Corp Govern Entity-Level Controls (38) Flashcards Preview


Flashcards in Corp Govern Entity-Level Controls (38) Deck (9)
1
Q

Computer program libraries can best be kept secure by:

A

restricting physical and logical access.

Installing a logging system for program access would permit detection of unauthorized access but would not prevent it. Monitoring physical access to program library media would control only unauthorized physical access. Denying all remote access via terminals would likely be inefficient and would not secure program libraries against physical access.

2
Q

In a large public corporation, evaluating internal control procedures should be the responsibility of:

A

internal audit staff who report to the board of directors.

3
Q

To properly control access to accounting database files, the database administrator should ensure that database system features are in place to permit:

A

access only to authorized users.

A database is a structured set of interrelated files combined to eliminate redundancy of data items within the files and to establish logical connections between data items. Many of these files contain sensitive data. Proper control requires that the database administrator permit access only to authorized users of this data.

Permitting read-only access to accounting database files would, unfortunately, preclude any updating of those files. Updating from privileged utilities would produce a security breach. Allowing users to update their own access profiles is a security issue.

4
Q

To be effective, analytical procedures in the overall review stage of an audit engagement should be performed by which of the following?

A

An audit manager or partner who has a comprehensive knowledge of the client’s business and industry

5
Q

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

A.Control baseline

B.Change identification

C.Change management

D.Control revalidation/update

A

Change identification

The baseline understanding of internal control effectiveness is the starting point. Monitoring identifies changes in the environment or internal control system and the entity’s ability to manage those changes. To “identify and address changes” is part of change identification.

The control baseline is limited to the controls in effect before the change is identified. Change management is the process of implementing needed changes, not identifying them. Control revalidation is a later part of the process after the need for control changes has been identified.

6
Q

Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?

A.Control environment

B.Risk assessment

C.Information and communication

D.Monitoring activities

A

Monitoring activities

Monitoring of controls assesses the quality of internal control performance over time, including assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

7
Q

Under a change control process, changes should never be released without testing. The procedures for a well-defined change control process would include the following:

A

The change control board approves the change and assigns a project manager.
The project manager makes sure all paperwork has been received and approved.
The project manager sets up schedules for all personnel involved.
The projects are completed.
Changes are tested and approved before release.

8
Q

An online database management system for sales and receivables was recently expanded to include credit approval transactions. An evaluation of controls was not performed prior to implementation.

If certain data elements were not defined in the expansion, the following problem could result:

A.Unlimited access to data and transactions

B.Incomplete transaction processing

C.Unauthorized program execution

D.Manipulation of the database contents by an application program

A

Incomplete transaction processing

Failure to completely define the program specification blocks (PSB) prevents the application program from accessing or changing data, resulting in incomplete processing.

Data element definition allows application programs to access or change data; therefore, if they are not defined, no access takes place.
Without the program specification blocks, the application program cannot access data and cannot execute.
The desired manipulation of the database contents by an application program cannot take place if program specification blocks are not defined.

9
Q

Communications risk is concerned with the unauthorized access to and manipulation of which of the following?

A

DATA