
Part 1 – Financial Planning, Performance, and Analytics

Effective January 1, 2020

Section E. Internal Controls

1. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0001)

The Sarbanes-Oxley Act has multiple sections. Which one of the following is not a correct statement about
Section 404?

a. Section 404 of SOX requires that public companies establish and maintain a system of internal controls,
which is then audited by external auditors.
b. Section 404 of SOX requires that publicly held companies document their internal controls.
c. Section 404 of SOX requires that the internal auditor establish and document internal control procedures and
include in the annual report a report on the company’s internal control over financial reporting.
d. Section 404 of SOX requires that the external auditor attest to and report on management’s assessment
of the effectiveness of internal control.

2. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0002)

Auditing Standard No. 5 provides guidance for the external auditor in complying with Section 404 requirements.
It requires auditors to perform their internal control assessment using a top-down, risk assessment (TDRA)
approach. Which one of the following is not a correct statement about TDRA?

a. TDRA is a hierarchical approach that applies specific risk factors to determine the scope of work
(i.e., the controls to test) and the evidence required in the assessment of internal controls.
b. TDRA begins at the financial statement level with the auditor's understanding of the overall risks to internal
control over financial reporting.
c. TDRA involves identifying and evaluating the company’s whistleblower hotline and its code of conduct.
d. TDRA is a principles-based approach that gives the auditor absolute assurance that detection risk is
eliminated.

3. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0003)

The Auditing Standard issued by the PCAOB requires the external auditor to express an opinion on both the system
of internal control over financial reporting and the fair presentation of the financial statements. Auditors use different
audit approaches. Which of the following is a true statement as per the PCAOB?

a. The auditor should use a top-down approach to audit internal controls over financial reporting.
b. The auditor should use a bottom-up approach to audit internal controls over financial reporting.
c. The auditor should use either a top-down or a bottom-up approach to audit internal controls over
financial reporting, depending on the situation.
d. The auditor should focus first on performing detailed tests of controls at the process, transaction,
and application levels.

Prepared by: Sameh.Y.El-lithy. CMA,CIA. 1


4. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0004)

All organizations connected to the Internet are subject to the risk of cyberattack. Malicious
hackers conduct cyberattacks using various methods and tactics; companies protect
themselves from these attacks through different methods and tools. Which of the following
is not a correct statement regarding vulnerability testing and penetration testing:

a. Vulnerability testing identifies weaknesses in the IT infrastructure.
b. A penetration test is an authorized attempt by either an internal audit team or an external
security consulting firm to break into the organization’s information system.
c. Penetration testing is the most common form of “something you are” authentication.
d. Vulnerability testing provides information on targets for penetration testing and on how to
mitigate identified vulnerabilities.

5. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0005)

A disaster recovery plan (DRP) outlines the procedures to restore an organization’s IT function
in the event that its data center is destroyed. Organizations have options for replacing their
IT infrastructure, which includes not just computers but also network components such as
routers and switches, software, data, Internet access, printers, and supplies. Airlines and
financial institutions will most likely use a

a. Cold site
b. Hot site
c. Warm site
d. Operating site

6. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0006)

Interruptions to business processes due to the unavailability of systems or information can
cause significant financial losses. Therefore, an organization should have a formal disaster
recovery plan to fall back on in the event of a hurricane, fire, earthquake, flood, or criminal
or terrorist act. A disaster recovery plan specifies all of the following except:

a. Which employees will participate in disaster recovery and what their responsibilities will be.
b. What hardware, software, and facilities will be used.
c. The steps to communicate the incident to all regulatory bodies.
d. The priority of the applications that should be processed.

7. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0007)

Simply having a disaster recovery plan and a business continuity plan, however, is not enough.
Both plans must be well documented. Which of the following is least likely to be documented
in such plans:

a. Instructions for notifying appropriate staff and the steps to take to resume operations.
b. Vendor documentation for all hardware and software.
c. Operating instructions, especially if temporary replacements have to be hired, and any
modifications made to default configurations.
d. All top management strategic plans and long-term strategies.



8. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0008)

PCAOB Auditing Standard No. 5 requires auditors to follow a risk-based approach to the
development of auditing procedures. Auditors are also required to scale the audit to the size
of the organization and to follow other prescribed approaches to perform the audit. In
addition, Auditing Standard No. 5 provides guidance for the external auditor in complying with
Section 404 requirements. It requires auditors to perform their internal control assessment
using a top-down, risk assessment (TDRA) approach. Which of the following is not a correct
statement regarding the top-down approach?

a. A TDRA approach begins at the financial statement level with the auditor's understanding of
the overall risks to internal control over financial reporting.
b. A TDRA approach begins by identifying the risks that a material misstatement of the financial
statements would not be prevented or detected in a timely manner.
c. A TDRA approach ensures the proper testing of the controls for the assessed risk of misstatement
for each relevant assertion.
d. A TDRA approach relies almost exclusively on detailed tests of controls over individual processes,
transactions, and applications.

9. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0009)

Documenting an organization's information system and related control procedures can often be
done most effectively through a flowchart that visually depicts the flow of transactions through
the process, from initiation to storage of the data. All of the following are benefits of a flowchart
except:

a. A flowchart assists in properly identifying risks at each point in the process or system and helps
identify gaps or flaws in the controls.
b. A flowchart can be useful for summarizing the internal auditor's information about the
organization's processes.
c. A flowchart aids in the design, development, and implementation of new accounting information
systems or new control procedures.
d. A flowchart is a good preventive control tool that eliminates fraud and collusion, especially in the
sales and receivables cycle.

10. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0010)

A flowchart is a pictorial, analytical technique used to describe some aspect of an information
system in a clear, concise, and logical manner. A special type of flowchart is called an internal
control flowchart. All of the following are correct statements regarding this type of flowchart
except:

a. An internal control flowchart is used to describe, analyze, and evaluate internal controls to identify
system weaknesses or inefficiencies, such as inadequate communication flows.
b. An internal control flowchart is used to describe, analyze, and evaluate internal controls to identify
insufficient segregation of duties.
c. An internal control flowchart is used to describe, analyze, and evaluate internal controls to identify
unnecessary complexity in document flows.
d. An internal control flowchart is used to describe, analyze, and evaluate internal controls to identify
the relationships among system input, processing, storage, and output.



11. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0011)

In the past, top executives were often involved indirectly in crafting their own compensation
packages by hiring the consultants who designed those packages. Now, in response to recent
scandals, the role of board compensation committees is increasing. Which of the following is
not a correct statement:

a. Accountants can help these committees improve their company’s compensation plans by
providing advice concerning the financial and tax effects of proposed changes in executive
compensation.
b. Accounting expertise is especially helpful in identifying the appropriate metrics
to use when linking compensation to performance.
c. Accountants can also help board compensation committees comply with legal and regulatory
requirements such as tax regulations.
d. Accountants should encourage the use of short-term performance-based incentive compensation
rather than long-term incentives.

12. CSO: Section E.1. Governance, risk, and compliance (1.E.1_SE-0012)

All of the following are true statements regarding the compensation committee except:

a. The compensation committee and the full board should carefully consider the compensation amount
and mix for executives and directors and evaluate the incentives and risks associated with a heavy
emphasis on short-term performance-based incentive compensation for executives and directors.

b. The compensation committee of the board should have a charter, authorized by the board, that
outlines how the compensation committee will be organized, the committee’s duties and
responsibilities, and how it reports to the board.

c. The compensation committee should be composed of independent directors only, and should have
access to independent outside advisors who report directly to the committee.

d. The compensation committee should be managed by the company’s CFO and hold quarterly meetings
to update the compensation mix.

13. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0013)

All of the following represent methods and procedures to reduce the risk to data transmitted
over a network except:

a. Data encryption.
b. Routing verification.
c. Electronic eavesdropping.
d. Message acknowledgment.



14. CSO: Section E.2 Systems controls and security measures (1.E.1_SE-0014)

Organizations develop and test business continuity plans to be reasonably certain that they will
be able to operate in spite of any interruption, such as a power failure. Power loss has ranked as the
top cause of business disruptions in recent years. Which of the following will be appropriate
for a company that faces frequent power outages:

a. Uninterruptible power system
b. Cold site
c. Parallel system
d. Hot site
