selecting an alternative.
This answer is incorrect because opportunity cost is a potential benefit that is sacrificed when selecting an alternative.

Rationale
 Idle space that has no alternative use has an opportunity cost of zero.
This answer is correct. Items that have no alternative use have no opportunity cost.

Rationale
 Opportunity cost is representative of actual dollar outlay.
This answer is incorrect because opportunity cost is not a dollar outlay. It is a potential benefit that is sacrificed when selecting a particular decision
alternative.
Question 18
LOS.it.bus.strat.0010.wml
aq.it.bus.strat.003_2017
LOS: LOS.it.bus.strat.0010.wml
Lesson Reference: IT and Business Strategy
Difficulty: easy
Governance is primarily the responsibility of:
Top management.
The board.
The CEO.
Those individuals who are identified by SOX Section 404 as responsible for the system of internal control.

Rationale
 Top management.
This statement is false—top management does not bear primary responsibility for governance. Therefore, this is an incorrect answer.

Rationale
 The board.
Correct! This statement is true. Governance is primarily the responsibility of the board of directors.

Rationale
 The CEO.
This statement is false—the CEO does not bear primary responsibility for governance. Therefore, this is an incorrect answer.

Rationale
 Those individuals who are identified by SOX Section 404 as responsible for the system of internal control.
This statement is false—SOX Section 404 identifies top management as bearing responsibility for internal control. Therefore, this is an incorrect answer
since the board is primarily responsible for corporate governance.
Question 19
LOS.ent.fraud.mgmt.0060
aq.ent.fraud.mgmt.004_17
LOS: LOS.ent.fraud.mgmt.0060
Lesson Reference: Fraud Risk Management
Difficulty: medium
Bloom Code: 3
Overland Stage and Transport uses a fraud risk assessment heat map that charts the significance (on the vertical axis) and the likelihood (on the horizontal
axis) of frauds as a part of its fraud risk management program. The company's use of a fraud risk heat map best relates to which of the following activities?
Establishing a fraud risk management program
Selecting, developing, and deploying fraud controls
Selecting, developing, and deploying evaluation and monitoring processes
Performing a comprehensive fraud risk assessment

Rationale
 Establishing a fraud risk management program
Incorrect. Establishing a fraud risk management program would not include assessing fraud risks.

Rationale
 Selecting, developing, and deploying fraud controls
Incorrect. Selecting, developing, and deploying fraud controls would not include assessing fraud risks.

Rationale
 Selecting, developing, and deploying evaluation and monitoring processes
Incorrect. Selecting, developing, and deploying evaluation and monitoring processes would not include, as a primary activity, assessing fraud risks.
Evaluation and monitoring is concerned with assessing the effectiveness of fraud risk management.

Rationale
 Performing a comprehensive fraud risk assessment
Correct! The company's use of a fraud risk heat map relates to performing a comprehensive fraud risk assessment.
Question 20
LOS.it.syst.dev.imp.0040.wml
AICPA.060637BEC
LOS: LOS.it.syst.dev.imp.0040.wml
Lesson Reference: System Development and Implementation
Difficulty: easy
Bloom Code: 2
In which of the following stages of computer system development would training occur?
Planning phase.
Analysis phase.
Design phase.
Implementation phase.

Rationale
 Planning phase.
Note: Most systems' life cycle descriptions combine planning and analysis into a single phase. In the planning and analysis phase, a proposal for a new
system is submitted. If the proposal receives preliminary approval, a feasibility study is conducted to evaluate the costs and benefits of the system.
During this time, the systems analyst meets with the end users to determine the information requirements of the system (data to be input, processing
tasks, reports to be generated, etc.).

Rationale
 Analysis phase.
Note: Most systems' life cycle descriptions combine planning and analysis into a single phase. In the planning and analysis phase, a proposal for a new
system is submitted. If the proposal receives preliminary approval, a feasibility study is conducted to evaluate the costs and benefits of the system.
During this time, the systems analyst meets with the end users to determine the information requirements of the system (data to be input, processing
tasks, reports to be generated, etc.).

