
U5
E.1. Governance, Risk, and Compliance: Part 1

Question: What are the five principles associated with the control environment component of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Commitment to ethics and integrity
2. Board independence and oversight
3. Organizational structure
4. Commitment to competence
5. Accountability

FC-00290 CSO: 1E1a LOS: 1E1c #1 © Becker Professional Education. All rights reserved.

Question: What are the objectives of internal control?
Answer:
To promote efficiency and effectiveness of operations
To ensure reliable financial reporting
To encourage compliance with applicable laws and regulations

FC-00128 CSO: 1E1a LOS: 1E1b #2

U5 Page 1 of 43
Question: What are some inherent limitations of internal control?
Answer:
1. Management override of internal controls.
2. Human error, which may include errors in the design or use of automated controls.
3. Deliberate circumvention of controls by collusion of two or more people.

FC-00129 CSO: 1E1a LOS: 1E1a #3

Question: Provide some examples of factors that would increase inherent risk.
Answer:
Some examples of factors that would tend to increase inherent risk include:
Technological developments that make a product obsolete
A lack of working capital
A decline in overall industry or economy
High-volume transactions
Complex transactions
Amounts derived from estimates

FC-01419 CSO: 1E1c LOS: 1E1n #4

Question: What are the two components of the risk of material misstatement?
Answer:
Inherent Risk: The susceptibility of a relevant assertion to a material misstatement assuming that there are no related controls.
Control Risk: The risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected (and corrected) on a timely basis by the entity's internal control.

FC-00116 CSO: 1E1c LOS: 1E1n #5

Question: State the audit risk model, including the relationship of detection risk to substantive tests.
Answer:
AR = RMM × DR
Where:
RMM = Risk of material misstatement
DR = Detection risk

There is an inverse relationship between RMM and DR. As the acceptable level of detection risk increases, the assurance required from substantive tests decreases. As the acceptable level of detection risk decreases, the assurance required from substantive testing must increase.

FC-00115 CSO: 1E1c LOS: 1E1n #6

Question: What functions should be segregated related to payroll and personnel?
Answer:
The following duties should be segregated:
Authorization (human resources, supervisory staff, timekeeping, and cost accounting)
Record keeping (payroll department)
Custody of assets (treasurer)
ARC

FC-00175 CSO: 1E1b LOS: 1E1i #7

Question: Name and describe the three objectives within the COSO framework.
Answer:
The three framework objectives within COSO are:
Operating objectives pertain to the effectiveness and efficiency of the entity's operations.
Reporting objectives pertain to the reliability, timeliness, and transparency of an entity's reporting.
Compliance objectives are necessary to ensure the entity is adhering to all laws and regulations.

FC-01302 CSO: 1E1a LOS: 1E1b #8

Question: What is the purpose of the COSO cube?
Answer: The COSO cube shows a graphical three-dimensional depiction of the relationship between an entity's three objectives, its five integrated control components, and the entity's organizational structure.

FC-01303 CSO: 1E1a LOS: 1E1a #9

Question: What is necessary for the five components of the COSO framework to create an effective internal control environment for an entity?
Answer: In order to have an effective internal control environment for an entity, the five components and 17 related principles must be both present and functioning. Additionally, the five components must operate together as an integrated system, to reduce the risk to an acceptable level that the entity will not achieve its objectives.

FC-01304 CSO: 1E1a LOS: 1E1b #10

Question: Identify some inherent limitations that may exist even with an effective internal control system.
Answer:
The following inherent limitations may still exist with an effective internal control system:
Breakdowns in internal control due to error or human failure
Issues pertaining to the suitability of the entity's objectives
External events beyond the control of the entity
Faulty or biased judgment in decision-making
Management override of controls
Circumvention of controls through collusion

FC-01306 CSO: 1E1b LOS: 1E1g #11

Question: What constitutes ineffective internal control under the COSO framework?
Answer: If a major deficiency is identified related to the presence and functioning of a component or relevant principle, or with respect to the components operating together in an integrated manner, the entity may not conclude that it has an effective internal control system in place under the COSO framework.

FC-01307 CSO: 1E1a LOS: 1E1a #12

Question: Within the context of enterprise risk management, what is the meaning of inherent risk?
Answer: Inherent risk is the risk to an entity in the absence of any direct or focused actions by management to alter its severity.

FC-00301 CSO: 1E1c LOS: 1E1n #13

Question: Distinguish between diversifiable and nondiversifiable risk.
Answer:
D Diversifiable Risk
U Unsystematic Risk (Nonmarket/firm specific)
N Nondiversifiable Risk
S Systematic Risk (Market)

FC-00516 CSO: 1B1b LOS: 1B1e #14

E.1. Governance, Risk, and Compliance: Part 2, and E.2. System Controls and Security Measures

Question: Which standards provide the most authoritative U.S. auditing guidance for nonissuers and issuers, and who issues those standards?
Answer:
Nonissuers: Statements on Auditing Standards (SASs), issued by the AICPA Auditing Standards Board
Issuers: Auditing Standards (ASs), issued by the Public Company Accounting Oversight Board (PCAOB)

FC-00003 CSO: 1E1e LOS: 1E1s #15

Question: State the primary purpose of an audit.
Answer: To provide financial statement users with an opinion on whether the financial statements are fairly presented, in all material respects, in accordance with the applicable financial reporting framework.

FC-00001 CSO: 1E1e LOS: 1E1w #16

Question: What are the five general GAAS requirements related to the conduct of an audit?
Answer:
S Professional Skepticism
E Ethical Requirements
J Professional Judgment
E Sufficient and Appropriate Audit Evidence
C Compliance with GAAS

FC-00005 CSO: 1E1e LOS: 1E1w #17

Question: Identify three inherent limitations of an audit.
Answer:
The nature of financial reporting
The nature of audit procedures
Timeliness of financial reporting and the balance between benefit and cost

FC-00002 CSO: 1E1e LOS: 1E1w #18

Question: When should an auditor's opinion be modified?
Answer:
A modification to the auditor's report is necessary when:
the auditor determines that the financial statements as a whole are materially misstated (GAAP issue); or
the auditor is unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement (GAAS issue).

FC-00014 CSO: 1E1e LOS: 1E1w #19

Question: What is the purpose of an emphasis-of-matter paragraph (nonissuer)?
Answer: The purpose of an emphasis-of-matter paragraph is to reference a matter that is appropriately presented in the financial statements, but is of such importance that it is fundamental to the user's understanding of the financial statements.

FC-00015 CSO: 1E1e LOS: 1E1w #20

Question: When would an auditor use professional judgment to determine whether to issue a qualified opinion or an adverse opinion?
Answer:
When audit evidence indicates that there is material misstatement of the financial statements.

A qualified opinion is issued when the auditor concludes that misstatements, individually or in the aggregate, are material but not pervasive to the financial statements.

An adverse opinion is issued when the auditor concludes that misstatements, individually or in the aggregate, are both material and pervasive to the financial statements.

FC-00023 CSO: 1E1e LOS: 1E1w #21

Question: When would an auditor use professional judgment to determine whether to issue a qualified opinion or a disclaimer of opinion?
Answer:
When there is a limitation on the scope of the audit.

A qualified opinion is issued when an auditor is unable to obtain sufficient appropriate audit evidence on which to base an opinion and the auditor determines that the possible effects could be material but not pervasive.

A disclaimer of opinion is expressed when the auditor is unable to obtain sufficient appropriate audit evidence on which to base an opinion and the auditor determines that the possible effects could be both material and pervasive.

FC-00025 CSO: 1E1e LOS: 1E1w #22

Question: How do uncertainties affect the auditor's report?
Answer (Uncertainty / Opinion):
1. No material misstatement and management's analysis of uncertainty is supported and properly reported or disclosed. Opinion: Unmodified opinion (Note: The auditor may add an emphasis-of-matter or explanatory paragraph if the auditor determines that further explanation is necessary.)
2. Unable to obtain sufficient evidence involving uncertainty (scope limitation). Opinion: Qualified opinion or disclaimer of opinion.
3. Financial statements are materially misstated due to departure from GAAP related to the uncertainty. Opinion: Qualified opinion or adverse opinion.

FC-00028 CSO: 1E1e LOS: 1E1w #23

Question: Where in the standard unmodified opinion (nonissuer) does the auditor refer to (1) the applicable financial reporting framework (i.e., GAAP or IFRS) and (2) generally accepted auditing standards?
Answer:
1. The applicable financial reporting framework is referred to in the management's responsibility paragraph and opinion paragraph.
2. GAAS is referred to in the auditor's responsibility paragraph.

FC-01421 CSO: 1E1e LOS: 1E1w #24

Question: What are the reporting requirements for an other-matter paragraph (nonissuer)?
Answer:
Reporting requirements for an other-matter paragraph include:
Placing the paragraph immediately after the opinion paragraph and after any emphasis-of-matter paragraph.
Using the heading "other-matter" or another appropriate heading.

FC-01424 CSO: 1E1e LOS: 1E1w #25

Question: What situations may result in a disclaimer of opinion in an audit report?
Answer:
Pervasive inability to obtain sufficient appropriate audit evidence.
Lack of independence (always results in disclaimer).
Going concern uncertainty (note: If adequate disclosure of going concern exists, the auditor may choose between an unqualified opinion with an explanatory paragraph or a disclaimer of opinion).

FC-01427 CSO: 1E1e LOS: 1E1w #26

Question: Compared to a standard unqualified opinion for an issuer, determine the paragraphs that are modified in an audit report when the following opinions are issued due to financial statement issues (misstatement): Qualified; Adverse.
Answer:
Qualified: Opinion Section*: Except for; Additional Paragraph: Yes; Basis for Opinion Section*: Standard
Adverse: Opinion Section*: Do not present fairly; Additional Paragraph: Yes; Basis for Opinion Section*: Standard

*Note: The section headings ("Opinion on the Financial Statements" and "Basis for Opinion") are the same as the standard unqualified report when a qualified or adverse opinion is issued.

FC-01545 CSO: 1E1e LOS: 1E1w #27

Question: How does the principles-based approach support an effective system of internal control under the COSO framework?
Answer: An effective system of internal control requires the use of judgment in determining the sufficiency of controls, applying the proper controls, and assessing the effectiveness of the system of internal controls. The principles-based approach of the COSO framework emphasizes the importance of management judgment.

FC-01301 CSO: 1E1d LOS: 1E1e #28

Question: What are the components of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Existing Control Activities
CRIME

FC-00289 CSO: 1E1e LOS: 1E1u #29

Question: What are the four principles associated with the risk assessment component of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Specify objectives
2. Identify and analyze risks
3. Consider potential for fraud
4. Identify and assess changes

FC-00291 CSO: 1E1e LOS: 1E1u #30

Question: What are the responsibilities of auditors when there are disagreements among members of the audit team?
Answer: Auditors have a responsibility to exercise due professional care and to observe the standards of fieldwork. They should bring any disagreements with the conduct of the audit to the attention of the auditor-in-charge (generally a partner). The auditor also has the right to document the disagreement, and, if necessary, to disassociate from the opinion.

FC-00106 CSO: 1E1e LOS: 1E1w #31

Question: What are the five components of internal control?
Answer:
Control environment
Risk assessment
Information and communication systems
Monitoring
Existing control activities
(CRIME)

FC-00130 CSO: 1E1e LOS: 1E1u #32

Question: Why is the control environment particularly important to internal control?
Answer: The control environment sets the tone of an organization, influencing the control consciousness of its employees, and providing the foundation for the other components of internal control.

FC-00131 CSO: 1E1e LOS: 1E1u #33

Question: What factors are included in the control environment?
Answer:
Communication and enforcement of integrity and ethical values
Management's commitment to competence
Participation of those charged with governance
Management's philosophy and operating style
Organizational structure
Assignment of authority, responsibility, and accountability
Human resource policies and practices

FC-00132 CSO: 1E1e LOS: 1E1u #34

Question: Describe the risk assessment component of internal control.
Answer: Risk assessment is an entity's identification and analysis of risks to the achievement of its objectives with respect to financial reporting. Risk assessment involves identification, analysis, and management of business risks relevant to the preparation of financial statements.

FC-00133 CSO: 1E1e LOS: 1E1u #35

Question: What functions are served by an entity's information system with respect to financial reporting?
Answer:
Identify and record all valid transactions.
Process and account for system overrides or bypasses to controls.
Describe transactions in a timely manner and in sufficient detail to allow proper classification.
Measure and record the proper monetary value of transactions.
Determine and ensure proper recording of transactions and events in the appropriate time period.
Present transactions and related disclosures properly in the financial statements.

FC-00134 CSO: 1E1e LOS: 1E1u #36

Question: What functions should an auditor understand about an entity's communication system with respect to financial reporting?
Answer:
The methods used to communicate roles, responsibilities, and significant matters related to financial reporting.
Communications between management and those charged with governance, and between management and external parties.

FC-00135 CSO: 1E1e LOS: 1E1u #37

Question: What activities may be considered part of the monitoring component of internal control?
Answer:
The monitoring process may include:
Management and supervisory activities
Separate internal control evaluations
The internal audit function
Evaluation of communications from external parties

FC-00136 CSO: 1E1e LOS: 1E1u #38

Question: Name some control activities that are relevant to an audit.
Answer:
Prenumbering of documents
Authorization of transactions
Independent checks to maintain asset accountability
Documentation
Timely and appropriate performance reviews
Information processing general and application controls
Physical controls for safeguarding assets
Segregation of duties
PAIDTIPS

FC-00137 CSO: 1E1e LOS: 1E1u #39

Question: What functions should be segregated?
Answer:
Authorizing transactions
Recording transactions
Maintaining Custody of the related assets
Segregation of duties is your ARC to protect against a flood of troubles.

FC-00138 CSO: 1E1e LOS: 1E1i #40

Question: Why does an auditor obtain an understanding of the client's internal control?
Answer: An auditor obtains an understanding of internal control to evaluate the design of controls and determine whether they have been implemented; to assess the risk of material misstatement; and to design the nature, extent, and timing of further audit procedures.

FC-00139 CSO: 1E1e LOS: 1E1w #41

Question: What are the functions of the audit committee?
Answer:
The audit committee typically:
1. Selects and appoints the independent auditor and sets the audit fee.
2. Reviews the nature and details of the audit engagement.
3. Reviews the quality of the auditor's work.
4. Reviews the scope of the audit.
5. Determines that any recommendations made by the auditor are given proper attention.
6. Maintains lines of communication between the auditor and the board of directors.
7. Helps solve any disagreements related to the accounting treatment of material items in the financial statements.
8. Evaluates the internal control of the company with the help of the independent auditor.
9. Makes reports to the board of directors and the stockholders when necessary.
10. Assures that the auditor is independent of the company.

Note: The audit committee has additional responsibilities under Sarbanes-Oxley.

FC-00220 CSO: 1E1d LOS: 1E1f #42

Question: What are the three principles associated with the (existing) control activities component of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Select and develop control activities.
2. Select and develop technology controls.
3. Deploy through policies and procedures.

FC-00292 CSO: 1E1e LOS: 1E1u #43

Question: What are the three principles associated with the information and communication component of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Obtain and use information.
2. Internally communicate information.
3. Communicate with external parties.

FC-00293 CSO: 1E1e LOS: 1E1u #44

Question: Differentiate the COSO framework from the Audit framework.
Answer: The five components of the COSO framework are useful for identifying and evaluating the effectiveness of an entity's internal control. In contrast, the Audit framework focuses on how a given control prevents or detects and corrects material misstatements in an entity's financial reporting.

FC-01305 CSO: 1E1e LOS: 1E1w #45

Question: What are the two principles associated with the monitoring component of the Committee of Sponsoring Organizations' (COSO) Internal Control Integrated Framework?
Answer:
1. Ongoing and Separate Evaluations
2. Communication of Deficiencies

FC-00294 CSO: 1E1e LOS: 1E1u #46

Question: Title III of the Sarbanes-Oxley Act, Corporate Responsibility, includes four topics pertaining to financial reporting. What are they?
Answer:
Public company audit committees
Corporate responsibility for financial reports
Improper influence on conduct of audits
Forfeiture of certain bonuses and profits

FC-00272 CSO: 1E1e LOS: 1E1p #47

Question: The Sarbanes-Oxley Act defines the responsibilities of the audit committee of an issuer as including:
Answer:
1. Appointment of the auditor.
2. Compensation of the auditor.
3. Oversight of the auditor.
a. Resolve disagreements between management and the auditor.
b. The auditor reports directly to the audit committee.

FC-00273 CSO: 1E1e LOS: 1E1p #48

Question: The Sarbanes-Oxley Act defines the criteria for the independence of audit committee members for issuers as including the following characteristics:
Answer:
1. Each member of the audit committee shall be a member of the board of directors of the issuer but shall be otherwise independent.
2. Audit committee members may not accept any consulting, advisory, or other compensation or fees from the issuer other than pursuant to their roles on the board.
3. Audit committee members may not be an affiliated person (a person who can influence financial decisions) of the issuer or any subsidiary of the issuer.

FC-00274 CSO: 1E1e LOS: 1E1p #49

Question: The Sarbanes-Oxley Act requires that an issuer's audit committee establish a complaint procedure that includes:
Answer:
1. Receipt, retention, and treatment of complaints received by issuers regarding:
a. Accounting
b. Internal controls
c. Auditing
2. Confidential or anonymous submissions by employees of issuers regarding questionable accounting or auditing matters.

FC-00275 CSO: 1E1e LOS: 1E1p #50

Question: The Sarbanes-Oxley Act assigns the following corporate responsibilities for financial reports for issuers:
Answer:
The CEO and CFO must certify the following for annual and quarterly reports:
1. The officers have reviewed the report.
2. The report does not include untrue statements or omit material information.
3. The financial statements are fairly stated.
4. The signing officers make assertions regarding their responsibilities for internal control.
5. The signing officers have disclosed internal control weakness and instances of fraud to the auditors and the audit committee.
6. The status of changes to internal control subsequent to the date of their evaluation.

FC-00276 CSO: 1E1e LOS: 1E1p #51

Question: The Sarbanes-Oxley Act assigns the following corporate responsibilities regarding internal controls that must accompany financial reports:
Answer:
The CEO and CFO must certify the following for annual and quarterly reports:
1. The officers are responsible for establishing and maintaining internal controls.
2. Internal control is designed to ensure that material information is provided to internal and external users.
3. Internal controls have been evaluated within 90 days prior to the report.
4. The officers' conclusions regarding internal control effectiveness as of the evaluation date.

FC-00277 CSO: 1E1e LOS: 1E1p #52

Question: The Sarbanes-Oxley Act assigns the following corporate responsibilities regarding the required disclosures to the auditors and audit committee by officers:
Answer:
The CEO and CFO must certify the following for annual and quarterly reports to the auditors and the audit committee:
1. All significant deficiencies in the design or operation of internal controls.
2. Any fraud, whether or not material, that involves management.

FC-00278 CSO: 1E1e LOS: 1E1p #53

Question: The Sarbanes-Oxley Act specifically prohibits improper influence on the conduct of audits defined as follows:
Answer: No officer or director may take any action to fraudulently influence, coerce, manipulate, or mislead an independent CPA engaged in an audit of the financial statements of an issuer for the purpose of rendering the financial statements materially misleading.

FC-00279 CSO: 1E1e LOS: 1E1p #54

Question: The Sarbanes-Oxley Act imposes certain financial penalties on officers who are responsible for material misstatements resulting from their misconduct. Penalties include:
Answer:
1. Refund to the issuer of any bonus or other incentive-based or equity-based compensation during the 12-month period following the first public issuance of the financial document.
2. Refund any profits realized from the sale of securities of the issuer during the 12-month period following the first public issuance of the financial document.

FC-00280 CSO: 1E1e LOS: 1E1p #55

Question: Title IV of the Sarbanes-Oxley Act, Enhanced Financial Disclosures, includes the following topics:
Answer:
Disclosures in periodic reports
Enhanced conflict-of-interest provisions
Disclosures of transactions involving management and principal stockholders
Management assessment of internal controls
Certain exemptions
Code of ethics for senior financial officers
Disclosure of audit committee financial expert
Enhanced review of periodic disclosures by issuers

FC-00281 CSO: 1E1e LOS: 1E1p #56

Question
The Sarbanes-Oxley Act requires certain disclosures in periodic reports. Those disclosures include:

Answer
1. All material correcting adjustments identified by the public accounting firm reporting on the financial statements.
2. All material off-balance sheet transactions, including operating leases, contingent obligations, and relationships with unconsolidated subsidiaries.
3. Pro forma financial statements must include all relevant information and must not include misleading or untrue information.

FC-00282 CSO: 1E1e LOS: 1E1p #57 © Becker Professional Education. All rights reserved.

Question
The Sarbanes-Oxley Act includes certain enhanced conflict-of-interest provisions. Those provisions include:

Answer
Prohibitions on personal loans to executives, with some exceptions.

FC-00283 CSO: 1E1e LOS: 1E1p #58 © Becker Professional Education. All rights reserved.

Question
The Sarbanes-Oxley Act includes provisions for disclosure of transactions involving management and principal stockholders. Those provisions include:

Answer
Reporting by directors, officers, and persons with ownership of 10 percent or more of a class of the issuer's equity securities. Statements are filed at the time of registration, when a person achieves 10 percent ownership, and when there has been a change in ownership (changes must be reported by the end of the second business day after the transaction).

FC-00284 CSO: 1E1e LOS: 1E1p #59 © Becker Professional Education. All rights reserved.

Question
The Sarbanes-Oxley Act includes provisions for management assessment of internal controls. Those provisions include a report showing:

Answer
1. Management's statement that it is responsible for establishing and maintaining an adequate internal control structure.
2. Management's conclusions regarding its assessment of the effectiveness of the internal control structure and procedures for financial reporting.
3. The auditor's attestation regarding management's assessment of internal control.

FC-00285 CSO: 1E1e LOS: 1E1p #60 © Becker Professional Education. All rights reserved.

Question
The Sarbanes-Oxley Act includes provisions for audit committee disclosures. Those disclosures include:

Answer
The issuer must disclose the existence of a financial expert on the committee or the reasons why the committee does not have a member who is a financial expert.

FC-00286 CSO: 1E1e LOS: 1E1p #61 © Becker Professional Education. All rights reserved.

Question
For purposes of service on the audit committee, what qualifies an individual for classification as a financial expert?

Answer
A financial expert qualifies through education, past experience as a public accountant, or past experience as a finance officer for an issuer. Knowledge of the financial expert should include:
1. Understanding of GAAP.
2. Experience in the preparation or auditing of financial statements for comparable issuers.
3. Application of GAAP.
4. Experience with internal controls.
5. Understanding of audit committee functions.

FC-00287 CSO: 1E1e LOS: 1E1p #62 © Becker Professional Education. All rights reserved.

Question
Title VIII of the Sarbanes-Oxley Act considers what topics?

Answer
Criminal penalties for altering documents
Statute of limitations for securities fraud
Whistle-blower protection
Criminal penalties for securities fraud

FC-00288 CSO: 1E1e LOS: 1E1p #63 © Becker Professional Education. All rights reserved.

Question
Title IX of the Sarbanes-Oxley Act considers what topics?

Answer
Title IX, White-Collar Crime Penalty Enhancements, includes the following:
Attempt and conspiracy
Amended sentencing guidelines for white-collar offenses
Failure of corporate officers to certify financial reports

FC-01297 CSO: 1E1e LOS: 1E1p #64 © Becker Professional Education. All rights reserved.

Question
An issuer periodic report containing financial statements filed with the SEC must include the following written certifications:

Answer
Each certified financial report must include a written statement:
1. That the periodic report complies with the reporting requirements of the Securities Exchange Act of 1934.
2. That the information in the report fairly presents, in all material respects, the financial condition and operating results of the issuer.
3. The statement must be signed by the CEO and CFO of the issuer, who bear responsibility for it.

FC-01298 CSO: 1E1e LOS: 1E1p #65 © Becker Professional Education. All rights reserved.

Question
Title XI of the Sarbanes-Oxley Act considers what topics?

Answer
Title XI, Corporate Fraud Accountability, includes the following:
Tampering with a record or impeding an official proceeding
Temporary freeze authority for the SEC
Authority of the SEC to prohibit persons from serving as officers or directors
Retaliation against informants

FC-01299 CSO: 1E1e LOS: 1E1p #66 © Becker Professional Education. All rights reserved.

Question
Under Title XI, Corporate Fraud Accountability, what are the penalties for tampering with a document used in an official proceeding or retaliating against an informant providing information to the SEC?

Answer
Document tampering will result in fines and/or a prison term of not more than 20 years.

Retaliation against informants providing information to the SEC will result in fines and/or a prison term of not more than 10 years.

FC-01300 CSO: 1E1e LOS: 1E1p #67 © Becker Professional Education. All rights reserved.

Question
Identify functions that should be segregated in an IT department.

Answer
The duties of systems analysts, computer programmers, and computer operators should be segregated (although many companies combine systems analysts and computer programmers).

FC-00416 CSO: 1E2a LOS: 1E2a #68 © Becker Professional Education. All rights reserved.

Question
What are three types of programmed controls?

Answer
Programmed controls are:
1. Input controls
2. Processing controls
3. Output controls

FC-00417 CSO: 1E2a LOS: 1E2c #69 © Becker Professional Education. All rights reserved.
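The three control types above, carried through on one transaction batch. This is an added example, not part of the original flashcards: the batch header, the records, the master-file account list and the amount limit are all constructed for the illustration. Input controls are per-record edit checks; processing controls compare the batch against the header's record count, control total and hash total; output controls reconcile what was posted to what was accepted.

```python
"""Input, processing and output controls over one transaction batch.

Added example, not from the original flashcards. The batch header, the
records, the valid-account master list and the amount limit are
constructed for the illustration.
"""
import re

VALID_ACCOUNTS = {"1001", "1002", "1003"}   # assumed master file
AMOUNT_LIMIT = 10_000                        # assumed limit check
ACCOUNT_RE = re.compile(r"^\d{4}$")          # format check: four digits


def input_controls(record):
    """Edit checks applied to each record before processing.
    Returns a list of error strings; an empty list means accepted."""
    errors = []
    account = record.get("account", "")
    if not ACCOUNT_RE.match(account):
        errors.append("format: account must be 4 digits")
    elif account not in VALID_ACCOUNTS:
        errors.append("validity: account not on master file")
    amount = record.get("amount")
    if not isinstance(amount, (int, float)):
        errors.append("field: amount missing or not numeric")
    elif amount <= 0 or amount > AMOUNT_LIMIT:
        errors.append("limit: amount outside 0 < amount <= %d" % AMOUNT_LIMIT)
    return errors


def processing_controls(header, accepted):
    """Batch controls: record count, control total (sum of amounts) and
    hash total (sum of account numbers, meaningless as a number but it
    detects lost, duplicated or altered records) must match the header."""
    count = len(accepted)
    control_total = sum(r["amount"] for r in accepted)
    hash_total = sum(int(r["account"]) for r in accepted)
    mismatches = []
    if count != header["record_count"]:
        mismatches.append("record count %d != %d" % (count, header["record_count"]))
    if control_total != header["control_total"]:
        mismatches.append("control total %s != %s" % (control_total, header["control_total"]))
    if hash_total != header["hash_total"]:
        mismatches.append("hash total %d != %d" % (hash_total, header["hash_total"]))
    return mismatches


def output_controls(accepted, posted):
    """Reconcile the postings produced to the records accepted for processing."""
    return (len(posted) == len(accepted)
            and sum(a for _, a in posted) == sum(r["amount"] for r in accepted))


def run_batch(header, records):
    """Apply the three control layers; the batch is posted only if it reconciles."""
    rejected, accepted = {}, []
    for i, rec in enumerate(records):
        errs = input_controls(rec)
        if errs:
            rejected[i] = errs
        else:
            accepted.append(rec)
    mismatches = processing_controls(header, accepted)
    posted = [] if mismatches else [(r["account"], r["amount"]) for r in accepted]
    return {"rejected": rejected, "mismatches": mismatches, "posted": posted,
            "output_ok": bool(posted) and output_controls(accepted, posted)}


# Constructed sample batch; the header was prepared by the originator.
SAMPLE_RECORDS = [
    {"account": "1001", "amount": 250},
    {"account": "1002", "amount": 1200},
    {"account": "1003", "amount": 75},
]
SAMPLE_HEADER = {"record_count": 3, "control_total": 1525, "hash_total": 3006}

# Same batch with one amount altered after the header was prepared.
ALTERED_RECORDS = [dict(r) for r in SAMPLE_RECORDS]
ALTERED_RECORDS[1]["amount"] = 1300

# Batch containing a record that fails both a validity and a limit check.
BAD_RECORDS = SAMPLE_RECORDS + [{"account": "1009", "amount": 20000}]
BAD_HEADER = {"record_count": 4, "control_total": 21525, "hash_total": 4015}

if __name__ == "__main__":
    for name, hdr, recs in (("good", SAMPLE_HEADER, SAMPLE_RECORDS),
                            ("altered", SAMPLE_HEADER, ALTERED_RECORDS),
                            ("bad", BAD_HEADER, BAD_RECORDS)):
        print(name, run_batch(hdr, recs))
```

The altered batch passes every input control (1300 is a valid amount) and is caught only by the control total, which is why batch-level processing controls exist alongside per-record edits; a rejected record likewise surfaces as a count mismatch, so the batch is held for correction rather than posted short.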

Question
Why is it important to have segregation of duties between computer operators and computer programmers?

Answer
It is important that computer operators' and computer programmers' duties be segregated, because a person performing both functions would have the opportunity to make unauthorized and undetected program changes.

FC-00426 CSO: 1E2a LOS: 1E2a #70 © Becker Professional Education. All rights reserved.
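A segregation-of-duties check over IT role assignments, covering the two cards above (which functions to segregate, and why operator plus programmer is the dangerous pairing). This is an added example, not part of the original flashcards. The role names and the conflict pairs come from the cards; the user list is constructed, and the distinction between a "prohibited" pairing and a "review" pairing (analyst plus programmer, which the cards say many companies combine) is an assumption about how an organization would grade the findings.

```python
"""Segregation-of-duties (SoD) check over IT role assignments.

Added example, not part of the original flashcards. Role names and
conflict pairs follow the cards; the user list is constructed sample
data and the severity grades are an assumption.
"""
from itertools import combinations

# Pairs of roles one person must not hold at the same time.
# "prohibited": operator + programmer lets one person change a program and
# run it, so the change is both unauthorized and undetected.
# "review": tolerable only with a compensating control such as independent
# change approval (many companies combine analyst and programmer).
CONFLICT_RULES = {
    frozenset({"programmer", "operator"}): "prohibited",
    frozenset({"analyst", "operator"}): "prohibited",
    frozenset({"analyst", "programmer"}): "review",
}


def find_sod_conflicts(assignments):
    """Return (user, role_a, role_b, severity) for every conflicting pair of
    roles held by the same user. Role names are compared case-insensitively
    and roles are reported in sorted order."""
    findings = []
    for user, roles in assignments.items():
        normalized = sorted({r.strip().lower() for r in roles})
        for role_a, role_b in combinations(normalized, 2):
            severity = CONFLICT_RULES.get(frozenset({role_a, role_b}))
            if severity is not None:
                findings.append((user, role_a, role_b, severity))
    return findings


def prohibited_users(assignments):
    """Users with at least one 'prohibited' conflict; these need the role
    removed, not a compensating control."""
    return sorted({f[0] for f in find_sod_conflicts(assignments)
                   if f[3] == "prohibited"})


# Constructed sample data: user -> roles granted in the IT department.
SAMPLE_ASSIGNMENTS = {
    "alice": ["analyst", "programmer"],              # combined role, review
    "bob":   ["operator"],                           # clean
    "carol": ["Programmer", "operator"],             # prohibited pairing
    "dave":  ["analyst", "programmer", "operator"],  # three conflicts
}

if __name__ == "__main__":
    for finding in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("%s holds %s + %s: %s" % finding)
    print("must remediate:", prohibited_users(SAMPLE_ASSIGNMENTS))
```

Run this against an export of the identity provider's group memberships rather than against a hand-maintained list; the control only works if the assignment data is the data the systems actually enforce.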

Question
Why is it important to safeguard files and records?

Answer
Safeguarding of files and records is important because inadequate protection may result in loss or damage that might drive an organization out of business; hardware can always be replaced, but data often cannot be.

FC-00428 CSO: 1E2d LOS: 1E2l #71 © Becker Professional Education. All rights reserved.

Question
What is encryption?

Answer
Encryption uses a digital key, which may be derived from a password, to scramble a readable (plaintext) message into an unreadable (ciphertext) message. The intended recipient of the message then uses either the same key (symmetric encryption) or a different, mathematically related key (asymmetric or public-key encryption) to convert the ciphertext back into plaintext.

FC-00429 CSO: 1E2d LOS: 1E2i #72 © Becker Professional Education. All rights reserved.
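The same-key case from the card, as an added example that is not part of the original flashcards. It builds symmetric encryption with an integrity tag from Python's standard library only: HMAC-SHA256 used as a pseudorandom function in counter mode produces the keystream, and a second HMAC over the ciphertext is the authentication tag (encrypt-then-MAC). The password-to-key step uses PBKDF2. The different-key (public-key) case described on the card is not shown. In production use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a cryptography library; this construction is chosen so the example runs anywhere without third-party packages.

```python
"""Symmetric (same-key) authenticated encryption from the standard library.

Added example, not from the original flashcards. Keystream = HMAC-SHA256
in counter mode; tag = HMAC-SHA256 over nonce || ciphertext; keys derived
from a password with PBKDF2. Use a vetted AEAD in real systems.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's recommended minimum)


def derive_keys(password, salt):
    """Turn a password into two independent 32-byte keys: one for the
    keystream, one for the tag."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(k_enc, nonce, length):
    """PRF in counter mode: block_i = HMAC(k_enc, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, plaintext):
    """Return salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_keys(password, salt)
    stream = _keystream(k_enc, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password, blob):
    """Verify the tag first, then strip the keystream. A wrong key or a
    modified message raises ValueError instead of yielding garbage."""
    if len(blob) < 64:
        raise ValueError("message too short")
    salt, nonce = blob[:16], blob[16:32]
    ciphertext, tag = blob[32:-32], blob[-32:]
    k_enc, k_mac = derive_keys(password, salt)
    expected = hmac.new(k_mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(k_enc, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def roundtrip_ok(password, message):
    """Same key on both sides recovers the plaintext."""
    return decrypt(password, encrypt(password, message)) == message


def wrong_key_rejected(password, other, message):
    """A different key does not silently produce garbage; it is refused."""
    try:
        decrypt(other, encrypt(password, message))
    except ValueError:
        return True
    return False


def tamper_rejected(password, message):
    """Flipping one bit of the ciphertext is detected by the tag."""
    blob = bytearray(encrypt(password, message))
    blob[32] ^= 0x01  # first ciphertext byte
    try:
        decrypt(password, bytes(blob))
    except ValueError:
        return True
    return False
```

The tag check is the part most often left out of home-grown encryption: without it, a keystream cipher lets an attacker flip chosen plaintext bits without knowing the key, so "unreadable" ciphertext is not the same as protected data.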

Question
What characteristics should a password management policy address?

Answer
1. Password length: the longer the better. Passwords should be greater than seven characters; many organizations' standard is eight characters.
2. Password complexity: complex passwords feature three of the following four character classes: uppercase letters, lowercase letters, numeric characters, and special characters (e.g., ! @ # $ % ^ & * or ?).
3. Password age: the National Security Agency (NSA) recommends that passwords be changed every 90 days. Administrative passwords should be changed more frequently.
4. Password reuse: the NSA recommends that reuse of any of the previous 24 passwords be restricted. The goal is to prevent users from alternating between their favorite two or three passwords.

FC-00430 CSO: 1E2b LOS: 1E2e #73 © Becker Professional Education. All rights reserved.
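The four characteristics on the card, implemented as checks a password-change service would run. This is an added example, not part of the original flashcards. The 8-character minimum, three-of-four classes, 90-day age and 24-entry history come from the card; the 30-day administrator age and the PBKDF2 iteration count are assumptions. Password history is kept as salted hashes, never plaintext, so the reuse check re-hashes the candidate under each stored salt. One caveat for practitioners: current NIST SP 800-63B guidance no longer recommends composition rules or scheduled rotation, favouring length and screening against breached-password lists, so treat the age and complexity rules as what this card describes rather than as best practice.

```python
"""Password-policy checks for the four characteristics on the card.

Added example, not from the original flashcards. Limits follow the card
except the admin age and the KDF iteration count, which are assumptions.
History entries are (salt, PBKDF2 digest) pairs, never plaintext.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = {"user": 90, "admin": 30}   # admin value is an assumption
HISTORY_DEPTH = 24
KDF_ITERATIONS = 100_000  # lowered for the example; use 600k+ in practice


def complexity_classes(password):
    """Count how many of the four character classes are present."""
    return sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ])


def hash_password(password, salt=b""):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def in_history(password, history):
    """history: list of (salt, digest), oldest first. Only the most recent
    HISTORY_DEPTH entries are consulted."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate_new_password(password, history):
    """Violations that block a password change; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length: fewer than %d characters" % MIN_LENGTH)
    if complexity_classes(password) < 3:
        problems.append("complexity: fewer than three of four character classes")
    if in_history(password, history):
        problems.append("reuse: matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def is_expired(last_changed, today, role="user"):
    """Password age check; administrative passwords expire sooner."""
    return (today - last_changed).days > MAX_AGE_DAYS[role]


# Constructed history for one user: three previous passwords, oldest first.
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter2023!", "Spring2024!", "Summer2024!")]

if __name__ == "__main__":
    for candidate in ("short", "Summer2024!", "Autumn2024!"):
        print(candidate, evaluate_new_password(candidate, SAMPLE_HISTORY) or "accepted")
    print("user expired after 105 days:", is_expired(date(2024, 1, 1), date(2024, 4, 15)))
```

Because the reuse check costs one PBKDF2 computation per history entry, a 24-deep history at a realistic iteration count is noticeably slow; that cost is the point of the KDF and should not be "optimized" by storing unsalted or fast hashes of old passwords.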

Question
What are the four types of computer security policies?

Answer
1. Program-level policy
2. Program-framework policy
3. Issue-specific policy
4. System-specific policy

FC-00431 CSO: 1E2a LOS: 1E2c #74 © Becker Professional Education. All rights reserved.

Question
What defines an information security policy?

Answer
Information security policies state how an organization plans to protect its tangible and intangible information assets.

FC-00433 CSO: 1E2a LOS: 1E2b #75 © Becker Professional Education. All rights reserved.

Question
What are access controls?

Answer
Access controls limit access to documentation, data files, programs, and computer hardware to authorized personnel. Examples include locks, passwords, user identification codes, assignment of security levels, callbacks on dial-up systems, the setting of file attributes, and the use of firewalls.

FC-00445 CSO: 1E2a LOS: 1E2d #76 © Becker Professional Education. All rights reserved.

Question
What is a firewall?

Answer
A firewall is a system, often a combination of hardware and software, that enforces a set of rules on network traffic, blocking connections that are not explicitly permitted and so preventing unauthorized users from gaining access to network resources. It controls which traffic may pass between networks; it does not by itself identify or authenticate individual users.

FC-00446 CSO: 1E2c LOS: 1E2j #77 © Becker Professional Education. All rights reserved.
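How a packet-filtering firewall applies its rules, as an added example that is not part of the original flashcards. Rules are evaluated top to bottom, the first match decides, and anything no rule matches is dropped (default deny). The rule set, the addresses (private and documentation ranges) and the sample packets are constructed for the illustration.

```python
"""First-match, default-deny firewall rule evaluation.

Added example, not from the original flashcards. Rules, addresses and
packets are constructed; addresses use private/documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def matches(rule, pkt):
    """True when every field of the rule covers the packet."""
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule). Index -1 means no rule
    matched and the implicit default-deny applied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1


def net(s):
    return ipaddress.ip_network(s)


def addr(s):
    return ipaddress.ip_address(s)


# Constructed rule set, evaluated top to bottom.
RULES = [
    Rule("deny",  "any", net("10.0.0.0/8"), net("10.0.9.0/24"), None),   # quarantine segment
    Rule("allow", "tcp", ANY,               net("10.0.1.10/32"), 443),   # public web server
    Rule("allow", "tcp", net("10.0.0.0/8"), net("10.0.1.0/24"),  22),    # internal admin SSH
    Rule("allow", "udp", net("10.0.0.0/8"), net("10.0.0.53/32"), 53),    # internal DNS
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", addr("203.0.113.7"), addr("10.0.1.10"), 443),  # internet -> web
        Packet("tcp", addr("203.0.113.7"), addr("10.0.1.10"), 22),   # internet -> ssh
        Packet("tcp", addr("10.0.2.5"),    addr("10.0.1.10"), 22),   # internal -> ssh
        Packet("tcp", addr("10.0.2.5"),    addr("10.0.9.3"),  22),   # -> quarantine
    ]
    for p in samples:
        print(p.proto, p.src, "->", p.dst, p.dport, evaluate(RULES, p))
```

Two things to check in any real rule set follow directly from this model: the order of rules (a broad allow above a narrow deny silently disables the deny) and the final implicit deny, which must actually exist; many devices ship with a permissive default that has to be replaced.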

Question
What is disaster recovery and what is the difference between a hot site and a cold site?

Answer
Disaster recovery consists of plans for continuing operations in the event of destruction of not only programs and data but also processing capability.

A hot site is an off-site location that is equipped to take over a company's data processing. A cold site is an off-site location that has all of the electrical connections and other physical requirements for data processing but does not have the actual equipment.

FC-00447 CSO: 1E2e LOS: 1E2n #78 © Becker Professional Education. All rights reserved.

Question
What are three types of backups to perform to recover lost data?

Answer
1. Full backup
2. Incremental backup
3. Differential backup

FC-00448 CSO: 1E2d LOS: 1E2l #79 © Becker Professional Education. All rights reserved.
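What the three backup types actually capture and what each needs at restore time, simulated over a small file timeline. This is an added example, not part of the original flashcards; the files and modification times are constructed. A full backup copies everything; a differential copies what changed since the last full; an incremental copies what changed since the last backup of any kind. The restore chain is therefore "last full plus every later incremental" or "last full plus only the latest differential".

```python
"""Full, incremental and differential backups over a simulated file set.

Added example, not from the original flashcards. Files are an in-memory
dict of path -> (mtime, content); the timeline is constructed.
"""


def simulate(events, plan):
    """events: list of (time, {path: content}) modifications in time order.
    plan: list of (time, kind) with kind in full/incremental/differential.
    Returns (list of backup sets, final file state)."""
    files = {}                       # path -> (mtime, content)
    backups = []
    last_full = last_any = -1        # times of the most recent backups
    ei = 0
    for t, kind in plan:
        # apply every modification that happened at or before this backup
        while ei < len(events) and events[ei][0] <= t:
            et, changes = events[ei]
            for path, content in changes.items():
                files[path] = (et, content)
            ei += 1
        if kind == "full":
            since = -1
        elif kind == "differential":
            since = last_full
        elif kind == "incremental":
            since = last_any
        else:
            raise ValueError(kind)
        data = {p: c for p, (m, c) in files.items() if m > since}
        backups.append({"kind": kind, "time": t, "data": data})
        last_any = t
        if kind == "full":
            last_full = t
    return backups, {p: c for p, (_, c) in files.items()}


def restore_chain(backups):
    """Backup sets needed to rebuild the latest state: the last full plus
    every later incremental, or the last full plus only the latest
    differential."""
    last_full_idx = max(i for i, b in enumerate(backups) if b["kind"] == "full")
    later = backups[last_full_idx + 1:]
    if any(b["kind"] == "incremental" for b in later):
        return [backups[last_full_idx]] + [b for b in later if b["kind"] == "incremental"]
    return [backups[last_full_idx]] + later[-1:]


def restore(chain):
    """Apply the sets in order; later copies overwrite earlier ones."""
    state = {}
    for b in chain:
        state.update(b["data"])
    return state


# Constructed timeline: three files created, then edited on later days.
EVENTS = [
    (0, {"a": "a0", "b": "b0", "c": "c0"}),
    (1, {"a": "a1"}),
    (2, {"b": "b1"}),
    (3, {"a": "a2"}),
]
INCREMENTAL_PLAN = [(0, "full"), (1, "incremental"), (2, "incremental"), (3, "incremental")]
DIFFERENTIAL_PLAN = [(0, "full"), (1, "differential"), (2, "differential"), (3, "differential")]

if __name__ == "__main__":
    for name, plan in (("incremental", INCREMENTAL_PLAN), ("differential", DIFFERENTIAL_PLAN)):
        sets, final = simulate(EVENTS, plan)
        print(name, "set sizes:", [len(b["data"]) for b in sets],
              "restore needs", len(restore_chain(sets)), "sets ->", restore(restore_chain(sets)) == final)
```

The trade-off the card's list hides: incremental sets are smallest but every one of them must survive (losing one silently corrupts the restore), while differentials grow each day but only the newest matters. This simulation does not track deletions; a real catalog records them so a restore does not resurrect removed files.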

Question
What are three types of disaster recovery?

Answer
1. Disaster recovery service
2. Internal disaster recovery
3. Multiple data center backups

FC-00449 CSO: 1E2e LOS: 1E2n #80 © Becker Professional Education. All rights reserved.

Question
What are the three types of off-site location?

Answer
1. Cold site
2. Warm site
3. Hot site

FC-00450 CSO: 1E2e LOS: 1E2n #81 © Becker Professional Education. All rights reserved.

Question
What is the disadvantage of a disaster recovery and business continuity plan?

Answer
The disadvantage is the cost and effort required to implement the plan.

FC-00451 CSO: 1E2e LOS: 1E2n #82 © Becker Professional Education. All rights reserved.

Question
What are six reasons organizations constantly improve or replace information systems?

Answer
1. Change in the needs of a business
2. Technological advance
3. Improvements in business processes
4. Competitive advantages
5. Productivity gains
6. System age and need for replacement

FC-01513 CSO: 1E2a LOS: 1E2c #83 © Becker Professional Education. All rights reserved.

Question
Define IT risk.

Answer
IT risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

FC-01515 CSO: 1E2a LOS: 1E2b #84 © Becker Professional Education. All rights reserved.

Question
What are the three categories of IT risk?

Answer
1. IT benefit/value enablement risk is related to missed opportunities to use technology to improve business processes.
2. IT program and project delivery risk is related to the contribution of IT to new or improved business solutions.
3. IT operations and service delivery risk is related to all aspects of the performance of IT systems and services.

FC-01516 CSO: 1E2a LOS: 1E2b #85 © Becker Professional Education. All rights reserved.

Question
What are the six steps in the IT risk assessment process?

Answer
1. Identify threats.
2. Evaluate the probability that the threat will occur.
3. Evaluate the exposure in terms of potential loss from each threat.
4. Identify the controls that could guard against the threats.
5. Evaluate the costs and benefits of implementing controls.
6. Implement controls that are determined to be cost-effective.

FC-01517 CSO: 1E2a LOS: 1E2b #86 © Becker Professional Education. All rights reserved.
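The six steps carried through on constructed data, as an added example that is not part of the original flashcards. Threat probabilities, exposures, control costs and the fraction by which each control cuts a threat's probability are invented for the illustration. The method is standard: annualized loss expectancy is probability times exposure, and a control is cost-effective when the loss it avoids exceeds what it costs. Because several controls can address the same threat, they are selected one at a time against the residual risk left by the controls already chosen.

```python
"""Six-step IT risk assessment on constructed figures.

Added example, not from the original flashcards. All numbers are
invented; the method (ALE = probability x exposure, implement a control
when avoided loss exceeds its cost) is the standard quantitative one.
"""

# Steps 1-3: threats with annual probability and exposure (single-loss amount).
THREATS = {
    "ransomware":        {"probability": 0.20, "exposure": 500_000},
    "insider_fraud":     {"probability": 0.05, "exposure": 200_000},
    "datacenter_outage": {"probability": 0.10, "exposure": 150_000},
}

# Step 4: candidate controls, annual cost, and the fraction by which each
# reduces the probability of the threats it addresses.
CONTROLS = {
    "offline_backups":    {"cost": 40_000,  "reduces": {"ransomware": 0.6, "datacenter_outage": 0.3}},
    "sod_review":         {"cost": 15_000,  "reduces": {"insider_fraud": 0.5}},
    "second_datacenter":  {"cost": 120_000, "reduces": {"datacenter_outage": 0.9}},
    "awareness_training": {"cost": 8_000,   "reduces": {"ransomware": 0.3}},
}


def annualized_loss(threats):
    """Step 3: annualized loss expectancy per threat."""
    return {name: t["probability"] * t["exposure"] for name, t in threats.items()}


def residual_ale(threats, selected):
    """ALE after the selected controls. Reductions on the same threat
    compound multiplicatively: two 50% controls leave 25%, not 0%."""
    result = {}
    for name, t in threats.items():
        prob = t["probability"]
        for c in selected:
            prob *= 1 - CONTROLS[c]["reduces"].get(name, 0)
        result[name] = prob * t["exposure"]
    return result


def net_benefit(threats, selected, candidate):
    """Step 5: loss avoided by adding `candidate` to `selected`, minus its cost."""
    before = sum(residual_ale(threats, selected).values())
    after = sum(residual_ale(threats, selected + [candidate]).values())
    return (before - after) - CONTROLS[candidate]["cost"]


def select_controls(threats, controls):
    """Step 6: repeatedly add the control with the largest positive net
    benefit, re-evaluated against the residual risk, until none pays."""
    selected = []
    remaining = list(controls)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(threats, selected, c))
        if net_benefit(threats, selected, best) <= 0:
            break
        selected.append(best)
        remaining.remove(best)
    return selected


if __name__ == "__main__":
    print("ALE by threat:", annualized_loss(THREATS))
    chosen = select_controls(THREATS, CONTROLS)
    print("implement:", chosen)
    print("residual ALE:", residual_ale(THREATS, chosen))
```

Note how awareness training is worth less once offline backups are in place, because both act on the same threat; evaluating each control against the original risk rather than the residual risk overstates the benefit of every overlapping control and is the most common error in this kind of analysis.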
