
PART 1, UNIT 5
1E. Internal Controls

Modules in this unit:
1. E.1. Governance, Risk, and Compliance: Part 1 (page 5–3)
2. E.1. Governance, Risk, and Compliance: Part 2
   E.2. System Controls and Security Measures (page 5–19)

5–2 © Becker Professional Education Corporation. All rights reserved.


MODULE 1
E.1. Governance, Risk, and Compliance: Part 1

This module covers the following content from the IMA Learning Outcome Statements.

CMA LOS Reference: Part 1—Section E.1. Governance, Risk, and Compliance: Part 1

The candidate should be able to:


d. identify the board of directors' responsibilities with respect to ensuring that the
company is operated in the best interest of shareholders
e. identify the hierarchy of corporate governance; i.e., articles of incorporation, bylaws,
policies, and procedures
f. demonstrate an understanding of corporate governance, including rights and
responsibilities of the CEO, the board of directors, the audit committee, managers, and
other stakeholders; and the procedures for making corporate decisions
n. define inherent risk, control risk, and detection risk
p. describe the major internal control provisions of the Sarbanes-Oxley Act (Sections 201,
203, 204, 302, 404, and 407)
q. identify the role of the PCAOB in providing guidance on the auditing of internal
controls
r. differentiate between a top-down (risk-based) approach and a bottom-up approach to
auditing internal controls
s. identify the PCAOB preferred approach to auditing internal controls as outlined in
Auditing Standard No. 5
t. identify and describe the major internal control provisions of the Foreign Corrupt
Practices Act
w. demonstrate an understanding of external auditor responsibilities, including the types
of audit opinions the external auditors issue


1 Corporate Governance

Corporate governance refers to the processes and mechanisms by which a company is directed
and controlled.

1.1 Hierarchy of Corporate Governance (LOS 1E1e)


The hierarchy of corporate governance includes articles of incorporation, bylaws, policies, and
procedures. The articles of incorporation are created first, then the bylaws, followed by the
policies and procedures. In terms of legal hierarchy, the articles of incorporation are the highest
because they are approved by the state (government). The bylaws are second highest in the
hierarchy because they are approved by owners of the company (shareholders). Policies and
procedures are the lowest because they are created and approved by the board of directors
and employees.

[Figure: hierarchy of corporate governance, from highest to lowest: Articles of Incorporation;
Bylaws; Policies and Procedures]

1.1.1 Articles of Incorporation


When a corporation is formed, articles of incorporation are filed in the state in which the
corporation is being incorporated. The articles of incorporation provide a basic structure for the
company. The articles of incorporation include:
- the name of the corporation;
- the names and address of the corporation's registered agent (i.e., the person on whom
  process may be served if the corporation is sued);
- the names and addresses of each of the incorporators; and
- the number of shares authorized to be issued.
The articles of incorporation are rarely amended unless there is a material change to the
corporation (e.g., change in control).

1.1.2 Bylaws
In addition to the articles of incorporation, a corporation generally will have bylaws containing
rules for running the corporation. Bylaws include more detailed information than the articles of
incorporation. For example, bylaws may set out the authority of the corporation's officers, how
meetings are conducted, how officers are elected, etc. Bylaws are adopted by the incorporators
or the board of directors and may be repealed or modified by the board of directors. They are
not part of the articles of incorporation and are not required to be filed with the state.


1.1.3 Policies and Procedures


Policies and procedures provide structure for the day-to-day operations of a corporation.
These include the high-level policies (e.g., authority delegated to management) and the detailed
procedures for running the business (e.g., procedures for a sales transaction).

1.2 Rights and Responsibilities Within a Corporation (LOS 1E1f)

Within a corporation, positions have different rights and responsibilities, including the board of
directors, the audit committee, officers, managers, and shareholders.

1.2.1 Board of Directors (LOS 1E1d)


The board of directors may include employees of the corporation, such as company officers, and
parties external to the entity, such as certain government agencies.
The board of directors' responsibilities include overseeing the obligations and strategic direction
of an entity, including accurate financial reporting and disclosure. Among the specific duties of the
board of directors are the election, removal, and supervision of officers (the board generally reviews
the conduct of officers and may remove an officer with or without cause); adoption, amendment,
and repeal of bylaws; declaring dividends; determining officer compensation; and initiating
fundamental changes to the corporation's structure. These corporate decisions are often made by a
vote of the board.
Board members are fiduciaries of the corporation and must act in the best interests of the
corporation. However, members of the board are not insurers of the corporation's success.
A board member will not be liable to the corporation for acts performed or decisions made
in good faith, in a manner the director believes to be in the best interest of the corporation,
and with the care an ordinarily prudent person in a like position would exercise. Thus, board
members will be liable to the corporation only for negligent acts or omissions (e.g., failure
to obtain fire insurance, hiring a convicted embezzler as treasurer without performing a
background check, etc.).

1.2.2 Audit Committee


The audit committee is a committee of the board of directors, generally made up of three to
five members of the board who are outside directors. Outside directors are individuals who are
neither employees nor part of management and who do not have a material financial interest in
the company. The external auditor reports directly to the audit committee.
Public corporations (also referred to as issuers, short for issuers of financial statements) are
responsible for establishing an audit committee that is directly responsible for the appointment
and compensation of the public accounting firm employed by the corporation. The audit committee
assures that the auditor is independent of the company, reviews the scope of the audit, ensures
that any recommendations made by the auditor are given proper attention, helps solve any
disagreements related to the accounting treatment of any material items in the financial statements,
and makes reports to the board of directors and the stockholders when necessary.
The audit committee typically serves as an intermediary between the internal and external auditors
and management. The audit committee also establishes procedures to accept reports of complaints
regarding audit, accounting, or internal control issues, including whistle-blower hot lines.


1.2.3 Officers
Officers are individual agents (and employees) of the corporation who ordinarily conduct its
day-to-day operation. Officers are selected by the board and may be removed by the board with or
without cause. They are not elected by the shareholders. Corporate officers, like the corporate
board of directors, are subject to fiduciary duties and must discharge their duties in good
faith and with the same care as an ordinarily prudent person in a similar position. Officers will
generally have apparent authority to enter into contracts and act on behalf of the corporation
in the ordinary course of business. Corporate decisions are often made by officers and then are
implemented down the corporate chain. This is often referred to as the top-down approach.
These decisions often relate to achieving goals that will help meet the strategic direction set
by officers.
Officers may vary, but most corporations have a chief executive officer (CEO) and a chief
financial officer (CFO). The CEO is the highest executive and reports directly to the board of
directors. The CEO often has the highest level of authority within a corporation. The CEO is
responsible for all corporate operations and performance, and sets the vision, mission, and
goals for the corporation. In addition, the CEO also determines the strategic direction for the
company and helps create the plan to achieve those goals. The CFO is responsible for the
financial operations of the company, including financial planning and analysis. Typically, the CFO
reports to the CEO.

1.2.4 Managers
Managers are hired by officers or other employees to help with the day-to-day operations.
Management is responsible for the design, implementation, and maintenance of internal
control. Management is also responsible for the preparation and fair presentation of the
financial statements. Management may be given autonomy by the officers to set policy and
procedures related to the day-to-day operations of the company.

1.2.5 Shareholders
Shareholders have the right to vote to elect or remove members of the board of directors. They
also have the right to vote on whether to approve fundamental changes to the corporation, such
as dissolution, and a right to inspect certain corporate records. Generally, shareholders do not
have a right to a distribution (including cash dividends and repurchases of shares) unless and
until it is declared by the board of directors.

2 Sarbanes-Oxley Act of 2002 (LOS 1E1p)

The Sarbanes-Oxley Act of 2002 (SOX) had a profound effect on corporate governance. The act
was created in the wake of fraud that was committed by Enron and WorldCom corporations and
which led to their collapse and the restatement of financial statements of a number of other
U.S. Securities and Exchange Commission (SEC) reporting companies, also as the result of fraud.
The provisions in SOX include the creation of the Public Company Accounting Oversight Board
(PCAOB), expanded disclosures by corporations and specific representations required by officers
of public companies, harsher penalties for fraudulent activities, significant internal control
provisions, and additional rules for external auditors.

2.1 Section 101—PCAOB


Section 101 of the Sarbanes-Oxley Act provides for a Public Company Accounting Oversight
Board composed of five members. Two members must be CPAs and three members cannot
be CPAs.


The board is subject to oversight by the SEC and has the duty to:
- register public accounting firms that prepare audit reports for issuers;
- establish rules relating to the preparation of audit reports for issuers; and
- conduct inspections, investigations, and disciplinary proceedings concerning registered
  public accounting firms.

2.2 Section 201—Prohibited Services


Section 201 describes the services a registered public accounting firm that performs SEC audits
may not provide to the audit client. These include:
- bookkeeping;
- financial information systems design and implementation;
- appraisal and valuation services;
- actuarial services;
- management functions or human resources services;
- internal audit outsourcing services;
- services as a broker, dealer, investment adviser, or investment banker;
- legal services; or
- expert services unrelated to the audit.
Tax services are permissible if preapproved by the audit committee.

2.3 Section 203—Audit Partner Rotation


Section 203 describes the requirement for rotation of the external auditor partner. Specifically,
the lead audit or coordinating partner and the reviewing partner must rotate off the audit
engagement every five years.
The goal of this section is to address the concern that long-term relationships between the audit
partner and the client may impair the objectivity of the partner. For example, the partner may
become too sympathetic to the client's interests if the partner has a long relationship with the
client. Therefore, the rotation of the audit partner should help the firm remain objective and
allow the partners to report on a company's activities without bias or conflict of interest.

2.4 Section 204—Registered Firms Must Report to Audit Committees


Section 204 requires public accounting firms registered with the PCAOB to report directly to the
audit committee. In addition, all auditing services and permitted non-audit services provided by
an auditor to an issuer should be preapproved by the audit committee of the issuer.
Registered firms must report the following to the audit committees of audited corporations:
- The critical accounting policies and practices to be used;
- Alternative accounting treatments discussed with the corporation's management, the
  ramifications of the alternatives, and the treatment the firm prefers; and
- Material written communications between the audit firm and management, including a
  schedule of unadjusted audit differences and any management letter.


2.5 Section 302—Corporate Responsibility for Financial Reports


Section 302 describes corporate officials' responsibility for certifying financial reports. Corporate
officials, typically the chief executive officer (CEO) and chief financial officer (CFO), must sign
certain representations regarding annual and quarterly reports, including their assertion that:
- They have reviewed the report.
- The report does not contain untrue statements or omit material information.
- The financial statements fairly present in all material respects the financial condition and
  results of operations of the issuer.
- The CEO and CFO signing the report have assumed responsibility for internal controls,
  including assertions that:
  - Internal controls have been designed to ensure that material information has been
    made available.
  - Internal controls have been evaluated for effectiveness as of a date within 90 days prior
    to the report.
  - Their report includes their conclusions as to the effectiveness of internal controls based
    on their evaluation.
- The CEO and CFO signing the report assert that they have made the following disclosures to
  the issuer's auditors and the audit committee:
  - All significant deficiencies and material weaknesses in the design or operation of
    internal controls that might adversely affect the financial statements.
  - Any fraud (regardless of materiality) that involves management or any other employee
    with a significant role in internal controls.
- The CEO and CFO signing the report must also represent whether there have been any
  significant changes to internal controls.

2.6 Section 404—Management Assessment of Internal Control (LOS 1E1q)


Section 404 describes the assessment of internal controls that must be performed and disclosed
by management. Each annual report is required to contain a report that includes the following:
- A statement that management is responsible for establishing and maintaining an adequate
  internal control structure and procedures for financial reporting.
- An assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness
  of the internal control structure and procedures for financial reporting.
The auditor must attest to management's assessment of internal control.

2.7 Section 407—Disclosure of Audit Committee Financial Expert


Section 407 describes the requirement that at least one member of the audit committee should be
a financial expert. Financial reports of the issuer must disclose the existence of a financial expert on
the committee or the reasons why the committee does not have a member who is a financial expert.
A financial expert qualifies through education; past experience as a public accountant; or past
experience as a principal financial officer, controller, or principal accounting officer for an issuer.
Knowledge of the financial expert should include:
- Understanding of GAAP
- Experience in the preparation or auditing of financial statements for comparable issuers
- Application of GAAP
- Experience with internal controls
- Understanding of audit committee functions

3 The Foreign Corrupt Practices Act (FCPA)

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 to prohibit U.S. individuals and
entities from paying bribes to advance an individual's or entity's business interests. Compliance
with the act requires following accounting transparency guidelines and placing internal controls
to ensure proper reporting and disclosure of assets.
Businesses subject to the FCPA include corporations, partnerships, limited partnerships,
business trusts, and unincorporated organizations. Penalties for violations of the act include up
to five years in prison, up to $100,000 in fines, or both. Enforcement of the act is shared by the
U.S. Department of Justice and a special unit within the SEC.

3.1 Internal Control Elements of the FCPA (LOS 1E1t)

Issuers (companies trading on a U.S. stock exchange, "issuers" of audited financial statements)
must comply with specific accounting and control provisions under the FCPA. These include:
- Making and keeping detailed accounting records to reflect transactions of the issuer
  accurately and fairly; and
- Devising and maintaining a system of internal accounting controls sufficient to provide
  reasonable assurance that:
  - transactions are properly authorized by management;
  - transactions are recorded to allow the preparation of financial statements and maintain
    accountability for assets;
  - access to assets is properly authorized by management; and
  - review and reconciliation of assets are regularly performed.

4 The External Audit (LOS 1E1w)

An external auditor is hired to provide financial statement users with an opinion on whether
the financial statements are presented fairly, in all material respects, in accordance with the
applicable financial reporting framework.


Pass Key

The applicable financial reporting framework is the financial reporting framework that is
acceptable in view of the nature of the entity and the objective of the financial statements,
or that is required by law or regulation. Acceptable financial reporting frameworks include
general purpose frameworks designed to meet the needs of a wide range of users (e.g.,
U.S. Generally Accepted Accounting Principles [GAAP] and International Financial Reporting
Standards [IFRSs]), and special purpose frameworks.

The auditor's report gives credibility to the financial statements. The auditors, as a group
independent of management, have an objective view and can report on a company's activities
without bias or conflict of interest. Without a report from an independent auditor, a company's
financial statements would be meaningless, because the public would have little faith in financial
statements issued by the inherently biased company.
The financial statements of an enterprise are prepared by the management of the enterprise,
not by the independent auditor. Further, the financial statements are the product and property
of the enterprise; the independent auditor merely audits and expresses an opinion on the
financial statements and their accompanying notes.

4.1 External Auditor Responsibilities


In an audit, an auditor provides reasonable assurance about whether the financial statements
are free from material misstatement, whether due to error or fraud, and expresses an opinion
on the financial statements based on the audit. The auditor is also responsible for:
- maintaining professional skepticism;
- complying with relevant ethical requirements;
- exercising professional judgment throughout the planning and performance of the audit;
- obtaining sufficient appropriate audit evidence;
- communicating with management and those charged with governance; and
- complying with generally accepted auditing standards (GAAS), which includes proper
  supervision of the audit team and documenting results.

4.2 Reasonable Assurance


Reasonable assurance is a high, but not absolute, level of assurance. The auditor is unable to
obtain absolute assurance that the financial statements are free from material misstatements
because of inherent limitations in the audit process. Inherent limitations include the nature
of financial reporting (e.g., financial statements include estimates made by management),
the nature of the audit procedures (e.g., complete information may not be provided by
management), and timeliness of financial reporting (e.g., the auditor must complete the audit
within a reasonable period of time).

4.3 Phases of the External Audit


An audit includes several phases:
- Engagement acceptance
- Assess risk and plan response
- Perform procedures and obtain evidence
- Form conclusions
- Communication and reporting

4.4 Engagement Acceptance


The first phase of the audit is engagement acceptance. In this phase, the external auditor is
selected by those charged with governance (e.g., for issuers, the audit committee of the client's
board of directors). As part of the engagement acceptance, the auditor should agree to the
terms of the engagement with management or those charged with governance, as appropriate.
The agreement should be documented in an engagement letter or other suitable form of
written agreement.

4.5 Assess Risk and Plan Response


During the assess-and-plan phase, the auditor plans the audit. This includes determining the
materiality and performing risk assessment procedures related to understanding the entity and
its environment, including internal control, identifying risk, and responding to the risk.

4.5.1 Audit Risk (LOS 1E1n)

Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the auditor's
opinion on financial statements that are materially misstated. Audit risk should be reduced to an
appropriately low level before an opinion on the financial statements is expressed.
Audit risk is composed of:
- Inherent Risk: Risk inherent in certain accounts or transactions.
- Control Risk: Risk that an error will not be prevented or detected (and corrected) by the
  internal control system in a timely manner.
- Detection Risk: Risk that an auditor will conclude that a material error does not exist when,
  in fact, one does.

4.5.2 Understanding the Entity's Internal Control


As part of obtaining an understanding of the entity, the auditor should obtain an understanding
of the entity's internal control. This understanding of the five components of internal control
(control environment, risk assessment, control activities, information and communication,
and monitoring activities) should be sufficient to allow the auditor to evaluate the design and
implementation of relevant controls; assess the risks of material misstatement; and design the
nature, extent, and timing of further audit procedures.

4.6 Perform Procedures and Obtain Evidence


Audit evidence is obtained throughout the audit and includes all the information the auditor
uses to arrive at conclusions on which the audit opinion is based. Audit evidence is gathered
through the audit when performing:
- Risk assessment procedures
- Tests of controls
- Substantive procedures
- Other audit procedures


4.6.1 Management Representation Letter


At the conclusion of the audit, the independent auditor must obtain a management
representation letter from the client. The auditor prepares the text of the representation letter,
which is then printed on client letterhead and signed by the client. This is the last piece of
evidence obtained in an audit and should address all financial statements and periods covered
by the report, even if current management was not present during all such periods.
External auditors require management to prepare a representation letter because it
confirms oral and written representations made by management, indicates and documents
the continuing appropriateness of those representations, and reduces the possibility of
misunderstanding concerning matters that are the subject of the representations.

4.7 Form Conclusions


At the end of fieldwork, the auditor should form conclusions based on the procedures
performed and evidence obtained. The auditor's evaluation of audit results should include
evaluation of the following:
- The results of tests performed during the overall review of the financial statements.
- Misstatements found during the audit, including uncorrected misstatements.
- The qualitative aspects of the company's accounting practice.
- Conditions identified during the audit that relate to fraud risk.
- The presentation of the financial statements, including disclosures.
- The sufficiency and appropriateness of the audit evidence obtained.

4.8 Communication and Reporting


The final stage of the audit is reporting. In the reporting stage, the auditor issues an opinion on
the financial statements.

4.8.1 Communication
The auditor should communicate with management and those charged with governance
throughout the audit. There are certain required communications, which include matters
related to the auditor's responsibility, planned scope and timing of the audit engagement, and
significant audit findings.
An auditor should follow certain procedures when errors or irregularities (fraud) are suspected.
Generally, the error or irregularity should be discussed with an appropriate level of management
at least one level above those involved.

4.8.2 Audit Opinions


In order to form an opinion on the financial statements, the auditor should take into account
the following:
1. Whether sufficient appropriate audit evidence was obtained (as required by generally
accepted auditing standards, or GAAS); and
2. Whether the financial statements are prepared, in all material respects, in accordance with
the requirements of the applicable financial reporting framework (e.g., generally accepted
accounting principles, or GAAP).


Financial statements generally mean a complete set of general-purpose financial statements,
including the related notes. The applicable financial reporting framework determines the form
and content of a complete set of financial statements. For example, under U.S. GAAP, a complete
set of financial statements includes a balance sheet, a statement of income (or comprehensive
income), a statement of changes in equity, a cash flow statement, and related notes.

[Figure: Forming an Audit Opinion. The matrix plots the type of issue (financial statement issue
or audit issue) against the materiality of the issue:
- Financial statements materially correct (none or immaterial): Unmodified (Unqualified)
- Financial statement issue, material but not pervasive: Qualified
- Financial statement issue, material and pervasive: Adverse
- Audit issue, material but not pervasive: Qualified
- Audit issue, material and pervasive: Disclaimer]

4.8.3 Unmodified (Unqualified) Opinion


An unmodified (unqualified) opinion states that the financial statements present fairly, in all
material respects, the financial position, results of operations, and cash flows of the entity in
conformity with the applicable financial reporting framework. Note that unmodified is the term
used for nonissuers and unqualified is the term used for issuers. Issuers, short for "issuers of
financial statements," are public corporations that trade stock on a public exchange and file with
the Securities and Exchange Commission. Nonissuers are privately held corporations, whose
stock does not trade on a public stock exchange.
In certain circumstances, the auditor may determine that it is necessary to add additional
communications to the auditor's report without modifying the auditor's opinion. This is done
using emphasis-of-matter, other-matter, and explanatory paragraphs. Nonissuers use the terms
emphasis‑of‑matter and other‑matter, and issuers use the term explanatory.

4.8.4 Modifications to the Auditor's Opinion
The auditor's report should be modified when the auditor concludes that the financial
statements as a whole are materially misstated (financial statement issue), or the auditor is
unable to obtain sufficient appropriate audit evidence to conclude that the financial statements
as a whole are free from material misstatement (audit issue).
There are three types of modified opinions: The qualified opinion, the adverse opinion, and the
disclaimer of opinion.


- Qualified Opinion: A qualified opinion states that except for the effects of the matter(s)
  to which the qualification relates, the financial statements present fairly, in all material
  respects, the financial position, results of operations, and cash flows of the entity in
  conformity with the applicable financial reporting framework.
- Adverse Opinion: An adverse opinion states that the financial statements do not present
  fairly the financial position, results of operations, or cash flows of the entity in conformity
  with the applicable financial reporting framework.
- Disclaimer of Opinion: A disclaimer of opinion states that the auditor does not express an
  opinion on the financial statements.

4.8.5 Brief Summary of When to Use Different Opinions


The chart below summarizes when to use different opinions.

Materiality of Problem     | Financial Statements Are Materially Misstated (Financial Statement Issues) | Inability to Obtain Sufficient Appropriate Audit Evidence (Audit Issues)
None or immaterial         | Unmodified (unqualified) | Unmodified (unqualified)
Material but not pervasive | Qualified opinion        | Qualified opinion
Material and pervasive     | Adverse opinion          | Disclaimer of opinion

Pervasive effects on the financial statements are those which, in the auditor's professional
judgment:
- are not confined to specific elements, accounts, or items of the financial statements;
- if so confined, represent a substantial proportion of the financial statements; or
- are disclosures fundamental to the users' understanding of the financial statements.

4.8.6 Emphasis-of-Matter, Other-Matter, and Explanatory Paragraphs


An emphasis-of-matter paragraph (used for nonissuer or privately held companies),
other-matter paragraph (nonissuer), or explanatory paragraph (issuer) is included in the auditor's
report when required by standards or at the auditor's discretion.
- Emphasis-of-Matter Paragraph (nonissuer): An emphasis-of-matter paragraph is used
  when referring to a matter that is appropriately presented or disclosed in the financial
  statements and is of such importance that it is fundamental to the users' understanding of
  the financial statements. The inclusion of an emphasis-of-matter paragraph in the auditor's
  report does not affect the auditor's opinion.
- Other-Matter Paragraph (nonissuer): An other-matter paragraph is included in the
  auditor's report when required by GAAS or at the auditor's discretion. Other-matter
  paragraphs refer to matters other than those presented or disclosed in the financial
  statements that are relevant to the users' understanding of the audit, the auditor's
  responsibilities, or the auditor's report.
- Explanatory Paragraph (issuer): An explanatory paragraph is included in the auditor's
  report when required by PCAOB auditing standards or at the auditor's discretion.
  The inclusion of an explanatory paragraph in the auditor's report does not affect the
  auditor's opinion.


Below is a summary of the different circumstances that require an emphasis-of-matter, other-matter, or explanatory paragraph:

Client Nonissuer Issuer


Paragraph Type Emphasis-of-Matter Other Matter Explanatory

Going concern
 
Material justified change in accounting principle  
Material misstatement in prior financial statements is corrected
Special purpose framework  *
Change in audit opinion  Or:  
Restrict use of report  
Prior financial statements audited by prior auditor and prior auditor's report is not presented
Comparative financial statements where the current year is audited and prior period is not audited *
Material inconsistency in other information  *
Report on supplementary information within auditor's report *
Refer to required supplementary information  *
Report on compliance included in auditor's report  *
*Although PCAOB guidelines do not specify the location for the explanatory paragraph for these circumstances, the explanatory paragraph generally is placed after the opinion paragraph.

5 Integrated Audit LOS 1E1r

Issuers are required to have an integrated audit. In an integrated audit, two audits are
simultaneously performed, and two opinions are rendered on (1) the fairness of the financial
statements and (2) the operating effectiveness of internal controls. Nonissuers are not required
to have an integrated audit but may choose to have an integrated audit performed.
There are two approaches to auditing the operating effectiveness of internal controls: the top-down (risk-based) approach and the bottom-up approach.

5.1 Top-Down Approach (Risk-Based Approach)


A top-down approach should be used in selecting controls to test. The auditor evaluates
overall risks at the financial statement level, considers controls at the entity level, and then
focuses on accounts, disclosures, and assertions for which there is a reasonable possibility of
material misstatement.


5.1.1 Entity-Level Controls


The auditor should identify and test entity-level controls that are important to the auditor's
overall opinion about internal control. Entity-level controls include controls related to:
The control environment
Management override
The company's risk assessment process
Centralized processing
Monitoring the results of operations
Monitoring other controls
Period-end financial reporting
Policies that address significant business control and risk management practices
The auditor's evaluation of entity-level controls can result in increasing or decreasing the testing
that the auditor otherwise would have performed on other controls. Entity-level controls that are
working effectively may allow the auditor to reduce the testing of lower-level controls, or might
affect the nature, extent, or timing of the auditor's tests of lower-level controls.

5.2 Bottom-Up Approach


Prior to Sarbanes-Oxley, the bottom-up approach was used by many companies. This approach treats all controls equally regardless of the underlying risk, so the entity applies the same level of examination to every internal control process. This often resulted in more time and effort being spent on controls over routine transactions that pose little or no risk of material misstatement of the financial statements, rather than on the high-risk controls and entity-level controls where the risk of material misstatement is greatest.

LOS 1E1s 5.3 Preferred Approach: Top-Down


Although the bottom-up approach is a method of internal control testing, PCAOB Auditing
Standards and AICPA Statements on Auditing Standards require the auditor to use a top-down
approach in auditing internal control. The top-down approach has the following advantages over
the bottom-up approach:
Results in a more detailed examination of the internal controls whose failure is most likely to result in a material misstatement
More effective at controlling risks
More efficient testing of controls, because low-risk controls receive less attention


Question 1 MCQ-12416

Which of the following most likely represents a responsibility of the external auditor?
a. Provide absolute assurance on the fairness of the financial statements.
b. Comply with generally accepted auditing standards, which includes authorizing
transactions on behalf of the client.
c. Issue an opinion on the fairness of the financial statements.
d. Design, implement, and maintain internal control relevant to the preparation and
fair presentation of financial statements.

Question 2 MCQ-12417

Which opinion would an auditor most likely render if the financial statements are materially
and pervasively misstated due to a company departing from the applicable financial
reporting framework?
a. Unmodified
b. Qualified
c. Disclaimer
d. Adverse

Question 3 MCQ-12418

Which of the following responsibilities is least likely to be a responsibility for the board
of directors?
a. Declaring dividends.
b. Determining the policies and procedures related to the day-to-day operations of
the company.
c. Initiating fundamental changes to the corporation's structure.
d. Electing officers.



MODULE 2
PART 1 UNIT 5

E.1. Governance, Risk, and Compliance: Part 2
E.2. System Controls and Security Measures

This module covers the following content from the IMA Learning Outcome Statements.

CMA LOS Reference: Part 1—Section E.1. Governance, Risk, and Compliance: Part 2

The candidate should be able to:


a. demonstrate an understanding of internal control risk and the management of internal
control risk
b. identify and describe internal control objectives
c. explain how a company's organizational structure, policies, objectives, and goals, as
well as its management philosophy and style, influence the scope and effectiveness of
the control environment
g. describe how internal controls are designed to provide reasonable (but not absolute)
assurance regarding achievement of an entity's objectives involving (i) effectiveness
and efficiency of operations, (ii) reliability of financial reporting, and (iii) compliance
with applicable laws and regulations
h. explain why personnel policies and procedures are integral to an efficient control
environment
i. define and give examples of segregation of duties
j. explain why the following four types of functional responsibilities should be performed
by different departments or different people within the same function: (i) authority
to execute transactions, (ii) recording transactions, (iii) custody of assets involved in
the transactions, and (iv) periodic reconciliations of the existing assets to recorded
amounts
k. demonstrate an understanding of the importance of independent checks and
verification
l. identify examples of safeguarding controls
m. explain how the use of prenumbered forms, as well as specific policies and procedures
detailing who is authorized to receive specific documents, is a means of control
o. define and distinguish between preventive controls and detective controls
u. identify and describe the five major components of COSO's Internal Control—Integrated
Framework (2013)
v. assess the level of internal control risk within an organization and recommend risk
mitigation strategies


CMA LOS Reference: Part 1—Section E.2. System Controls and Security Measures

The candidate should be able to:


a. describe how the segregation of accounting duties can enhance systems security
b. identify threats to information systems, including input manipulation, program
alteration, direct file alteration, data theft, sabotage, viruses, Trojan horses, theft,
and phishing
c. demonstrate an understanding of how systems development controls are used to
enhance the accuracy, validity, safety, security, and adaptability of systems input,
processing, output, and storage function
d. identify procedures to limit access to physical hardware
e. identify means by which management can protect programs and databases from
unauthorized use
f. identify input controls, processing controls, and output controls and describe why each
of these controls is necessary
g. identify and describe the types of storage controls and demonstrate an understanding
of when and why they are used
h. identify and describe the inherent risks of using the Internet as compared to data
transmissions over secured transmission lines
i. define data encryption and describe why there is a much greater need for data
encryption methods when using the Internet
j. identify a firewall and its uses
k. demonstrate an understanding of how flowcharts of activities are used to assess controls
l. explain the importance of backing up all program and data files regularly, and storing
the backups at a secure remote site
m. define business continuity planning
n. define the objective of a disaster recovery plan and identify the components of such a
plan including hot, warm, and cold sites

LOS 1E1u 1 COSO Internal Control Framework

The Committee of Sponsoring Organizations (COSO), an independent private sector initiative, was initially established in the mid-1980s to study the factors that lead to fraudulent financial reporting. The private "sponsoring organizations" include the five major financial professional associations in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).
In 1992, COSO issued Internal Control—Integrated Framework ("the framework") to assist
organizations in developing comprehensive assessments of internal control effectiveness.

Material from Internal Control—Integrated Framework, © 2013 Committee of Sponsoring Organizations of the Treadway
Commission (COSO). Used with permission.


In 2013, the framework received an update to deal with changes in technology, business models,
globalization, outsourcing, and regulatory environment. One significant enhancement to the
2013 update was the formalization of fundamental concepts that were part of the original 1992
framework. Specifically, these fundamental concepts have evolved into 17 principles that have
been categorized within the five major internal control components. COSO's framework is widely
regarded as an appropriate and comprehensive basis to document the assessment of internal
controls over financial reporting.
The framework is used by company management and its board of directors to obtain an initial
understanding of what constitutes an effective system of internal control and to provide insight
as to when internal controls are being properly applied within the organization. The framework
also provides confidence to external stakeholders that an organization has a system of internal
control in place that is conducive to achieving its objectives.

Pass Key

An effective system of internal control requires more than adherence to policies and
procedures by management, the board of directors, and the internal auditors. It requires
the use of judgment in determining the sufficiency of controls, in applying the proper
controls, and in assessing the effectiveness of the system of internal controls. The
principles-based approach of the framework supports the emphasis on the importance of
management judgment.

1.1 Definition of Internal Control


Internal control is a process that is designed and implemented by an organization's
management, board of directors, and other employees to provide reasonable assurance that the
organization will achieve its operating, reporting, and compliance objectives.

1.2 Application to Management and Board


The framework assists an entity's management and board of directors in the following areas:
Effectively applying internal control within the overall organization, on a divisional
(operating) unit level or at a functional level.
Determining the requirements of an effective system of internal control by ascertaining
whether the components and principles exist and are functioning properly.
Allowing judgment and flexibility in the design and implementation of the system of internal
control within all operational and functional areas of the organization.
Identifying and analyzing risks and then developing acceptable actions to mitigate or
minimize these risks to an acceptable level.
Eliminating redundant, ineffective, or inefficient controls.
Extending internal control application beyond an organization's financial reporting.


1.3 Application to Stakeholders


The framework also provides value to external stakeholders and other parties that interact with
the organization by providing:
Greater understanding of what constitutes an effective system of internal controls.
Greater confidence that management will be able to eliminate ineffective, redundant, or
inefficient controls.
Greater confidence that the board has effective oversight of the organization's
internal controls.
Improved confidence that the organization will achieve its stated objectives and will be
capable of identifying, analyzing, and responding to risks affecting the organization.

1.4 COSO Cube


The 2013 framework continues to use a cube to depict the relationship between an entity's
objectives, integrated internal control components, and organizational structure.
The three categories of objectives (operations, reporting, and compliance) are shown as columns
on the cube, and the five internal control components (control environment, risk assessment,
control activities, information and communication, and monitoring activities) are depicted as
rows. Additionally, the entity's organizational structure (entity level, division, operating unit, and
function) is shown on the cube as a third dimension.

[Figure: the COSO cube. Columns (objectives): Operations, Reporting, Compliance. Rows (components): Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities. Depth (organizational structure): Entity Level, Division, Operating Unit, Function.]

Internal Control—Integrated Framework, © 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO). Used with permission.

LOS 1E1b 1.5 Framework Objectives


There are three categories of objectives within the framework.
1. Operations Objectives
Operations objectives relate to the effectiveness and efficiency of an entity's operations.
This category includes financial and operational performance goals as well as ensuring that
the assets of the organization are adequately safeguarded against potential losses.


2. Reporting Objectives
Reporting objectives pertain to the reliability, timeliness, and transparency of an entity's
external and internal financial and nonfinancial reporting as established by regulators,
accounting standard setters, or the firm's internal policies.
3. Compliance Objectives
Compliance objectives are established to ensure the entity is adhering to all applicable laws
and regulations.

1.6 Components of Internal Control (CRIME)


The updated framework retained the original five integrated components of internal control,
including the control environment, risk assessment, information and communication,
monitoring activities, and (existing) control activities. These components and the 17 related
fundamental principles are needed to achieve the three objectives of internal control.
Each of the 17 principles is intended to be suitable to all entities and is presumed to be relevant.
However, management may determine that a principle is not relevant to a component.
In addition, the framework introduces 81 points of focus. Some points of focus may not be
suitable or relevant, and others may be identified. They are intended to facilitate designing,
implementing, and conducting internal control by providing examples. They are not intended to
be used as a checklist, and there is no requirement to separately assess whether points of focus
are in place.

Pass Key

The COSO framework does not prescribe which controls an entity should implement
for effective internal control. Instead, an organization's selection of controls requires
management's judgment based on factors unique to the entity.

Illustration 1 Components of Internal Control (CRIME)

[Diagram: (1) Control Environment as the foundation, supporting (2) Risk Assessment by Management, (3) Information and Communication Systems, (4) Monitoring, and (5) Existing Control Activities.]


Pass Key

Remember that it would be a CRIME if you forgot the five components of internal control:
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• (Existing) Control Activities

1.6.1 Control Environment LOS 1E1c, LOS 1E1h

The control environment includes the processes, structures, and standards that provide the foundation for an entity to establish a system of internal control. The importance of internal control and the expected standards of conduct are established through the "tone at the top" set by the entity's senior management and board of directors. The five principles related to the control environment are:
Commitment to Ethics and Integrity: There is a commitment to ethical values and overall
integrity throughout the organization. Points of focus include setting the tone at the top,
establishing standards of conduct, evaluating adherence to standards of conduct, and
addressing deviations in a timely manner.
Board Independence and Oversight: The board is independent from management and
oversees the development and performance of internal control. Points of focus include
establishing oversight responsibilities and providing oversight for the system of internal control.
Organizational Structure: Management establishes an organizational structure. Points
of focus include establishing reporting lines, as well as defining, assigning, and limiting
authorities and responsibilities that are appropriate to the organization's objectives.
Commitment to Competence: Personnel policies and procedures are established to
ensure that there is a commitment to hire, develop, and retain competent employees. Other
points of focus include evaluating competence and addressing shortcomings in addition to
succession planning.
Accountability: Individuals are held accountable for their internal control responsibilities.
Points of focus include establishing performance measures, incentives, and rewards, and
evaluating those for ongoing relevance while considering excessive pressures.

1.6.2 Risk Assessment


Risk assessment is an entity's identification and analysis of risks to the achievement of its
objectives. The four principles related to risk assessment are:
Specify Objectives: The organization creates objectives that allow for identification and
assessment of the risks related to those objectives. Points of focus include identifying
objectives that reflect management's choices while complying with applicable accounting
standards, laws, and regulations.
Identify and Analyze Risks: The organization identifies risks across the entity and analyzes
risks in order to determine how the risks should be managed. Points of focus include analyzing
internal and external factors, involving appropriate levels of management, and determining how
to respond to risks.


Consider Potential for Fraud: The organization considers the potential for fraud in
assessing risks. Points of focus include assessing incentives and pressures, opportunities
and attitudes, and rationalizations.
Identify and Assess Changes: The organization identifies and assesses changes that could
significantly affect the system of internal control. Points of focus include assessing changes
in the external environment, business model, and leadership.

1.6.3 Information and Communication


Information and communication systems support the identification, capture, and exchange of information in a timely and useful manner. The three principles related to information and communication are:
Obtain and Use Information: The organization obtains or generates and uses relevant,
high-quality information to support the functioning of internal control. Points of focus
include management identifying and defining information requirements within the internal
control component level.
Internally Communicate Information: The organization internally communicates
information necessary to support the functioning of internal controls, including relevant
objectives and responsibilities. Points of focus include the flow of information up, down, and
across the organization using a variety of methods and channels.
Communicate With External Parties: The organization communicates with external
parties regarding matters that affect the functioning of internal control. Points of focus
include management having open, two-way external communication channels using a
variety of methods and channels.

1.6.4 Monitoring Activities


Monitoring is the process of assessing the quality of internal control performance over time
by assessing the design and operation of controls on a timely basis and taking the necessary
corrective actions. The two principles related to monitoring activities are:
Ongoing and/or Separate Evaluations: The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain whether the components of internal
control are present and functioning. One point of focus is to consider establishing baseline
understandings.
Communication of Deficiencies: The organization evaluates and communicates internal
control deficiencies in a timely manner to parties responsible for taking corrective action.
One point of focus is monitoring corrective actions.

1.6.5 (Existing) Control Activities


Control activities are the actions established through an entity's policies and procedures that help ensure management's directives to mitigate risks are actually carried out.
Control activities may be detective or preventive in nature and may include automated and
manual activities (e.g., approvals, reconciliations, verifications). Segregation of duties is usually
part of the control activities developed by an organization, and when not practical, management
should develop alternative controls. The three principles related to control activities are:

1. Select and Develop Control Activities: The organization selects and develops control
activities that contribute to the mitigation of risks to acceptable levels. Points of focus
include integrating with risk assessment when selecting activities and considering
entity‑specific factors.


2. Select and Develop Technology Controls: The organization selects and develops general
control activities over technology to support the achievement of objectives. Points of focus
include determining dependencies between the use of technology in business processes
and establishing relevant technology infrastructure control activities.
3. Deployment of Policies and Procedures: The organization deploys control activities
through policies that establish what is expected and procedures that put policies into action.
Points of focus include establishing responsibility and accountability for executing policies
and procedures and taking corrective action.

Pass Key

The candidate should be familiar with the five components of internal control (in bold) and
each of the 17 principles within the components. (CRIME)
Control Environment
Commitment to ethical values and integrity
Board independence and oversight
Organizational structure
Commitment to competence
Accountability
Risk Assessment
Specify objectives
Identify and analyze risks
Consider the potential for fraud
Identify and assess changes
Information and Communication
Obtain and use information
Internally communicate information
Communicate with external parties
Monitoring Activities
Ongoing and/or separate evaluations
Communication of deficiencies
(Existing) Control Activities
Select and develop control activities
Select and develop technology controls
Deploy through policies and procedures


Illustration 2 COSO Application

• Risk: Management is unaware of risks that could affect the company.
  — Component: Risk assessment.
  — Principle: The company identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed.
  — Control Activity: Periodic risk assessments are reviewed by management, including internal audit assessments.
• Risk: Employees act in an unethical or unlawful manner.
  — Component: Control environment.
  — Principle: The company demonstrates a commitment to integrity and ethical values.
  — Control Activity: A code of conduct or ethics policy exists and includes provisions about conflicts of interest, related party transactions, illegal acts, and the monitoring of the code by management, the audit committee, and board of directors.

2 Internal Control Risk LOS 1E1a, LOS 1E1g, LOS 1E1v

Internal control risk is the risk that the internal control policies and procedures established by an organization will not be sufficient to support the achievement of its operating, reporting, or compliance objectives.

2.1 Inherent Limitations of Internal Control


A well-designed system of internal control provides only reasonable (not absolute) assurance
regarding the achievement of objectives due to the following three inherent limitations of
internal control:
1. Management override of internal control
2. Human error, which may include errors in the design or use of automated controls
3. Deliberate circumvention of controls by collusion of two or more people

2.2 Risk Assessment and Mitigation


Management should assess the entity's internal control risk and determine the extent to which
resources (time, labor, and dollars) will be allocated to reducing the level of risk to an acceptable
level. Generally, the level of internal control risk is too high if there are no internal controls
relative to an objective or if established internal controls are not operating effectively. Risk
mitigation strategies include establishing new internal controls, replacing ineffective internal
controls, or establishing compensating controls. A compensating control is an alternative control put in place when the control that would normally address the risk is too difficult or impractical to implement; it should reduce the same risk, even if by a different mechanism.

2.3 Internal Control Assessment Tools


Management has several tools to document and assess the adequacy of the system of
internal controls. The three primary tools are flowcharts, written narratives, and other internal
control documentation.


LOS 1E2k 2.3.1 Flowcharts


A flowchart is a symbolic diagram representing the sequential flow of authority, processes,
and documents. It can be an essential aid in understanding and evaluating internal control. A
flowchart may be combined with any of the tools listed above to help management understand
and analyze risk. IT flowcharts are used as documentation tools in programming and are useful
to evaluate internal control in an automated accounting environment.
System Flowcharts: An adequate flowchart shows the origin of each document in the
system, its subsequent processing, and its final disposition. Flowcharts are useful in
evaluating internal control because they document the steps in a process and the practices
in use. The use of standard symbols makes flowcharts easy to understand.
Program Flowcharts: IT flowcharts are initially created to document the logic and existing
flow of a computer program. These flowcharts are used to evaluate both the flow of the
program and the internal controls related to the IT function in general.
Flowchart organization should:
• Show the general flow of documents and data.
• Start at the top of the page and move from top to bottom and from left to right.
• Use descriptive wording familiar to the reader.
• Avoid intersecting flow lines by using off-page/on-page connectors.

Illustration 3 Flowcharting Symbols


2.3.2 Written Narratives


A written narrative is a prose description of the system of internal control, covering the same flow of authority, processes, and documents that a flowchart depicts graphically. Flowcharts are more appropriate for documenting complex control structures; written narratives are more appropriate for less complex structures.

2.3.3 Other Internal Control Documentation


Other types of internal control documentation include manuals documenting an entity's
accounting system and related controls, manuals documenting an entity's operating systems
(such as inventory control and manufacturing processes) and related controls, and an entity's
organizational charts outlining designated lines of authority and responsibility.

3 Internal Control Policies and Procedures

Internal control policies and procedures are checks and balances implemented by management
to protect a company from threats to the achievement of its operating, financial reporting, and
compliance objectives.

3.1 Internal Control Categories


Internal controls can function as preventive controls, detective controls, safeguarding controls,
and/or physical controls.

3.1.1 Preventive Controls LOS 1E1o

Preventive controls are proactive measures implemented prior to an action, event, or
transaction in order to prevent errors or fraud when those actions, events, or transactions occur.
Preventive controls are generally the most effective. Strong preventive controls keep invalid
transactions from being processed and assets from being misappropriated. Each business
should tailor these preventive controls to its specific operational and industry needs.
Preventive controls over financial reporting are designed to provide reasonable assurance that
only valid transactions are recognized, approved, and submitted for processing. Most preventive
controls are applied before the processing activity occurs.
Examples of preventive controls include the following:
Employee screening and periodic fraud policy training
Segregation of duties
Access control using passwords and multifactor authentication
Physical controls over company assets and logging of their use

3.1.2 Detective Controls


Detective controls are designed to provide reasonable assurance that errors or irregularities
are discovered and corrected on a timely basis. Detective controls over financial reporting are
normally performed after the record-keeping processing for a transaction has been completed.
Examples of detective controls include the following:
Reviewing financial performance such as budget to actual data
Conducting a physical inventory count
Performing a reconciliation of accounts such as fixed assets and cash


LOS 1E1l 3.1.3 Safeguarding Controls


Safeguarding controls limit access to authorized personnel only. This access includes both direct
(physical) access to assets and indirect access, such as the authority to acquire, use, or
dispose of assets.
Examples of safeguarding controls for cash and related accounts include the following:
Lockbox system for collecting cash receipts from customers
Direct deposit of pay in lieu of the distribution of physical paychecks or cash to employees
Write-offs of uncollectible accounts only by the credit department manager

LOS 1E2d 3.1.4 Physical Controls


Physical controls for safeguarding assets involve security devices and limited access to programs
and restricted areas, including computer facilities. Physical controls include:
Physical segregation and security of assets, protective devices, and bonded or independent
custodians (e.g., banks, safe deposit boxes, lock boxes, and independent warehouses).
Authorized access to assets and records (such as through the use of computer access codes,
prenumbered forms, and required signatures on documents for the removal or disposition
of assets).
Periodic counting and comparison of actual assets with amounts shown in accounting
records (e.g., physical counts and inspections of assets, reconciliations, and user review of
computer-generated reports).

3.2 Key Control Activities


Control activities are the policies and procedures that help ensure that management directives
are carried out and that necessary steps to address risks are taken. Key control activities include
segregation of duties, independent checks and verification, and the use of prenumbered forms.

LOS 1E1i 3.2.1 Segregation of Duties
LOS 1E1j

Segregation of duties involves ensuring that individuals do not perform incompatible duties.
Duties should be segregated such that the work of one individual provides a cross-check on
the work of another individual. Generally, assigning different people the responsibilities of
authorizing transactions, recording transactions, and maintaining custody of the related assets
reduces the opportunities for any individual to both perpetrate and conceal errors or fraud in
the normal course of duties. It is much less likely that two employees would collude to commit
fraud than would a single employee.

Illustration 4 Segregation of Duties for Internal Control

One employee has sole responsibility for depositing all checks received by an organization.
The employee records, issues, and mails all paper checks as well as reconciles the monthly
bank account statement and updates the accounts payable and accounts receivable
ledgers. The employee has custody of the checks received, and completes the record
keeping for all checks received from customers and mailed out to vendors. This employee
performs the only review over the receipt and payment of funds, the bank reconciliation.
In this scenario, the employee could easily steal from the company in several ways, such
as through cash skimming schemes, using company assets for personal use, or other
records-falsification techniques that would conceal theft.


The following four categories should be segregated:


Authorization: The process of reviewing and approving transactions.
Record Keeping: The process of creating and maintaining the books and records related to
revenues, expenditures, inventory, and personnel transactions.
Custody of Assets: Access to or control over cash, checks, and physical assets.
Reconciliation: The process of verifying the transactions processed in the record-keeping
function. Reconciliation ensures that transactions are valid, properly authorized, and
properly recorded.
Some examples of incompatible responsibilities include the following:

An employee who ...                                                    Should not ...
Opens the mail, endorses the checks, and prepares the list of checks   Prepare the deposit ticket and make the physical deposit in the bank account
Prepares payroll input and processes payroll                           Distribute payroll checks
Prepares cash disbursements                                            Sign all checks and disbursements
Records inventory transactions                                         Have physical access to inventory
Reconciles the bank accounts                                           Book entries to the general ledger
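In an automated environment the four functions above are granted through application permissions, so the segregation rule can be checked mechanically against the access list. The following is an added example written for this page, not the textbook's own material: it maps hypothetical permission names to the four functions and flags any one user who holds two of them (the scenario in Illustration 4 is the user "bob"). The permission names, users and systems are assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments (added example).

Encodes the four functions the text says must be separated (authorization, record
keeping, custody, reconciliation) and scans a constructed list of user-to-permission
assignments for any single user holding two incompatible functions. The permission
names, system names and users are hypothetical.
"""
from collections import defaultdict
from itertools import combinations

# Map each (hypothetical) application permission to the control function it grants.
PERMISSION_FUNCTION = {
    "ap.approve_invoice": "authorization",
    "ap.create_invoice": "record_keeping",
    "gl.post_journal": "record_keeping",
    "treasury.sign_check": "custody",
    "treasury.release_payment": "custody",
    "gl.reconcile_bank": "reconciliation",
    "inventory.adjust_qty": "record_keeping",
    "warehouse.badge_access": "custody",
}

# Every pair of the four functions is incompatible for one person; the table's rows
# (e.g. "reconciles the bank accounts" vs "books entries to the general ledger")
# are instances of these pairs.
FUNCTIONS = ("authorization", "record_keeping", "custody", "reconciliation")
INCOMPATIBLE = {frozenset(p) for p in combinations(FUNCTIONS, 2)}


def effective_functions(permissions):
    """Return {function: sorted permissions} for one user's permission set."""
    out = defaultdict(set)
    for perm in permissions:
        func = PERMISSION_FUNCTION.get(perm)
        if func:  # permissions not mapped to a function are ignored
            out[func].add(perm)
    return {f: sorted(p) for f, p in out.items()}


def find_sod_conflicts(assignments):
    """assignments: {user: iterable of permissions}. Returns a list of conflicts."""
    conflicts = []
    for user, perms in sorted(assignments.items()):
        funcs = effective_functions(perms)
        for a, b in combinations(sorted(funcs), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                conflicts.append({"user": user, "functions": (a, b),
                                  "permissions": funcs[a] + funcs[b]})
    return conflicts


# Constructed sample: "bob" is the one-person cash cycle of Illustration 4.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap.approve_invoice"],
    "bob": ["ap.create_invoice", "treasury.sign_check", "gl.reconcile_bank"],
    "carol": ["gl.post_journal", "inventory.adjust_qty"],  # one function twice: no conflict
    "dave": ["warehouse.badge_access", "inventory.adjust_qty"],
}

if __name__ == "__main__":
    for c in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{c['user']}: {c['functions'][0]} + {c['functions'][1]} via {c['permissions']}")
```

Run against a real access export, the same scan is the independent check that a role change did not quietly recombine duties; "bob" produces three conflicts (one per pair of his three functions) and "dave" one, while "carol" holds two permissions of the same function and is clean.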

3.2.2 Independent Checks and Verification LOS 1E1k

Independent checks involve the verification of work performed by others to ensure accuracy
and to prevent errors or fraud. Examples include review of bank reconciliations, comparisons of
accounting records to supporting documentation, and comparisons of physical inventory counts
to inventory records. Due to the smaller number of employees, small businesses often have
difficulty creating a clear division of roles and implementing a rotation of responsibilities.

3.2.3 Prenumbered Forms LOS 1E1m

By using prenumbered documents, management may account for all transactions; each
sequentially numbered document is either attached to a transaction or properly voided.
Prenumbered documents assist in segregation of duties. For example, purchasing may receive
a purchase requisition from production to order supplies. If the purchase requisitions are
prenumbered, all transactions can be matched to the supporting documentation and checked
for proper authorization before payment is made. Any gap in the sequence is itself a control
signal that alerts management either that a purchase requisition was improperly used or that
documentation is missing, which may indicate error or fraud.
Prenumbering of forms helps to ensure that all transactions are recorded and that no
transaction is recorded more than once. For example, cash receipts need to be prenumbered to
ensure that each cash receipt was posted to the related accounts receivable. If any sequentially
numbered cash receipt is not accounted for, management can investigate to determine whether
that cash receipt was voided or the cash was misappropriated.
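The completeness test the text describes is a sequence check. The following added example (written for this page, not taken from the textbook) runs it over a constructed cash-receipts register: every number in the issued series must appear exactly once, as either a posted receipt or a proper void, and nothing outside the series may appear. The record layout and the numbering range are assumptions.

```python
"""Sequence-completeness check over prenumbered documents (added example).

Reads a constructed register of cash receipts and reports gaps (numbers never
seen), duplicates (a number recorded twice), numbers outside the issued series,
and voids or postings whose amount is inconsistent with their status.
"""
from collections import Counter

# Constructed register: (receipt number, status, amount); status is 'posted' or 'void'.
# The series issued to this cashier is assumed to run 1001..1012.
RECEIPTS = [
    (1001, "posted", 250.00), (1002, "posted", 80.50), (1003, "void", 0.0),
    (1004, "posted", 120.00), (1006, "posted", 99.99), (1007, "posted", 45.00),
    (1007, "posted", 45.00),  # the same receipt number posted twice
    (1009, "posted", 310.00), (1010, "void", 0.0), (1011, "posted", 18.25),
    (1020, "posted", 60.00),  # not in the series issued to this cashier
]
SERIES = range(1001, 1013)


def check_sequence(records, series):
    """Return a dict of exceptions for management to investigate."""
    counts = Counter(num for num, _status, _amount in records)
    seen = set(counts)
    issued = set(series)
    gaps = sorted(issued - seen)                       # voided? or cash misappropriated?
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    out_of_range = sorted(seen - issued)               # document not issued to this cashier
    # A void must carry no amount; a posted receipt must carry a positive amount.
    bad_status = sorted(n for n, status, amount in records
                        if (status == "void" and amount != 0)
                        or (status == "posted" and amount <= 0))
    return {"gaps": gaps, "duplicates": duplicates,
            "out_of_range": out_of_range, "bad_status": bad_status}


def is_complete(records, series):
    """True only when every exception list is empty."""
    return not any(check_sequence(records, series).values())


if __name__ == "__main__":
    for kind, numbers in check_sequence(RECEIPTS, SERIES).items():
        print(f"{kind}: {numbers}")
```

On the sample register the check reports gaps at 1005, 1008 and 1012, a duplicate 1007 and an out-of-series 1020; each is a lead for management rather than proof of fraud, which is exactly the detective role the text assigns to prenumbering.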


LOS 1E2c 4 Information System Development Controls

Information system development controls are designed to enhance the security and accuracy
of data input into the system, strengthening the validity of the outputs from the system. During
the input, processing, and output stages, controls are designed to protect against internal and
external threats. The system development control design that provides this security must be
able to adapt in order to continuously provide protection in an ever-changing environment.

LOS 1E2f 4.1 Types of System Development Controls


Information system development controls are named for the system processing step to which
they belong. The same tactics may occur in many places, but input controls accompany input
processes where data is fed into the system. Processing controls accompany steps where
calculations, transformations, or aggregations are performed on the data. Output controls
accompany steps where the results of processing are formatted and prepared for other
stakeholders, whether those are end-user managers making decisions or other processes.

4.1.1 Input Controls


Input controls are designed to ensure that the data being entered into the system is both factually
accurate and properly authorized. Authorized individuals input data and identifying credentials (a
process called credentialing) into the system in order for the input to be accepted. If credentials pass
the initial input controls, a second layer of input controls checks that the supplied data meets other
established parameters. This second layer includes the technical structure of the file, including data
types (such as text or numbers), and field checks (such as numerical upper and lower limits).

Illustration 5 Operation of Input Controls

An input file containing sales transactions is loaded into the operations system from a
store at the proper time, carrying the proper credentials for the store and its manager. Input
controls accept the authorization for this file to be read into the system. However, during the
initial read the file is seen to be less than half the size of a typical file for that store during this
time of year. Because the number of sales transactions is too low (outside of the lower limit
for this input control), a contingency trigger interrupts processing and sends notifications
to both the store manager and the operations analyst to check to make sure the entire file
was transmitted. Processing resumes when either authorized person (the store manager or
the operations analyst) submits their credentials and replaces or confirms the input file.
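The two layers of input control in Section 4.1.1, plus the batch-level lower limit in Illustration 5, can be expressed as a single acceptance routine. The following is an added example written for this page, not the textbook's code: the store registry, the shared-secret credential check (which stands in for whatever authentication the real system uses), the field limits and the record layout are all assumptions.

```python
"""Two-layer input control over a store's daily sales file (added example).

Layer 1 (authorization): the file must come from a registered store presenting
that store's credential. Layer 2 (field checks): each record must have the right
types and values within limits. A batch-level check then compares the record
count with the store's baseline and holds the file for a manager or analyst to
confirm when it is below half the typical size, as in Illustration 5.
"""
import hmac

# Assumed registry: per-store shared secret and typical daily transaction count.
STORES = {"S17": {"secret": "k-s17-2024", "typical_count": 400}}
MAX_LINE_TOTAL = 5000.00           # upper limit field check on one line's total
VALID_TENDERS = {"cash", "card"}


def authorize_file(store_id, presented_secret):
    """Layer 1: known store and matching credential (constant-time comparison)."""
    store = STORES.get(store_id)
    return store is not None and hmac.compare_digest(store["secret"], presented_secret)


def validate_record(rec):
    """Layer 2: return the list of field-check failures for one record (empty = ok)."""
    errors = []
    if not isinstance(rec.get("txn_id"), int) or rec["txn_id"] <= 0:
        errors.append("txn_id must be a positive integer")
    qty = rec.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= 999:
        errors.append("qty out of range 1..999")
    total = rec.get("total")
    if not isinstance(total, (int, float)) or total <= 0 or total > MAX_LINE_TOTAL:
        errors.append(f"total outside 0..{MAX_LINE_TOTAL}")
    if rec.get("tender") not in VALID_TENDERS:
        errors.append("tender not in allowed set")
    return errors


def process_sales_file(store_id, presented_secret, records):
    """Return (decision, details); decision is 'rejected', 'held' or 'accepted'."""
    if not authorize_file(store_id, presented_secret):
        return "rejected", {"reason": "authorization failed"}
    bad = {}
    for rec in records:
        errs = validate_record(rec)
        if errs:
            bad[rec.get("txn_id")] = errs
    if bad:
        return "rejected", {"reason": "field checks failed", "records": bad}
    typical = STORES[store_id]["typical_count"]
    if len(records) < typical / 2:
        # Contingency trigger: stop, and notify both people who may confirm or replace the file.
        return "held", {"reason": "record count below half of baseline",
                        "count": len(records), "typical": typical,
                        "notify": ["store_manager", "operations_analyst"]}
    return "accepted", {"count": len(records)}


# Constructed sample inputs.
GOOD_FILE = [{"txn_id": i, "qty": 1, "total": 9.99, "tender": "card"} for i in range(1, 401)]
SHORT_FILE = GOOD_FILE[:150]          # a truncated transmission
BAD_FILE = GOOD_FILE[:399] + [{"txn_id": 400, "qty": 0, "total": -5, "tender": "gold"}]
```

The order of the checks matters: authorization failures are rejected before any content is inspected, malformed records are rejected outright, and only a well-formed but suspiciously small file is held for a human decision rather than silently processed.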

4.1.2 Processing Controls


Processing controls are designed to ensure that transformations to the input data are executed
correctly, and that all data communication during processing is appropriately secured. The most
basic type of processing control is an audit trail: a record, written at particular steps within a
process, of what was done, by whom, and on which data, so that the step can later be reviewed by
other employees or by auditors. By examining this trail, an error or fraud may be discovered and
traced to the specific processing step where it occurred.
Another processing control is security over system processing. Files created by an audit trail
and any other data that has been processed must be secured for use only by authorized persons
and authorized systems for further processing. Security processing controls involve
credentialing for report files as well as use of secure file transfer protocols (to transfer
files from one process or location to another) and file encryption.


Illustration 6 Operation of Processing Controls

An analyst receives transaction reports from each retail store in the corporation and uses
a program to consolidate the files into one report containing all transaction records in
chronological order for the day. Each day, the analyst preserves the individual store reports
and the consolidated reports in the company's cloud-based file storage system.
Another analyst later takes the consolidated file and uses it as input to another program
in order to organize the sales by store owner (some owners have multiple retail stores)
to calculate royalties owed to the parent company. The second analyst also saves the
consolidated file (the output from the first process that is now the input for the second
process) and the new output file detailing sales by owner in the company's file storage
system, where it can be used by other analysts for different purposes.
The benefits of following this process control include error detection, fraud detection, and
promotion of good business continuity practices. The first analyst's output file should be
identical to the second analyst's input file. Any other analyst should be able to run the
same program against the same input file stored on record and get the same output file
stored on record. If the files are not the same or the output results are different, then it
is possible that an error or fraud has occurred, or that the data became corrupted. Lastly,
with backups in existence, if a data file was corrupted, lost or stolen, then work can proceed
from the most recent backup.
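Illustration 6 rests on two checks: that the second analyst's input is byte-for-byte the first analyst's output, and that re-running the first step on the stored inputs reproduces the stored output. The following added example (written for this page, not the textbook's code) implements both with a hash-chained audit trail, so that the trail itself is also protected against later alteration. File contents, the store-to-owner mapping and the hashing layout are constructed for the example.

```python
"""Audit trail and integrity check for a two-step processing chain (added example).

Step 1 consolidates per-store files into one chronological file; step 2 turns that
file into sales by owner. Each step appends an entry recording the SHA-256 digests
of its inputs and output, chained to the previous entry's hash, so an altered or
reordered trail is detectable. The control check verifies the chain, the hand-off
between steps, and that step 1 is reproducible.
"""
import hashlib
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only list of entries, each chained to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, step, actor, inputs, output):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"step": step, "actor": actor, "prev": prev,
                "inputs": sorted(digest(b) for b in inputs), "output": digest(output)}
        body["entry_hash"] = digest(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or digest(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Step 1: merge store files of lines "HH:MM,store,amount" into time order. Deterministic.
def consolidate(store_files):
    lines = [ln for f in store_files for ln in f.decode().splitlines() if ln]
    lines.sort(key=lambda ln: (ln.split(",")[0], ln.split(",")[1]))
    return ("\n".join(lines) + "\n").encode()


# Step 2: sum sales per owner. The owner mapping is an assumption.
OWNER = {"S1": "ownerA", "S2": "ownerA", "S3": "ownerB"}


def sales_by_owner(consolidated):
    totals = {}
    for ln in consolidated.decode().splitlines():
        _time, store, amount = ln.split(",")
        totals[OWNER[store]] = round(totals.get(OWNER[store], 0.0) + float(amount), 2)
    return (json.dumps(totals, sort_keys=True) + "\n").encode()


# Constructed per-store files.
STORE_FILES = [b"09:05,S1,10.00\n12:30,S1,5.50\n", b"09:00,S2,7.25\n", b"11:15,S3,3.00\n"]


def run_day(store_files, tamper=False):
    """Run both steps; with tamper=True the second analyst works from an altered input."""
    trail = AuditTrail()
    consolidated = consolidate(store_files)
    trail.record("consolidate", "analyst1", store_files, consolidated)
    step2_input = consolidated.replace(b"10.00", b"100.00") if tamper else consolidated
    owners = sales_by_owner(step2_input)
    trail.record("sales_by_owner", "analyst2", [step2_input], owners)
    return trail, consolidated, owners


def control_check(trail, store_files, consolidated):
    """True only if the chain is intact, step 2 used step 1's output, and step 1 reproduces."""
    e1, e2 = trail.entries
    handoff_ok = e2["inputs"] == [e1["output"]]
    reproducible = digest(consolidate(store_files)) == e1["output"] == digest(consolidated)
    return trail.verify_chain() and handoff_ok and reproducible
```

The hand-off check fails when the second analyst's recorded input digest differs from the first analyst's recorded output, which is how a substituted consolidated file would surface; the chain check fails if anyone edits an earlier trail entry after the fact.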

4.1.3 Output Controls


Output controls are designed to ensure that the results of system processing are presented
in a useful state to only authorized persons and processes. Credentialing, secure file
transmission, and file encryption are output controls used to protect output from misuse or
theft. Output should be presented in industry-approved formats and standards, for example,
including the use of a four-digit year (not a two-digit year) to represent the date. If standards
are not observed, subsequent use of the data may necessitate spending additional resources
reformatting the data or users may risk data misinterpretation.
Output controls should also be triggered when a process makes a recommendation that is highly
risky or unusual. In such cases, analysts and executives should review the recommendation
before authorizing it. For example, if a computer process produces output that reflects an
unusually high order quantity in a period when sales are sharply decreasing, output controls
should require managerial approval instead of automatically approving the high order quantity.

Illustration 7 Operation of Output Controls

Interest rates on loans are calculated from economic factors such as national savings rates,
the consumer price index, currency exchange rates, and stock and bond market activities.
These calculations may occasionally result in a recommended interest rate being negative,
meaning that the bank should pay the borrower interest to take out a loan. It is sometimes
appropriate for a bank to use negative interest rates, but less often than such calculations
may recommend. A prudent output control would require an executive-level bank manager
to approve or modify any system recommendation for a negative interest rate.


LOS 1E2g 4.1.4 Storage Controls


Storage controls are designed to ensure that the appropriate records are retained, retrieved,
and accessed only by authorized people and processes. Stored data must be protected in
several ways. Physical controls help to secure the physical location of the data. Examples of
physical controls are controlled access, air gaps (computers physically isolated from the Internet
or other networks), and security patrols. Credentialing ensures that only authorized parties gain
access, and encryption protects the data from unauthorized retrieval or use even if the storage
medium itself is copied or stolen.
The use of processing and storage sites hosted by a third-party provider should be governed by
legal contracts that limit the hosting company's access to the customer's stored data. Detective
controls, such as access logging and periodic review of the provider's access, monitor the stored
data for compliance with those contracts. A version control system provides an additional layer of
protection: it keeps every revision of a file or system configuration in date order and, in effect,
creates a backup copy each time a change is made. In the event a file or system needs to be
reloaded from backup, a known-good version dated prior to the observed problem can be selected
accurately.

LOS 1E2a 4.2 Segregation of Accounting Duties and Systems Security


Segregation of accounting duties is crucial in system design. Because authorization, record
keeping, and custody of assets should be separated to discourage fraud, all systems should
be designed to facilitate this. The information system takes the record-keeping segment of the
process, maintaining records of all transactions and their effects throughout the company.
Security in information systems depends on (1) proper authorization of transactions by
accountable individuals, (2) accounting employees to keep accurate records of transactions, and
(3) other functions to check for proper authorization and record keeping before approving the
movement of funds and/or inventory in accordance with established procedures.
The information system's input controls are a check against errors or fraud in the input files.
Employees in the accounting function may use the audit trails produced by processing controls to
detect errors, and to find unauthorized or hidden program functions, in order to prevent and
detect theft, embezzlement, or other fraud.

LOS 1E2e 4.3 Information System Security


Access to data is linked to each employee's log-in credentials. This allows IT to set limits on
each employee's ability to use any part of a program. Such programs also keep records of every
action taken and link those actions to the employee who performed the action.
In addition to log-in credentials, programs and databases have protocols that prevent changes
to the program or database unless each part of the change adheres to internal rules, including:
Version Controls: Allow only one change at a time, incorporating all users' changes in a
sequential manner so that no content is overwritten or lost, and keep a history of who
changed what and when.
Access Controls: Allow only authorized users to make changes.
Validity Controls: Allow only data that meets certain parameters (such as being
numerical or within a specified range) and may enforce relationships with other data
points after changes are made (for example, a payment must reference an existing, approved invoice).

LOS 1E2d 4.3.1 Threats to Information System Security


Computer software and hardware, including peripheral devices, require preventive controls
over physical systems. Computers at customer-serving offices should be secured with log-in
credentials as well as secured against being physically stolen. For this reason, the computer
that controls a point-of-sale system is kept in a locked location with a small opening for wires to
reach a screen and a keyboard. Other employee-use computers should be behind a locked door
in a restricted-access area for employees only.


Computer servers should also be stored in locked rooms, accessible only by authorized
employees. This control exists to prevent anyone without authorized credentials from accessing,
stealing, altering, or destroying sensitive company data by either stealing a hard drive or
destroying a server. Another physical security feature in a server room is a lack of physical
labeling. An unauthorized individual would have a difficult time searching for a particular set of
files or data to steal in a server room where every server is essentially physically identical.
Peripheral devices may create vulnerabilities that are just as significant as exposed core hardware
and software. They could be assets that allow indirect access to core systems, such as an IoT
(Internet of Things) piece of equipment. Or peripheral devices could be more supportive in nature,
particularly central heating and cooling systems, which are critical to maintain low temperature
levels for servers, switches, and other items found in a data center. Access to central cooling
systems that support such equipment should be given the same level of physical access controls
because tampering with it could be just as detrimental, potentially causing equipment to overheat.

4.3.2 External Threats to Information System Security LOS 1E2b

External parties, such as contractors, cloud-services providers, customers, competitors, and
hackers, may gain access to a company's data. These external parties gain access by attacking
the company's people and systems in a variety of ways, including:
Phishing: A scheme in which a fraudster sends e-mails or other communications in an
attempt to coax an employee with system access into giving his or her credentials to the
attacker, typically through a link to a look-alike login page.
Trojan Horse: An apparently benign program or application that executes a malicious script
or program in an attempt to capture a user's credentials, steal data from the computer or
alter files, or cause destruction to the computer's software and operating system.
Ransomware: Malicious software that encrypts the victim's data files; the attacker then demands
payment in exchange for the decryption key needed to recover the data.
Viruses: A computer program that invades a host system and replicates itself (much like an
actual virus) by inserting copies into other programs or files. Many viruses also carry a payload
that conceals itself within system files in order to observe actions and steal data, such as
passwords.
Once an attacker has access to the system, the attacker may attempt to copy, steal, deny access,
alter, or destroy input data files. An attacker who seeks to sell data or ransom it back to the company
may attempt to copy, steal, or deny access to the data; someone who is either a former disgruntled
employee or engaging in corporate espionage may be more likely to alter or destroy files or systems.
Criminals may profit from their actions by adding programs to fraudulently divert profits into their
personal accounts or to disrupt the targeted company for pay offered by a competitor.

Illustration 8 Phishing With Ransomware Attack

A health care organization's lead IT engineer received what appeared to be a voice mail
sent to his e-mail, with a link taking him to a page that prompted him to enter his domain
username and password. Once the attacker obtained the engineer's credentials from this
phishing attack, the attacker used them to log in to a remote-access service the company
exposed to the public Internet and so gained access to the internal network. The attacker
then encrypted all files in the company's shared drives, rendering them inaccessible to
company employees. The attacker then e-mailed the company's management demanding $80,000
in digital currency, to be sent to a cryptocurrency wallet address the attacker controlled.
After being advised by its legal counsel to pay, the company's forensic accountant paid the
attacker, and in return the company received the decryption key to regain access to all of
its files. Note that a password alone was enough to reach the internal network: multifactor
authentication on the exposed service (a preventive control) and restorable backups kept
separate from the shared drives (Section 5.2) are the controls this scenario lacked.


LOS 1E2h 4.3.3 Internet Security


Internet use is inherently risky because data transmissions are routed through unpredictable
paths. Even if data is sent from one company-owned computer to another company-owned
computer, that data may pass through routers and networks outside of the originating company's
control. Security safeguards along this path vary widely and cannot be verified by the sender, so
sensitive data should be encrypted end to end to protect it from unauthorized copying or altering
as it flows through this channel. These issues are further complicated if the data traverses
wireless networks at any step along the path, because open or poorly configured wireless networks
let anyone within radio range capture the traffic, making such copying significantly easier.

LOS 1E2i 4.3.4 Encryption


Encryption is a preventive control that is used to protect data. There are various types of encryption
mechanisms, but all of them use a computer algorithm (a cipher) together with a key to transform
readable data (plaintext) into an unreadable form (ciphertext). The encryption key is typically a
string of bits or characters that serves as an input parameter to the algorithm; only a party holding
the correct key can reverse the transformation and return the data to its original state. Encryption
is distinct from mere encoding (such as Base64), which uses no key and protects nothing.
Data encryption is particularly important when using the Internet because of the type of
data being exchanged. Financial services companies and banks transmit personal account
numbers. Health care institutions swap sensitive medical data and other personally identifiable
information, such as Social Security numbers or demographic data. Other companies that do
not deal directly with personal health or financial information may store payment data for
future transactions, such as online retailers that accept payment from credit cards. The use of
encryption for transactions and data storage adds a layer of protection for all parties involved.
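The text notes that encryption protects data in transit from both copying and altering. The second property is only delivered by authenticated encryption, which the following added example (written for this page, not the textbook's code) demonstrates with AES-256-GCM from the third-party `cryptography` package. The record contents, header and the freshly generated key are constructed for the demonstration; in practice the key comes from a key-management system and is never stored beside the data.

```python
"""Authenticated encryption of a record, with tamper detection (added example).

Uses AES-256-GCM (pip install cryptography). The GCM authentication tag binds the
ciphertext and an unencrypted header together, so any change to either, or use of
the wrong key, makes decryption fail instead of yielding corrupted plaintext.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def encrypt_record(key: bytes, plaintext: bytes, header: bytes) -> bytes:
    """Return nonce || ciphertext+tag. `header` is authenticated but sent in clear."""
    nonce = os.urandom(12)        # 96-bit nonce; must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, header)


def decrypt_record(key: bytes, blob: bytes, header: bytes):
    """Return the plaintext, or None if key, header or ciphertext does not verify."""
    nonce, ciphertext = blob[:12], blob[12:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, header)
    except InvalidTag:
        return None


def tamper_demo():
    """Constructed scenario: one genuine decryption and three that must fail."""
    key = AESGCM.generate_key(bit_length=256)
    header = b"acct-7781|2024-03-01"          # assumed record id and date
    blob = encrypt_record(key, b"balance=12500.00", header)
    altered = bytearray(blob)
    altered[12] ^= 0x01                       # flip one bit of the first ciphertext byte
    return {
        "roundtrip": decrypt_record(key, blob, header),
        "altered_ciphertext": decrypt_record(key, bytes(altered), header),
        "altered_header": decrypt_record(key, blob, b"acct-7782|2024-03-01"),
        "wrong_key": decrypt_record(AESGCM.generate_key(bit_length=256), blob, header),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case}: {result!r}")
```

Binding the account number into the header means a ciphertext cannot be silently moved to a different account record, which an unauthenticated cipher mode would not prevent.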

LOS 1E2j 4.3.5 Firewalls


Firewalls are network security systems that are intended to protect a company by monitoring,
controlling, and restricting incoming and outgoing traffic. Firewalls selectively allow or deny
traffic based on a set of predetermined rules designed by company administrators; rules are
typically evaluated in order, and the first matching rule decides. Firewalls may deny access
based on the port, the protocol, or the Internet protocol (IP) address of the communication. An
address-based rule can be as macro-focused as excluding the address ranges assigned to whole
nations or regions, or as micro-focused as excluding a single company or host.
Application-layer firewalls and proxies can also deny access depending on which programs or
protocols are used for the communication. This type of restriction is often used to block
messages that carry executable code as an attachment. Firewalls may also be used to deny or filter
types of Internet content. For example, websites categorized as gaming or adult are frequently
blocked by employers.
Additionally, a firewall may be set up on a default-allow policy (in which traffic is allowed unless
a rule specifically blocks it) or a default-deny policy (in which traffic is blocked unless a rule
specifically permits it). Default-deny is the safer posture, because anything the administrator
did not anticipate, such as an unexpected inbound service or a new outbound channel, is blocked
rather than allowed.
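The difference between the two postures is easiest to see by running the same rule set against the same packets under each default. The following added example (written for this page, not the textbook's code) is a small first-match rule evaluator over direction, protocol, source and destination range, and destination port; the rules, the address ranges and the packets are constructed, and the "blocked region" range stands in for the geo-IP list a real firewall would consult.

```python
"""Rule-based packet filter with default-deny versus default-allow (added example).

Rules are evaluated first-match; a packet matching no rule receives the policy's
default. Both postures share one rule list so that only the default differs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"       # "in", "out" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"       # source CIDR
    dst: str = "0.0.0.0/0"       # destination CIDR
    dport: tuple = ()            # () = any destination port

    def matches(self, pkt):
        return (self.direction in ("any", pkt["direction"])
                and self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (not self.dport or pkt["dport"] in self.dport))


def evaluate(rules, default, pkt):
    """Return (action, reason); `default` is 'allow' or 'deny'."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return default, "default policy"


CORP = "10.20.0.0/16"                 # assumed corporate network
BLOCKED_REGION = "203.0.113.0/24"     # stand-in for a region the company excludes

RULES = [
    Rule("deny", src=BLOCKED_REGION),                        # macro-level: a whole region
    Rule("deny", src="198.51.100.7/32"),                     # micro-level: one host
    Rule("allow", "in", "tcp", dst=CORP, dport=(443,)),      # public web front end
    Rule("allow", "out", "tcp", src=CORP, dport=(80, 443)),  # staff web browsing
    Rule("deny", "in", "tcp", dst=CORP, dport=(3389, 22)),   # no remote admin from outside
]

# Constructed packets (documentation address ranges).
PACKETS = {
    "web_in":     {"direction": "in",  "proto": "tcp", "src": "192.0.2.9",    "dst": "10.20.1.5", "dport": 443},
    "rdp_in":     {"direction": "in",  "proto": "tcp", "src": "192.0.2.9",    "dst": "10.20.1.5", "dport": 3389},
    "region_in":  {"direction": "in",  "proto": "tcp", "src": "203.0.113.44", "dst": "10.20.1.5", "dport": 443},
    "smb_in":     {"direction": "in",  "proto": "tcp", "src": "192.0.2.9",    "dst": "10.20.1.5", "dport": 445},
    "browse_out": {"direction": "out", "proto": "tcp", "src": "10.20.3.3",    "dst": "192.0.2.9", "dport": 443},
    "exfil_out":  {"direction": "out", "proto": "tcp", "src": "10.20.3.3",    "dst": "192.0.2.9", "dport": 8443},
}


def decisions(default):
    """Decision for every sample packet under the given default policy."""
    return {name: evaluate(RULES, default, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name in PACKETS:
        print(f"{name:11s} default-deny={decisions('deny')[name]:5s} default-allow={decisions('allow')[name]}")
```

The explicit rules decide the same way under both defaults; the unanticipated traffic (inbound file sharing on port 445, an outbound connection on an unusual port) is what the default decides, and under default-allow it passes.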

LOS 1E2m 5 Business Continuity Planning
LOS 1E2n

Business continuity planning is the creation of plans and the pre-positioning of assets so that
the business can continue to function during and after a disruption. The disruption could be a
natural event, such as a fire, flood, or tornado, or the disruption could be social or economic,
such as a war or pandemic, a major recession, an active shooter, or a data breach. The company
creates strategies in advance to minimize disruptions. Such measures include creating emergency
planning policies and purchasing business interruption insurance. Strategies for use during an
event may include pre-positioning backup data, computer hardware, or even entire facilities at
alternative locations, where the cost of doing so is justified by the risk of the disruption.


Disaster recovery planning (DRP) differs from business continuity planning in that business
continuity planning is the creation of strategies to cover every likely potential disruption to
business, whereas disaster recovery is the execution of one or more of those plans in the
moment when they are needed. Disasters cause business continuity issues; therefore, disaster
recovery plans are a significant part of business continuity planning. DRP is more tactical
compared with continuity planning, which is more strategic.

5.1 Objectives of a Disaster Recovery Plan


For each potential interruption to business continuity (including disasters), a plan must be made
to bring the business from its disrupted state to an operational state as quickly and effectively
as possible. Organizations will often set timelines for different organizational components to be
recovered, placing a higher priority and earlier target recovery date for functions that are critical
to a company's operations. Functions with the most importance usually include information
systems infrastructure and access to capital from financial institutions, which have a more
immediate recovery timeline closer to 24 to 48 hours, whereas something like access to printers
may be closer to five to seven days.

5.2 Data Backup and Recovery Procedures


5.2.1 Use of a Disaster Recovery Service
Disaster recovery service providers, offering disaster recovery as a service (DRaaS) or acting as
managed service providers (MSPs), may provide a simple backup of data or more complex services,
such as file synchronization between systems, coordinated recovery plans spanning different
systems, applications, and infrastructure, and even full replication of the IT environment.

5.2.2 Internal Disaster Recovery


Organizations that require near-instantaneous resumption of processing after a disaster
(e.g., banks and brokerage houses) may provide their own duplicate facilities in separate
locations. Data might be mirrored (i.e., updated and stored in both locations), and processing
can be switched almost instantaneously from one location to another. A duplicate data center
and data mirroring are expensive, and most organizations adopt cheaper solutions.

5.2.3 Multiple Data Center Backups


Using a data center to back up another or back up to a cloud provider, assuming that there
is enough capacity to process the essential applications.
Organizations also must decide what types of backups to perform in order to recover
lost data.
• Full backup: an exact copy of the entire database. Full backups are time consuming,
  so most organizations do full backups only weekly and supplement them with daily
  partial backups.
• Two types of partial backups are possible:
  — An incremental backup copies only the data items that have changed since
    the last backup (full or partial). This produces a set of incremental backup files, each containing the
    results of one day's transactions. Restoration involves first loading the last full backup
    and then installing each subsequent incremental backup in the proper sequence; a missing
    or out-of-sequence file leaves the restored data inconsistent.
  — A differential backup copies all changes made since the last full backup. Thus, each
    new differential backup file contains the cumulative effects of all activity since the
    last full backup. Consequently, except for the first day following a full backup, daily
    differential backups take longer than incremental backups. Restoration is simpler,
    however, because the last full backup needs to be supplemented with only the most
    recent differential backup, instead of a set of daily incremental backup files. Most
    organizations make either incremental or differential backups daily.
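The restoration rules above (full backup first, then either the whole incremental chain in order or only the latest differential) are easy to state and easy to get wrong under pressure. The following is an added example, not code from the Becker text: it models a database as a dict of record id to value, takes a week of incremental and of differential backups from constructed daily states, and restores from each set. Every backup file carries a SHA-256 digest that is checked before use, and a gap in an incremental chain or mixed file types aborts the restore instead of silently producing a wrong database. The daily states, record names and schedule are assumptions made for the illustration.

```python
"""Full, incremental and differential backup chains and their restoration.

Added illustration; it is not code from the Becker text. A database is
modelled as a dict of record id -> value, a backup as the records changed
(and the ids deleted) since a reference point, and every backup file carries
a SHA-256 digest that is checked before it is applied. The sample daily
states below are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass, field


def _digest(records, deleted):
    payload = json.dumps([sorted(records.items()), sorted(deleted)]).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Backup:
    kind: str                     # "full", "incremental" or "differential"
    day: int                      # day taken; the full backup is day 0
    records: dict                 # record id -> value captured in this file
    deleted: set = field(default_factory=set)  # ids removed since reference
    digest: str = ""              # integrity check, computed when taken

    def __post_init__(self):
        if not self.digest:
            self.digest = _digest(self.records, self.deleted)


def changes_since(current, reference):
    """Records added or modified, and ids deleted, relative to a reference state."""
    changed = {k: v for k, v in current.items() if reference.get(k) != v}
    deleted = set(reference) - set(current)
    return changed, deleted


def take_backups(daily_states, kind):
    """Weekly-style schedule: full backup on day 0, then one partial per day.

    An incremental captures changes since the previous day's backup; a
    differential captures changes since the last full backup.
    """
    full_state = daily_states[0]
    backups = [Backup("full", 0, dict(full_state))]
    previous = full_state
    for day in range(1, len(daily_states)):
        reference = full_state if kind == "differential" else previous
        changed, deleted = changes_since(daily_states[day], reference)
        backups.append(Backup(kind, day, changed, deleted))
        previous = daily_states[day]
    return backups


def restore(backups):
    """Rebuild the database: full backup first, then the partials.

    Incrementals must form an unbroken chain and are applied in day order;
    for differentials only the most recent file is needed. A corrupt file or
    a gap in an incremental chain aborts the restore rather than silently
    producing an inconsistent database.
    """
    for b in backups:
        if b.digest != _digest(b.records, b.deleted):
            raise ValueError(f"backup for day {b.day} failed its integrity check")
    fulls = [b for b in backups if b.kind == "full"]
    if len(fulls) != 1:
        raise ValueError("exactly one full backup is required")
    state = dict(fulls[0].records)
    partials = sorted((b for b in backups if b.kind != "full"), key=lambda b: b.day)
    kinds = {b.kind for b in partials}
    if kinds == {"differential"}:
        partials = partials[-1:]             # cumulative: the latest file suffices
    elif kinds == {"incremental"}:
        days = [b.day for b in partials]
        if days != list(range(1, len(days) + 1)):
            raise ValueError(f"incremental chain is broken: have days {days}")
    elif kinds:
        raise ValueError("cannot mix incremental and differential files")
    for b in partials:
        state.update(b.records)
        for k in b.deleted:
            state.pop(k, None)
    return state


# Constructed sample: database contents at the end of each day.
DAILY_STATES = [
    {"acct-1": 100, "acct-2": 250, "acct-3": 75},  # day 0: full backup
    {"acct-1": 120, "acct-2": 250, "acct-3": 75},  # day 1: acct-1 changed
    {"acct-1": 120, "acct-2": 260, "acct-4": 10},  # day 2: acct-2 changed, acct-3 deleted, acct-4 added
    {"acct-1": 130, "acct-2": 260, "acct-4": 10},  # day 3: acct-1 changed again
]


def file_sizes(backups):
    """Number of items in each daily partial file (the full backup excluded)."""
    return [len(b.records) + len(b.deleted) for b in backups if b.kind != "full"]


if __name__ == "__main__":
    inc = take_backups(DAILY_STATES, "incremental")
    diff = take_backups(DAILY_STATES, "differential")
    print("incremental sizes:", file_sizes(inc), "restore ok:", restore(inc) == DAILY_STATES[-1])
    print("differential sizes:", file_sizes(diff), "restore ok:", restore(diff) == DAILY_STATES[-1])
```

Running it shows the trade-off in numbers: the incremental files hold 1, 3 and 1 items for days 1 to 3, while the differential files grow to 1, 4 and 4 because each repeats everything since the full backup. Restoring from the full backup plus only the last differential succeeds; restoring from the full backup plus only the last incremental is refused because days 1 and 2 are missing.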

© Becker Professional Education Corporation. All rights reserved. Part 1 Unit 5, Module 2: E.1. Governance, Risk, and Compliance: Part 2, and E.2. System Controls and Security Measures

5.2.4 Alternative Processing Facilities


1. Cold Site: A cold site is an off-site location that has all the electrical connections and other
physical requirements for data processing, but it does not have the actual equipment. Cold
sites usually require one to three days to be made operational because equipment has to be
acquired. Organizations that utilize a cold-site approach normally utilize generic hardware
that can be readily (and quickly) obtained from hardware vendors. Cold sites are the
cheapest form of off-site location.
2. Hot Site: A hot site is an off-site location that is equipped to take over the company's data
processing. Backup copies of essential data files and programs may also be maintained at
the location or at a nearby data storage facility. In the event of a disaster, the organization's
personnel are sent to the disaster recovery facility to load the backup data onto
the standby equipment.
• Telecommunications Network
  The most difficult aspect of recovery is often the telecommunications network.
• Floor Space and Equipment Determination
  Disaster recovery service providers normally have an extensive amount of floor space
  and equipment, but nowhere near enough if all customers (or even a significant number
  of similar customers) declared a disaster at the same time. How much is needed is
  determined on a probabilistic basis; to a disaster recovery services provider, geographic
  and industry diversification of customers is therefore extremely important.
• Personnel Issues
  Effective recovery, and especially rapid effective recovery, is often a function of having
  knowledgeable personnel involved.
3. Warm Site: A warm backup site is a facility that is already stocked with all the hardware that
it takes to create a reasonable facsimile of the primary data center.
In order to restore the organization's service, the latest backups must be retrieved and
delivered to the backup site. Next, a bare-metal restoration of the underlying operating
system and network must be completed before recovery work can be done. The advantage
of the warm backup site is that a restoration can be accomplished in a reasonable amount
of time. The disadvantage is that there is still a continued cost associated with the warm
backup site because a contract must be maintained with the facility to keep it up to date.
The warm backup site is the compromise between the hot backup site and the cold
backup site.

5.3 Disaster Recovery Team


A company's disaster recovery team consists of key operations management personnel, and
for larger entities, a disaster recovery services provider. If application software packages are
utilized, the package vendors may be involved. For distributed processing, hardware vendors
may be involved. Senior management support is absolutely necessary for an effective disaster
recovery plan.

5.3.1 Steps in Disaster Recovery


The steps in a disaster recovery plan are to:
1. assess the risks;
2. identify mission-critical applications and data;


3. develop a plan for handling the mission-critical applications;


4. determine the responsibilities of the personnel involved in disaster recovery; and
5. test the disaster recovery plan.
Depending on the organization, the disaster recovery plan may be limited to the restoration of
IT processing or may extend to restoration of functions in end-user areas (often called business
continuity). One factor that must be considered in business continuity is the paper records that
might normally be maintained in end-user areas and that might be lost in a disaster.

5.4 Advantages and Disadvantages of Disaster Recovery and Business Continuity Plans

Disaster recovery and business continuity plans are part of overall risk management. If disaster
strikes or business is interrupted and plans are not already in place, the organization may go out
of business.
The advantage of having plans in place is being able to continue operations with minimal
disruptions; i.e., operations and cash flow continue.
The disadvantage of having plans in place is the cost and effort required to establish and
maintain business continuity plans and a disaster recovery plan.

5.5 Split-Mirror Backup


As the amount of data needed to support many large companies grows, so do the time and
resources that it takes those companies to back up and recover their data. One often-used,
effective backup method is known as a split-mirror backup, which is useful when the main
systems must always be online. A split-mirror backup keeps a mirrored copy of the data,
temporarily splits (detaches) that mirror so the copy can be backed up offline, often to a remote
server, while the main system keeps running, and then resynchronizes the mirror. The resulting
backup can be restored in the event of a disaster. A split-mirror backup may be used either by
the company internally or in conjunction with a disaster recovery service provider.

5.6 Data Backup and Recovery Procedures LOS 1E2l

Data backups are necessary both for recovery in a disaster scenario and for recovery from
processing problems. Copies of key master files and records should be stored in safe places
located outside of the company. Copies of files kept on-site should be stored in fireproof
containers or rooms.
Backup of Systems That Can Be Shut Down: The backup process is relatively simple when
a system can be shut down for backup and maintenance. When this is the case, the files or
databases that have changed since the last backup (or simply all data) can be backed up, using
the grandfather-father-son rotation or a similar concept, in which the three most recent
generations of backup media are retained so that a failed or corrupt backup can be replaced by an older one.
Backups of Systems That Do Not Shut Down: Effective backups are more difficult when
an information system cannot be shut down. Recovery then consists of restoring the most
recent backup and replaying the transaction log (a file of the transactions that have been
applied to the databases since that backup), reapplying only the transactions that completed,
to get back to the point immediately before the failure.
Mirroring: Mirroring is the use of a backup computer to duplicate all of the processes and
transactions on the primary computer. Mirroring, which can be expensive, is sometimes
used by banks and other organizations for which downtime is unacceptable.
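The log-replay recovery described for systems that do not shut down has one detail that matters in practice: the log at the moment of failure usually contains transactions that had started but never committed, and those must be discarded, not reapplied. The following is an added example, not code from the Becker text, that restores a backup and rolls a transaction log forward to the failure point. The log format (sequence number, operation, transaction id, optional key and value), the backup point and the sample log lines are constructed for this example; a real DBMS log differs in detail but follows the same idea.

```python
"""Recovering a system that cannot be shut down for backups: restore the
most recent backup, then replay the transaction log forward to the point
immediately before the failure.

Added illustration; it is not code from the Becker text. The log format
(sequence number, operation, transaction id, optional key and value), the
backup point and the sample log lines are all constructed for this example.
"""
import re
from collections import defaultdict

# seq op tx [key [value]]   e.g. "5 SET tx2 acct-2 260"
LOG_LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<op>BEGIN|SET|DEL|COMMIT|ABORT)\s+(?P<tx>\w+)"
    r"(?:\s+(?P<key>\S+)(?:\s+(?P<val>\S+))?)?$"
)


def parse_log(text):
    """Parse log lines into dicts; a malformed line stops recovery instead of being skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        entry = m.groupdict()
        entry["seq"] = int(entry["seq"])
        entries.append(entry)
    return entries


def roll_forward(backup_state, backup_seq, entries, stop_seq=None):
    """Reapply transactions logged after the backup point.

    Assumes the backup was taken at a quiescent point: every entry with
    seq <= backup_seq is already reflected in backup_state. Only transactions
    that reached COMMIT before the stop point are applied; those still open
    at the failure (or aborted) are discarded and reported.
    Returns (recovered_state, committed_tx_ids, incomplete_tx_ids).
    """
    state = dict(backup_state)
    pending = defaultdict(list)   # tx id -> buffered changes not yet committed
    committed = []
    for e in sorted(entries, key=lambda e: e["seq"]):
        if e["seq"] <= backup_seq:
            continue
        if stop_seq is not None and e["seq"] > stop_seq:
            break
        op, tx = e["op"], e["tx"]
        if op == "BEGIN":
            pending[tx] = []
        elif op in ("SET", "DEL"):
            pending[tx].append(e)
        elif op == "ABORT":
            pending.pop(tx, None)
        elif op == "COMMIT":
            for change in pending.pop(tx, []):
                if change["op"] == "SET":
                    state[change["key"]] = int(change["val"])
                else:
                    state.pop(change["key"], None)
            committed.append(tx)
    return state, committed, sorted(pending)


# Constructed sample: backup taken at a quiescent point after seq 3, and the
# log as it stood when the system failed in the middle of tx4.
BACKUP_SEQ = 3
BACKUP_STATE = {"acct-1": 120, "acct-2": 250, "acct-3": 75}
SAMPLE_LOG = """
1 BEGIN tx1
2 SET tx1 acct-1 120
3 COMMIT tx1
4 BEGIN tx2
5 SET tx2 acct-2 260
6 DEL tx2 acct-3
7 COMMIT tx2
8 BEGIN tx3
9 SET tx3 acct-4 10
10 ABORT tx3
11 BEGIN tx4
12 SET tx4 acct-1 130
"""


def recover(stop_seq=None):
    """Restore BACKUP_STATE and roll the sample log forward to stop_seq (or the end)."""
    return roll_forward(BACKUP_STATE, BACKUP_SEQ, parse_log(SAMPLE_LOG), stop_seq)


if __name__ == "__main__":
    state, done, incomplete = recover()
    print("recovered:", state)
    print("reapplied:", done, "discarded (open at failure):", incomplete)
```

With the sample log, tx1 is skipped because the backup already contains it, tx2 is reapplied, tx3 is dropped because it aborted, and tx4 is reported as incomplete because the failure occurred before its COMMIT. The `stop_seq` argument gives point-in-time recovery: replaying only up to a chosen sequence number is how an operator recovers to just before a bad batch rather than to the failure itself.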


Question 1 MCQ-12420

Employees of SecureCorp receive an e-mail that states the IT department is conducting an


audit of the strength of employee passwords. Employees are instructed to submit a list of their
passwords for each system they use for analysis and the IT department will coach employees
on how to create stronger passwords. Which of the following best describes this e-mail?
a. This is a best practice.
b. This is a phishing attack.
c. This is a Trojan horse.
d. This is a virus.

Question 2 MCQ-12421

Endurant Co. is preparing an alternative location where it can run business operations
in the event of a catastrophic loss of its main operations center. This alternative location
contains basic furniture, telephone, and network connections and computer hardware.
Because Endurant uses cloud data services for its main operations center, the computers
at the alternative location are not loaded with current versions of the information system
or the underlying data. This saves time in maintaining those systems when no disaster is
in process. According to the disaster recovery plan, systems at the alternative site will be
loaded while most personnel are on the way to the alternative center.
Which of the following best describes this type of backup location?
a. Hot site
b. Warm site
c. Cool site
d. Cold site

Question 3 MCQ-12422

Employees at ProductivMax Co. are generally only allowed access to intranet sites, specific
company-approved Web pages, and applications hosted within the company's network.
Employees are blocked from accessing any external Internet site unless they submit
a written request to the IT department for review and approval. Once the request is
approved, other employees may access the approved sites. ProductivMax has never had a
data breach; however, employees complain that the policies are too restrictive.
Which of the following best describes the security technology used by ProductivMax?
a. Solid-state communications network
b. Default-allow firewall
c. Default-deny firewall
d. End-to-end encryption


Question 4 MCQ-12423

Which of the following is not a viable strategy that management can use to manage risk at
a company?
a. Management can avoid the risk.
b. Management can monitor the risk.
c. Management can reduce the risk.
d. Management can share the risk.

Question 5 MCQ-12424

The four categories of functional responsibilities that should be segregated within a
company to achieve appropriate segregation of duties are captured in which of the
responses below?
a. Authorization, record keeping, custody of assets, verification
b. Reconciliation, custody of assets, verification, monitoring
c. Monitoring, record keeping, custody of assets, reconciliation
d. Authorization, record keeping, custody of assets, reconciliation

Class Question Explanations Part 1

UNIT 5

Unit 5, Module 1

1. MCQ-12416
Choice "c" is correct. The external auditor lends credibility to the financial statements. The
auditors, as a group independent of management, provide an objective view and can report on
a company's activities without bias or conflict of interest. To report on the financial statements,
the auditor must maintain professional skepticism, comply with ethical requirements, exercise
professional judgment throughout the planning and performance of the audit, and comply with
generally accepted auditing standards, which includes planning and performing an audit that
obtains sufficient and appropriate audit evidence.
The auditor's report on the financial statements includes an opinion on whether the financial
statements are presented fairly in accordance with the applicable financial reporting framework.
Choice "a" is incorrect. The external auditor provides reasonable, not absolute, assurance on the
fairness of the financial statements.
Choice "b" is incorrect. The external auditor should comply with GAAS and must remain
objective and independent of the client. Authorizing transactions on behalf of the client would
impair the auditor's independence.
Choice "d" is incorrect. Management, not the auditor, is responsible for the design,
implementation, and maintenance of internal control relevant to the preparation and fair
presentation of financial statements.

2. MCQ-12417
Choice "d" is correct. An auditor is responsible for issuing an opinion on the fairness of the
financial statements. The auditor can issue an unmodified, qualified, adverse, or disclaimer of
opinion. The auditor renders an unmodified opinion when the financial statements are
presented fairly, in all material respects, in accordance with the financial reporting framework.
The auditor's report is modified when the auditor concludes that the financial statements as a whole
are materially misstated or the auditor is unable to obtain sufficient audit evidence to conclude
that the financial statements as a whole are free from material misstatement. Qualified opinions, adverse
opinions, and disclaimers are modified opinions.
An auditor most likely will render an adverse opinion when the financial statements are
materially and pervasively misstated due to a departure from the applicable financial
reporting framework.
Choice "a" is incorrect. The auditor renders an unmodified opinion when the financial
statements are presented fairly, in all material respects, in accordance with the financial
reporting framework.
Choice "b" is incorrect. A qualified opinion is issued either when the financial statements are
materially (but not pervasively) misstated or when the auditor is unable to obtain sufficient
appropriate audit evidence on which to base an opinion and the auditor concludes that the
possible effects of any undetected misstatements are material but not pervasive.
Choice "c" is incorrect. A disclaimer of opinion is rendered when the auditor is unable to obtain
sufficient appropriate audit evidence on which to base an opinion and the auditor concludes
that the possible effects of any undetected misstatements could be both material and pervasive.

3. MCQ-12418
Choice "b" is correct. The board of directors is elected by shareholders and directors have a
fiduciary duty to act in the best interest of shareholders. The board of directors has the highest
governing authority in a corporation and is responsible for overseeing the organization's
activities. Board members meet periodically to discuss and vote on strategic decisions of
the entity. The board of directors' responsibilities also include overseeing the obligations of
an entity, including accurate financial reporting and disclosure. Among the specific duties
of directors are the election, removal, and supervision of officers; adoption, amendment,
and repeal of bylaws; declaring dividends; determining officer compensation; and initiating
fundamental changes to the corporation's structure.
The board of directors is unlikely to be responsible for determining the policies and procedures
related to the day-to-day operations of a company. The board elects officers, who have the
responsibility to oversee the day-to-day operations of the company. Officers then hire managers
to help them with the day-to-day operations.
Choice "a" is incorrect. The board of directors' responsibilities include declaring dividends.
Choice "c" is incorrect. The board of directors' responsibilities include initiating fundamental
changes to the corporation's structure.
Choice "d" is incorrect. The board of directors' responsibilities include electing officers.

Unit 5, Module 2

1. MCQ-12420
Choice "b" is correct. Phishing has been the most common form of cyberattack for many
years because an employee is often an easier target than a system. After gaining access, an
attacker can steal, alter, or destroy data or system files to achieve a goal.
A message in which an outside attacker poses as a trusted source (here, the IT department) and
asks for private information that will enable the attacker to gain access is a phishing attack. Any
employee who responds to such an e-mail unwittingly hands a password to an outsider who intends
to harm the company. A legitimate IT department never needs to see a user's password: password
strength can be enforced by policy and checked when the password is set, without the password
ever being disclosed.
Choice "a" is incorrect. Passwords are intended to be secret and never shared. Employees
should never e-mail a list of their passwords to anyone, including the IT department.
Choice "c" is incorrect. A Trojan horse is malware disguised as, or hidden inside, a
legitimate-looking file or program, such as an e-mail attachment; when the victim opens the
innocent-looking image or link, the malware is installed on the victim's computer. The e-mail
here requests information rather than delivering code.
Choice "d" is incorrect. A virus is self-replicating malicious code that attaches itself to other
programs or files and spreads when they are run or opened. No code is involved in this e-mail.


2. MCQ-12421
Choice "b" is correct. To switch seamlessly to an alternate site when disaster strikes, the
site's programs and data must be current to within a day. A hot site does this work continuously,
which often means the hot site has its own permanent employees to apply daily updates to the
computers there; operations resume within minutes. A warm site takes longer to become
operational than a hot site because the current system and data are not maintained there, but
the hardware and network are in place and the site can be running fairly quickly (operations
resume in hours). A cold site does neither, acquiring hardware and loading software only when
needed; it is therefore the least expensive and the least immediately useful (operations resume
in one to three days).
A warm site is one where computer hardware and networking infrastructure are present, but the
most current version of the information system and/or the most current data is not. This is the
compromise position between hot and cold sites.
Choice "a" is incorrect. This facility does not have the most current software and data ready in
anticipation of a disaster. It is not immediately ready for use and is not a hot site.
Choice "c" is incorrect. The term cool site is not used in business continuity planning.
Choice "d" is incorrect. This facility is equipped with computers and networking, which a cold site
would lack.

3. MCQ-12422
Choice "c" is correct. A firewall is a hardware device or software program that selectively denies
or allows traffic into or out of the company's network. The IT department configures it with rules
that block or permit traffic based on attributes such as the IP address of the outside party, the
port, and the protocol; combined with content filtering, this can be used to exclude particular
individuals, regions or nations, or categories of sites such as gaming or adult content.
In the situation described, the firewall is set up to deny all traffic by default and to allow only
traffic that is specifically permitted. This approach is safer than default-allow, but it requires an
initial setup period in which every site that employees legitimately need to access must be
identified and recorded, and an ongoing request-and-approval process thereafter.
Choice "a" is incorrect. Solid-state communications refers to the use of dedicated wire or
cable-based transmission, avoiding any use of wireless networks, the Internet, or other
networks not owned by the company. Such communications are highly secure and highly
expensive, and they would not produce the approval-based browsing restrictions described for ProductivMax.
Choice "b" is incorrect. The situation does describe a firewall; however, a default-allow firewall
would let ProductivMax's employees visit any site except those specifically excluded by IT.
Default-allow firewalls have more problems with viruses and other cyberattacks because blocking
is reactive: IT typically adds a site to the deny list only after the company has already
experienced a negative event involving it.
Choice "d" is incorrect. End-to-end encryption means that data is encrypted at the
communication source and decrypted only after it arrives at its destination, no matter how
many different networks it passes through along the way. It protects the confidentiality of the
data in transit; it does not restrict which sites employees may reach on the Internet.
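The difference between the two firewall postures in this question is easiest to see by evaluating the same requests against both. The following is an added example, not code from the Becker text or from any real firewall product: an ordered rule list with first-match semantics and an explicit default, a default-deny policy modelled on ProductivMax's (intranet plus one approved external site), a default-allow policy with a single reactive block, and the written-request step implemented as appending an allow rule. The networks (RFC 5737 documentation ranges), the requests and the ticket number are assumptions made for the illustration.

```python
"""Default-deny versus default-allow firewall policy, evaluated over sample
outbound connection requests.

Added illustration; it is not code from the Becker text. The rule format,
the networks (RFC 5737 documentation ranges), the requests and the ticket
number are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dst_net: str                 # destination network in CIDR form, or "any"
    dst_port: Optional[int]      # None matches every port
    comment: str = ""

    def matches(self, dst_ip, dst_port):
        net_ok = self.dst_net == "any" or (
            ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net)
        )
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return net_ok and port_ok


class Firewall:
    """Ordered rule list with first-match semantics and an explicit default."""

    def __init__(self, rules, default):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules = list(rules)
        self.default = default

    def decide(self, dst_ip, dst_port):
        for rule in self.rules:
            if rule.matches(dst_ip, dst_port):
                return rule.action, rule.comment
        return self.default, "no rule matched; default policy applied"

    def approve(self, dst_net, dst_port, ticket):
        """The written-request step: an approved site becomes an allow rule."""
        self.rules.append(Rule("allow", dst_net, dst_port, f"approved via {ticket}"))


INTRANET = "10.0.0.0/8"             # internal sites and hosted applications
APPROVED_VENDOR = "203.0.113.0/24"  # a company-approved external site (TEST-NET-3)
KNOWN_BAD = "198.51.100.0/24"       # a site blocked after an incident (TEST-NET-2)


def default_deny_firewall():
    """ProductivMax's posture: nothing leaves the network unless it is listed."""
    return Firewall([
        Rule("allow", INTRANET, None, "intranet and internal applications"),
        Rule("allow", APPROVED_VENDOR, 443, "company-approved web site"),
    ], default="deny")


def default_allow_firewall():
    """The alternative: everything leaves unless it was explicitly blocked."""
    return Firewall([Rule("deny", KNOWN_BAD, None, "blocked after prior incident")],
                    default="allow")


# Constructed outbound requests: (destination IP, destination port).
REQUESTS = [
    ("10.1.2.3", 443),        # internal application
    ("203.0.113.10", 443),    # approved vendor over HTTPS
    ("203.0.113.10", 22),     # approved vendor, but SSH was never approved
    ("192.0.2.7", 443),       # never-reviewed external site (TEST-NET-1)
    ("198.51.100.5", 80),     # previously blocked site
]


def evaluate(fw):
    """Decision for every sample request, keyed as 'ip:port'."""
    return {f"{ip}:{port}": fw.decide(ip, port)[0] for ip, port in REQUESTS}


if __name__ == "__main__":
    print("default-deny :", evaluate(default_deny_firewall()))
    print("default-allow:", evaluate(default_allow_firewall()))
    fw = default_deny_firewall()
    fw.approve("192.0.2.0/24", 443, "IT-1234")  # hypothetical approved request
    print("after approval:", evaluate(fw))
```

Under default-deny, the never-reviewed site and the unapproved SSH port are both refused even though the vendor's web port is open; under default-allow, everything passes except the one site already on the block list. The approval call opens exactly the requested network and port, which is the administrative cost the question's employees are complaining about.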


4. MCQ-12423
Choice "b" is correct. Risk is the possibility that an event will occur and adversely affect the
entity's ability to attain one or more of its objectives. Management has several alternatives
available to manage an identified risk: avoiding the risk, reducing the risk, sharing the
risk, or accepting the risk.
Monitoring risk is not a risk response but the process of determining how well the chosen risk
management strategy is working at the company.
Choice "a" is incorrect. Avoiding the risk is a risk management strategy whereby management
removes the risk entirely.
Choice "c" is incorrect. Reducing the risk is a risk management strategy whereby management
allocates resources to drop the risk to an acceptable level.
Choice "d" is incorrect. Sharing the risk is a risk management strategy whereby management
outsources an activity associated with the risk or purchases insurance.

5. MCQ-12424
Choice "d" is correct. Functional responsibilities should be segregated by job function, person, or
department to prevent errors or fraud or both.
The following four categories of functional responsibilities should be segregated:
• Authorization: The process of reviewing and approving transactions.
• Record keeping: The process of creating and maintaining the books and records related to
  revenues, expenditures, inventory, and personnel transactions.
• Custody of assets: Access to or control over cash, checks, and any physical asset.
• Reconciliation: The process of verifying the transactions processed in the record-keeping
  function. Reconciliation will ensure all transactions are valid, properly authorized, and
  properly recorded.
Choice "a" is incorrect. Although authorization, record keeping, and custody of assets are three
of the four categories of functional responsibilities that should be segregated within a company,
verification is not.
Choice "b" is incorrect. Although reconciliation and custody of assets are two of the four
categories of functional responsibilities that should be segregated within a company, verification
and monitoring are not.
Choice "c" is incorrect. Although record keeping, custody of assets, and reconciliation are three
of the four categories of functional responsibilities that should be segregated within a company,
authorization is not.