Rationale
 Design phase.
Note: Most systems' life cycle descriptions call this phase the development phase or, sometimes, the design and development phase. In the
development and design phase, the systems analysts build detailed descriptions of the system, usually using various flowcharting techniques. Based on
these instructions, the programmers build the programs necessary to process the data and produce the reports.

Rationale
 Implementation phase.
Note: Most systems' life cycle descriptions call this phase the installation and operation phase. During this phase, the users are trained on the new
system, the data is converted from the old system to the new system, and the system is moved from the program development area to the production
library.
Question 21
LOS.coso.erm2.0030.wml
aq.coso.erm2.001
LOS: LOS.coso.erm2.0030.wml
Lesson Reference: Internal Control Monitoring Purpose and Terminology
Difficulty: easy
According to the COSO framework, evaluators who monitor controls within an organization should have which of the following sets of characteristics?
Competence and objectivity.
Respect and judgment.
Judgment and objectivity.
Authority and responsibility.

Rationale
 Competence and objectivity.
(Correct!) COSO indicates that the evaluator must have competence and objectivity. The other answers are incorrect because they do not describe the
desired characteristics.

Rationale
 Respect and judgment.
Incorrect. These are not the characteristics that are specified in COSO.

Rationale
 Judgment and objectivity.
Incorrect. These are not the characteristics that are specified in COSO.

Rationale
 Authority and responsibility.
Incorrect. These are not the characteristics that are specified in COSO.
Question 22
LOS.erm.intro.strat.0050
tb.erm.intro.strat.002_0818
LOS: LOS.erm.intro.strat.0050
Lesson Reference: Introduction to COSO Enterprise Risk Management: Strategy and Risk
Difficulty: hard
Bloom Code: 3
Multi National United Corporation is a private contractor that relocates aliens to temporary housing facilities. On its company home page, the company lists
the following words: “integrity,” “professional,” “teamwork,” and “security.” These words are probably part of the company's ____________
Core values.
Mission statement.
Statement of position (SOP).
Vision.

Rationale
 Core values.
Correct! These adjectives are most likely statements of the company's core values, which are the entity's beliefs and ideals about what is good or bad,
acceptable or unacceptable, and are statements that influence the behavior of the organization.

Rationale
 Mission statement.
Incorrect. A mission statement is an entity's core purpose, which establishes what it wants to accomplish and why it exists. While some of the listed
words may be in a mission statement, the words are most likely to be part of an entity's core values.

Rationale
 Statement of position (SOP).
Incorrect. Statements of position are issued by the AICPA's accounting standards division. They would not appear on a private contractor's home page.

Rationale
 Vision.
Incorrect. A vision is an entity's aspirations for its future state or what an organization aims to achieve over time. The listed words are most likely to be
part of an entity's core values, not part of its vision.
Question 23
LOS.intro.coso.int.ctrl.0040.wml
aq.intro.coso.int.ctrl.001
LOS: LOS.intro.coso.int.ctrl.0040.wml
Lesson Reference: Introduction to COSO, Internal Control, and the COSO Cube
Difficulty: medium
Gimbly Cricket Corp. created a decision aid, linked to its data warehouse, to enable senior management to monitor, in real time, changes in oil production at
its oil wells in Kazakhstan. This is an example of:
Internal, financial reporting.
Internal, nonfinancial reporting.
External, financial reporting.
External, nonfinancial reporting.

Rationale
 Internal, financial reporting.
This answer is incorrect because while this is an internal report, it is nonfinancial. (Oil production is not in currency.)

Rationale
 Internal, nonfinancial reporting.
(Correct!) This answer is correct because this is an internal report, and it is nonfinancial. (Oil production is not in currency.)

Rationale
 External, financial reporting.
This answer is incorrect because this is an internal, not an external, report, and it is nonfinancial. (Oil production is not in currency.)

Rationale
 External, nonfinancial reporting.
This answer is incorrect because this is an internal, not an external, report.
Question 24
LOS.erm.gov.cult.0030
tb.erm.gov.cult.003_0818
LOS: LOS.erm.gov.cult.0030
Lesson Reference: ERM Governance and Culture
Difficulty: easy
Bloom Code: 2
The following statement is adapted from the annual report of a large corporation: “Overall responsibility for overseeing the management of risks,
compliance with our risk management framework and risk appetite lies with _______.”
The CEO
The board of directors
Management
The risk management team

Rationale
 The CEO
Incorrect. The ultimate responsibility for these ERM components rests with the board of directors, not the CEO.

