Hi, I have several questions. Please answer my questions. Thank you so much.

1. Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
   1. Safeguarding assets, including preventing or detecting, on a timely basis, the unauthorized acquisition, use, or disposition of material company assets
   2. Maintaining records in sufficient detail to accurately and fairly reflect company assets
   3. Providing accurate and reliable information
   4. Providing reasonable assurance that financial reporting is prepared in accordance with GAAP
   5. Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors' authorizations
   6. Encouraging adherence to prescribed managerial policies
   7. Complying with applicable laws and regulations

   TRUE / FALSE

2. Five types of controls were mentioned in the textbook, they are (include a brief description of each)?

3. The Foreign Corrupt Practices Act (1977). The primary purpose of this Act was to prevent the bribery of foreign officials in order to obtain business. Required the establishment of internal accounting controls sufficient to meet these objectives:
   - Transactions executed in accordance with management's general or specific authorizations
   - Transactions are recorded as necessary to prepare financial statements and maintain accountability
   - Access to assets is permitted only in accordance with management authorization
   - The recorded assets are compared with existing assets at reasonable intervals

   TRUE / FALSE

4. What is the Sarbanes-Oxley Act of 2002? (E.g. who does it apply to; what was it meant to accomplish; etc.)

5. Some of the important aspects of The Sarbanes-Oxley Act are:
   1. Public Company Accounting Oversight Board (PCAOB). A five member board, created by The Sarbanes-Oxley Act, to control the auditing profession.
   2. New rules for auditors. Auditors must report specific information to the company's audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor management disagreements. CPA Auditors are prohibited from performing certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services.
   3. New roles for audit committees. Audit committee members must be on the company's board of directors and be independent of the company.
   4. New rules for management. Requires the CEO and CFO to certify that financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading. Management can be imprisoned up to 20 years and fined up to $5,000,000.
   5. New internal control requirements. Requires publicly held companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures.

   TRUE / FALSE

6. After the Sarbanes-Oxley Act was passed, the Security & Exchange Commission mandated that management must:
   1. Base its evaluation of Internal Control on a recognized control framework. The most likely frameworks are formulated by The Committee of Sponsoring Organizations (COSO).
   2. Disclose any and all material internal control weaknesses.
   3. Conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses.

   TRUE / FALSE

7. The Information Systems Audit and Control Foundation (ISACF) (now known as ISACA - Information Systems Audit and Control Association) developed the Control Objectives for Information and related Technology (COBIT) framework. COBIT is a framework of generally applicable information systems security and controls practices of Information Technology control. The COBIT framework allows:
   1. Management to benchmark the security and control practices of Information Technology environments
   2. User of Information Technology services to be assured that adequate security and control exist
   3. Auditors to substantiate their opinions on internal control and to advise on Information Technology security and control matters

   TRUE / FALSE

8. The COBIT framework addresses the issue of control from three dimensions, what are they?

9. What is the Committee of Sponsoring Organizations? (E.g., who are the members; what was/is the purpose; why is it important?)

10. COSO Internal Control Integrated Framework (a model of internal control) has five crucial components:
    1. Control environment
    2. Control activities
    3. Risk assessment
    4. Information and communication
    5. Monitoring

    TRUE / FALSE

11. Enterprise Risk Management-Integrated Framework (ERM) (an internal control model) expands on the elements of the COSO Internal Control Integrated Framework (also an internal control model) and provides an all-encompassing focus on the broader subject of enterprise risk management. The purpose is to achieve all the goals of the COSO Internal Control Integrated Framework and help the organization to:
    1. Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized
    2. Achieve its financial and performance targets
    3. Assess risks continuously and identify the steps to take and the resources to allocate to overcome or mitigate risk
    4. Avoid adverse publicity and damage to the entity's reputation

    TRUE / FALSE

12. The Control Objectives for Information and related Technology (COBIT) framework shows that achieving the organization's business and governance objectives requires adequate controls over IT resources to ensure that information provided to management satisfies seven key criteria:
    1. __________ the information must be relevant and timely.
    2. __________ the information must be produced in a cost-effective manner.
    3. __________ sensitive information must be protected from unauthorized disclosure.
    4. __________ the information must be accurate, complete, and valid.
    5. __________ the information must be available whenever needed.
    6. __________ controls must ensure compliance with internal policies and with external legal and regulatory requirements.
    7. __________ management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

