1. Which of the following statements is not true regarding the Sarbanes Oxley Act for public companies?

a. Requires companies to publicly report on its financial reporting controls

b. Requires public company to disclose wthether its audit committee has a member that is a financial expert

c. Requires its internal auditors to test financial reporting controls.

d. Requires their external auditors to assess the company's financial reporting controls

2. Which of the following is not considered as part of review of General IT Ccontrols":

a. Information & Physical security controls.

b. Application based controls.

c. System change management controls.

d. Business Continuity & Disaster Recovery controls.

3. What is the most accurate statement about Internal Auditing:

a. IA are employees of an organization .

b. IA is a control that reviews other controls.

c. An IA department will prevent or detect major frauds.

d. IAs role is best described as being the police of the organization.

4. Which of the following components of IT contingency planning is most important?

a. Verification of systems routines

b. Security over the contingency site

c. Documentation of the plan

d. Integration of the IT disaster recovery plans with the business plans.

5. Which of the following is the best answer regarding differences between the COSO and ERM frameworks;

i) Monitoring

ii)Information

iii)Risk Response

iv) Strategical Objectives

v) Control Activities

Group of answer choices

a. i, iii, & v only

b. ii & v only

c. iii & iv only

d. i, ii & v only

6. Which of the following is not an effective method to help prevent procurement fraud?

Group of answer choices

a. Proper segregation of duties

b. Open competition

c. Rotating procurement staff and responsibilities

d. Analysis of unusual inventory levels

e. All of the above are appropriate preventive controls

7. Which of the following statements is the least accurate about formal audit engagement communication:

Group of answer choices

a. Provide an opportunity for the engagement client to respond

b. Document the corrective actions by qppropriate management.

c. Provide a formal means by which the external auditor assesses potential reliance on internal auditors work

d. Should not include managements responses to recommendations

8. Which of the following is not considered part of a company's "Monitoring"activities (as defined by COSO)?

I. Regluar management & supervisory activities.

II. Monthly reports of activities or performance.

III. Fraud prevention & detection activities.

IV. Annual performance reviews.

Group of answer choices

a. Only I and IV are not a part of monitoring activities.

b. Only I and III are not a part of monitoring activities.

c. Only II and III are not part of moiitoring activities.

d. None of the above (all listed activities are part of monitoring)

9. Which of the following is the least accurate regarding risk management?

Group of answer choices

a. Should consider impact and likelihood to determine critical risks

b. Is a fairly subjective process requiring sound judgment and experience.

c. Management fully documents their risk assessment of operations.

d. Requires consideration of inherent risk factors and risk control analysis.

e. Residual risk is what remains of inherent risks after internal controls are put in place

10. Evaluation of ICFR includes which of the following financial reporting assertions (objectives):

I. Occurrence

II. Safeguarding

III Completeness

IV. Valuation

Group of answer choices

a. Only I, II and III are relevant

b. Only I, III and IV are relevant

c. Only II, III and IV are relevant

d. All of the above