Chapter 8: Internal controls II

True/False

1. Detective controls have built-in correction mechanisms to reverse the effects of an error or
irregularity. F. Detective controls are designed to detect and report errors or irregularities
but do not necessarily have built-in correction mechanisms.

2. An organisation should choose either COBIT or COSO as the framework for organisation-
wide internal control. F. each has different purpose.

3. If timeliness is a critical factor in its business processes, an organisation should choose online
real-time data processing over batch processing. T

4. Physical controls do not apply to computers because computers are normally password-
protected. F.

5. A password is considered strong if it contains a mix of alphanumeric characters, upper and

lower case characters and symbols even if its length is very short. F. (long)

6. As long as the documents are pre-numbered, it doesn't matter whether the numbers are
consecutive. F

7. Range checks can replace limit checks. F.

8. Validity and reasonableness checks ensure that data within the system is correctly and
accurately processed. T

9. Whereas a hot site should be located away from an organisation, a cold site can be located
nearby. T.

10. Computer-based internal controls mainly depend on the design of relevant programs rather
than the control environment and general controls.

11. Regulatory environment is not a threat to internal controls. F.

12. The smaller the number of employees, the less the less adequate the segregation of duties.

Multiple choice

13. The comparison of actual and budgeted figures and the conduct of variance analysis to
determine the source of the variance is a type of:

a. General control
b. Information processing control
c. Performance review
 Chapter 8: Internal controls II

d. Application control

14. Information processing controls are those that are put in place within the organisation to
work towards the _______ of transactions.

a. efficiency, effectiveness, and accuracy

b. timeliness, efficiency, and completeness
c. accuracy, completeness, and authorisation
d. authorisation, processing, accuracy

15. Which of the following statements is incorrect?

a. General controls operate across the organisation.

b. General controls relate to the overall environment in which different information
systems are located.
c. General controls relate to specific applications and processes.
d. General controls affect the operation of various information systems within an
organisation indirectly.

16. Which of the following statements is incorrect?

a. Application controls are designed around the control objectives of a specific business
process or system.
b. Application controls operate within the scope of general controls.
c. Application controls only provides reasonable assurance that all transactions have
occurred, are authorised, and are completely and accurately recorded and processed.
d. None of the above.

17. An antivirus program scans and monitors files in a computer continuously for viruses. This is
an example of:

a. Preventive control
b. Detective control
c. Corrective control
d. Application control

18. Which of the following statements is true?

a. Good preventative controls should always be able to stop all risks from occurring.
b. Sometimes corrective control is the only option available.
c. Detective and corrective controls, when used together, can substitute preventive
control.
d. A mixture of preventive, detective and corrective controls should always be used.
8.2
 Chapter 8: Internal controls II

19. A computer virus is found in a file in the computer system. Because a solution for recovering
the file is not yet available, the infected file is quarantined by the antivirus software.
Quarantining the infected file is an example of:

a. Preventive control
b. Detective control
c. Corrective control
d. None of the above.

20. Which of the following is NOT a major aim of a computerised accounting information
system?

a. Proper authorisation.
b. Timeliness.
c. Proper recording.
d. User friendly

21. Which of the following statements is true?

a. Proper recording of transactions is essentially about completeness.

b. Proper recording of transactions is essentially about accuracy.
c. Proper recording of transactions is essentially about storing data in only one place.
d. None of the above.

22. Which of the following statements is NOT true?

a. Organisations with inadequate computing power should consider batch processing.

b. Organisations with sufficient computing power should always use online real-time data
processing.
c. Online data gathering and batch processing is a compromise between online real-time
processing and batch processing.
d. None of the above.

23. Which of the following is NOT a form of physical control?

a. Servers are placed in a locked room.

b. A username and a password are needed to log into a computer.
c. Security cameras are put in place.
d. None of the above.

24. Which of the following is an example of poor segregation of duties?

8.3
 Chapter 8: Internal controls II

a. The inventory control department is allowed to receive incoming goods.

b. Warehouse personnel are allowed to ship goods to customers.
c. The purchasing department is allowed to generate purchase requisitions.
d. All of the above.