Rationale
 The board of directors
Correct! The ultimate responsibility for these ERM components rests with the board of directors.

Rationale
 Management
Incorrect. The ultimate responsibility for these ERM components rests with the board of directors, not with management.

Rationale
 The risk management team
Incorrect. The ultimate responsibility for these ERM components rests with the board of directors, not with the risk management team.
Question 25
LOS.oth.reg.fram.gov.0010.wml
aq.oth.reg.fram.gov.010_17
LOS: LOS.oth.reg.fram.gov.0010.wml
Lesson Reference: Other Regulatory Frameworks and Provisions
Difficulty: medium
Bloom Code: 3

Copyright © 2017 by the American Institute of Certified Public Accountants, Inc., is reprinted and/or adapted with permission.

Which of the following situations most clearly illustrates a breach of fiduciary duty by one or more members of the board of directors of a corporation?

A corporation previously has distributed 50% of its earnings as dividends. This year it has annual earnings per share of $2, and the board
of directors voted 4 to 1 against paying any dividend to finance growth.
A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the
vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board
(absent the vendor co-owner) unanimously approved the purchase.
Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years
that the fifth person has been a director, the individual did not attend two other meetings.
A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same
city that would have been suitable for use by the corporation.

Rationale
 A corporation previously has distributed 50% of its earnings as dividends. This year it has annual earnings per share of $2, and the board of
directors voted 4 to 1 against paying any dividend to finance growth.
Incorrect. Whether or not to pay dividends is typically at the discretion of the board of directors, and in that choice alone there is no breach of fiduciary
duty absent some additional facts.

Rationale
 A director of a corporation who co-owns a computer vendor negotiated the purchase of a computer system by the corporation from the
vendor, making a disclosure to the corporation and the other board members. The purchase price was competitive, and the board (absent the
vendor co-owner) unanimously approved the purchase.
Incorrect. This related-party transaction is worrisome, but given the full disclosure, the fair price, and the unanimous approval by the board (with the
conflicted director abstaining from the vote), the process prevents there from being a breach of fiduciary duty.

Rationale
 Two directors of a corporation favor business expansion, two oppose it, and the fifth did not attend the meeting. During the five years that
the fifth person has been a director, the individual did not attend two other meetings.
Incorrect. Directors are expected to be diligent in attending meetings, but perfect attendance at board meetings is neither required nor expected. Three
misses in five years by itself certainly does not constitute a breach of fiduciary duty.

Rationale
 A director who learned that the corporation is thinking of buying retail space in a city personally purchased a vacant building in the same
city that would have been suitable for use by the corporation.
Correct! This director has breached a fiduciary duty by appropriating a business opportunity (to acquire retail space) for himself or herself.
Question 26
LOS.erm.comp.princ.0010
tb.erm.comp.princ.001_0718
LOS: LOS.erm.comp.princ.0010
Lesson Reference: ERM Components, Principles, and Terms
Difficulty: easy
Bloom Code: 2
Pierce and Pierce is an investment and brokerage company that manages client investments and seeks exceptional market opportunities for these clients.
The company recently issued a report on its investment philosophy and risk management culture. This initiative most likely occurs as a part of which
component in the ERM framework?
Governance and Culture
Performance
Strategy and Objective-Setting
Information, Communication, and Reporting

Rationale
 Governance and Culture
Incorrect. Governance is the allocation of roles, authorities, and responsibilities among stakeholders, including attracting, retaining, and developing
capable individuals. The listed activities are part of Information, Communication, and Reporting activities.

Rationale
 Performance
Incorrect. The Performance component is concerned with risk identification and assessment that helps an organization achieve its strategy and
business objectives. The listed activities are part of Information, Communication, and Reporting activities.

Rationale
 Strategy and Objective-Setting
Incorrect. The Strategy and Objective-Setting component concerns analyzing the business context, defining risk appetite, evaluating business
strategies, and formulating business objectives. The listed activities are part of Information, Communication, and Reporting activities.