25. Which of the following is an example of good segregation of duties?

a. The sales department is allowed to bill customers.

b. The accounts receivable department is allowed to prepare bills.
c. The warehouse personnel are allowed to maintain the inventory record.
d. None of the above.

26. Which of the following statements is true?

a. Transaction authorisation should be separated from transaction processing.

b. Asset record-keeping must be separated from asset custody.
c. An organisation should be structured in such a way that any successful fraud would
require the collusion of two or more employees with incompatible duties.
d. All of the above.

27. A cash disbursement clerk issues a cheque that has been approved by the treasurer. This is an
example of:

a. Separating record-keeping from asset custody

b. Separating transaction processing to transaction authorisation
c. Separating asset custody from transaction processing.
d. Separating transaction authorisation from record-keeping.

28. Which of the following is the strongest password?

a. ah@123re$d
b. Nik890102336757099924PoT
c. A_d33erZb#4G
d. Qwertyuiopasdfghjklzxcvbnm1234567890

29. Which of the following statements is true?

a. Strong passwords are not required to be changed periodically.

b. As long as a strong password is devised, it can be as the password to multiple accounts
of a single user.
c. A good control system should force the users to change their password periodically.
d. None of the above.

8.4
 Chapter 8: Internal controls II

30. When developing a backup policy, one should consider:

a. Keeping multiple backups and multiple versions of backups

b. Storing backups offsite
c. Deciding what and how frequently to backup
d. All of the above.

31. The prenumbering of cheques helps to achieve completeness because it:

a. provides control over cheques

b. prevents the issue of false cheques
c. allows us to account for all cheques through a sequence check
d. allows us to ensure all cheque payments are properly authorised

32. A purchase order is entered into a computer purchasing system. The purchase is for $25,000
and has been entered by the purchase clerk. Company policy dictates that purchases over $2000
must be entered by the purchasing manager. This is an example of a breach of controls relating
to:

a. Timeliness
b. Input accuracy
c. Input validity
d. Authorisation

33. Which of the following statements is true?

a. Standardised forms help ensure completeness.

b. Standardised forms help ensure accuracy.
c. Standardised forms can be seen as a preventive control.
d. All of the above.

34. A reasonableness check that is used when processing fortnightly employee wage payments
would best be used to:

a. avoid the entry of false employee names

b. detect any employees who have their payments entered twice
c. detect any potentially incorrect employee numbers
d. detect potentially high values for hours worked

35. Which of the following controls will best help detect inventory input accuracy concerns
when entering credit sales into a system?

a. A batch total of the number of sales invoices in the batch

8.5
 Chapter 8: Internal controls II

b. A hash total of the number of inventory items ordered across all invoices
c. A hash total of customer numbers from all sales invoices
d. A sequence check on sales invoice numbers

36. Which control would best help achieve the aim of correct valuation for purchase transactions
entered into a system?

a. Range checks - checking the quantity ordered against acceptable ranges

b. Validity checks - checking the supplier is listed in our supplier master file
c. Sequence check - ensuring the purchase order number is the next number in the
sequence
d. Authorisation - getting a manager to approve all purchases

37. An example of an output control in a payroll system may be that:

a. Only the HR manager can change an employee's rate of pay

b. Only an employee with a valid employee number and password can request a summary
of wages received over the past month
c. Only the Payroll Clerk can enter payroll details each month
d. Employees have read only access to payroll details

38. Disaster recovery plans include all of the following except:

a. Temporary sites
b. Staffing
c. Employee evacuation procedures
d. Business relationships restoration

39. Disadvantages of manual controls include all of the following except:

a. Manual controls are prone to human errors

b. Manual controls are prone to inconsistent application
c. Manual controls used up too many human resources
d. Manual controls are easier to avoid and work around.

40. Advantages of computer-based controls include all of the following except:

a. Consistent application
b. Independent on control environment and general controls
c. Timely execution
d. Greater degree of difficulty in working around or avoiding the control

8.6
Chapter 8: Internal controls II

8.7