Rationale
 Information, Communication, and Reporting
Correct! Communication is the process of obtaining and sharing information to facilitate and enhance ERM. This function includes reporting on the
organization's risk, culture, and performance. The listed activities are part of the information, communication and reporting process.
Question 27
LOS.mang.cyber.risk.0010.wml
tb.mang.cyber.risk.003_17
LOS: LOS.mang.cyber.risk.0010.wml
Lesson Reference: Managing Cyber Risk: Part I—Applying COSO Principles to Cyber Risk
Difficulty: medium
Bloom Code: 3
Risk identification should be mapped to:
An organization's industry.
Organizational personnel.
Liabilities.
Asset utilization.

Rationale
 An organization's industry.
Correct! Cyber risks are often planned by hackers to exploit specific weaknesses, and achieve specific outcomes, in an industry—for example, targeting
financial services firms to steal money.

Rationale
 Organizational personnel.
Incorrect. Though this is possible and perhaps even desirable in some situations (e.g., Brad Pitt works for our company), risk identification is not usually
linked to specific organizational personnel.

Rationale
 Liabilities.
Incorrect. Risk identification is not usually mapped to specific liabilities in a normal risk analysis.

Rationale
 Asset utilization.
Incorrect. Risk identification is not usually mapped to asset utilization in a normal risk analysis.
Question 28
LOS.int.entwide.cloud.syst.0040.wml
AICPA.130503BEC-SIM
LOS: LOS.int.entwide.cloud.syst.0040.wml
Lesson Reference: Introduction to Enterprise-Wide and Cloud-Based Systems
Which of the following risks increases the least with cloud-based computing compared with local server storage for an organization that implements
cloud-based computing?
Data loss.
Vendor security failure.
Global visibility.
System hacks.

Rationale
 Data loss.
The risk of data loss increases with cloud-based computing compared with local server storage computing.

Rationale
 Vendor security failure.
The risk of vendor security failures increases with cloud-based computing compared with local server storage computing.

Rationale
 Global visibility.
Global visibility is not a risk of cloud-based computing.

Rationale
 System hacks.
The risk of system hacks increases with cloud-based computing compared with local server storage computing.
Question 29
LOS.intro.coso.int.ctrl.0040.wml
AICPA.130526BEC-SIM
LOS: LOS.intro.coso.int.ctrl.0040.wml
Lesson Reference: Introduction to COSO, Internal Control, and the COSO Cube
This is the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives.
Control activities.
Control environment.
Information and communication.
Risk assessment.

Rationale
 Control activities.
Control activities are, "...the policies and procedures that ensure that actions are taken to address the risks related to the achievement of
management's objectives."

Rationale
 Control environment.
The control environment is "...management's philosophy toward controls, organizational structure, system of authority and responsibility, personnel
practices, policies, and procedures."

Rationale
 Information and communication.
Information and communication enables an organization's people to identify, process, and exchange the information needed to manage and control
operations.

Rationale
 Risk assessment.
Risk assessment is, "...the process of identifying, analyzing, and managing the risks involved in achieving the organization's objectives."
Question 30
LOS.erm.cloud.computing.0020.wml
tb.erm.cloud.computing.001_17
LOS: LOS.erm.cloud.computing.0020.wml
Lesson Reference: ERM for Cloud Computing
Difficulty: medium
Bloom Code: 3
Max's Hardware Boutique is considering using a CSP. Max should request all of the information below about the CSP except
References from other CSP users.
Privacy compliance policies.
Employee salary information.
Network infrastructure and load reports.

Rationale
 References from other CSP users.
Incorrect. Max should request this information. References from other cloud service providers are important to the decision to hire a CSP.

Rationale
 Privacy compliance policies.
Incorrect. Max should request this information. Information about cloud service providers’ compliance with privacy policies is important to the decision
to hire a CSP.

Rationale
 Employee salary information.
Correct! This would be unusual information to request from a CSP. It is unclear what value this information would provide.

Rationale
 Network infrastructure and load reports.
Incorrect. Max should request this information. Information about cloud service providers’ network infrastructure and load report is important to
determining the capacity and availability of the CSP.