13. COBIT includes 34 generic IT processes that must be properly managed and controlled in order to produce information that satisfies the seven criteria listed above. Those processes are grouped into four basic management activities, which COBIT refers to as domains:
    1. Plan and Organize (PO). Involves ten important processes for properly planning and organizing an organization's information systems.
    2. Acquire and Implement (AI). Seven fundamental processes that pertain to the acquisition and implementation of technology solutions.
    3. Deliver and Support (DS). Includes 13 critical processes for effectively and efficiently delivering the information management needs to run the organization.
    4. Monitor and Evaluate (ME). Identifies four essential processes for monitoring and evaluating an organization's information system.

    TRUE / FALSE

14. One of the basic functions of an Accounting Information System is to provide information useful for decision-making.

    TRUE / FALSE

15. The five fundamental principles that contribute to the overall objective of systems reliability:
    1. __________ Security procedures restrict access to authorized users only.
    2. __________ By restricting access, the confidentiality of sensitive organizational information is protected.
    3. __________ Also, by restricting access, the privacy of personal identifying information collected from customers is protected.
    4. __________ Security procedures provide for processing integrity by preventing submission of unauthorized or fictitious transactions as well as preventing unauthorized changes to stored data or programs.
    5. __________ Security procedures provide protection against a variety of attacks, including viruses and worms, thereby ensuring that the system is available when needed.

16. The Trust Services Framework developed jointly by the AICPA and the Canadian Institute of Chartered Accountants focuses specifically on five aspects of information systems controls and governance that most directly pertain to systems reliability, they are:
    1. __________ access to the system and its data is controlled and restricted to legitimate users.
    2. __________ sensitive organizational information (e.g., marketing plans, trade secrets, etc.) is protected from unauthorized disclosure.
    3. __________ personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements.
    4. __________ data is processed accurately, completely, in a timely manner, and only with proper authorization.
    5. __________ the system and its information is available to meet operational and contractual obligations.

    TRUE / FALSE

17. What are the Three Fundamental Information Security Concepts?
    1. _____________________________________________
    2. _____________________________________________
    3. _____________________________________________

18. The Trust Services framework identifies four essential criteria for successfully implementing each of the five principles that contribute to systems reliability:
    1. ___________________________________
    2. ___________________________________
    3. ___________________________________
    4. ___________________________________

19. What is the Time-Based Model of Security?

20. There are two basic types of encryption systems. Symmetric encryption systems use the same key both to encrypt and to decrypt. DES and AES are examples of symmetric encryption systems. Asymmetric encryption systems use two keys. One key, called the public key, is widely distributed and available to everyone; the other, called the private key, is kept secret and known only to the owner of that pair of keys. Either the public or private key can be used to encrypt, but only the other key can decrypt the ciphertext.

    TRUE / FALSE

21. Two forms of preventive controls are?

22. Confidentiality: Reliable systems protect confidential information from unauthorized disclosure. Types of information that need to be protected would include: business plans, pricing strategies, client and customer lists, and legal documents. Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information. It is easy to intercept information sent over the Internet.

    TRUE / FALSE

23. It is important to control access to system outputs. Useful control procedures for doing so include the following:
    1. Do not allow visitors to roam through buildings without supervision, to prevent them from seeing sensitive information on workstation displays or picking up and reading printed reports.
    2. Require employees to log out of any applications prior to leaving their workstation unattended.
    3. Restrict access to rooms housing printers and fax machines.
    4. Code reports to reflect the importance of the information contained therein, and train employees to not leave reports containing sensitive information in plain view on their desktops when they are not physically present.

    TRUE / FALSE

24. The Trust Services Framework privacy principle is closely related to the confidentiality principle, differing primarily in that it focuses on protecting personal information about customers rather than organizational data.

    TRUE / FALSE

25. What are the two basic mechanisms for protecting consumers' personal information?

26. Symmetric Encryption Systems use the same key both to encrypt and to decrypt.

    TRUE / FALSE

27. Asymmetric Encryption Systems use two keys. One key, called the public key, is widely distributed and available to everyone. The other key, called the private key, is kept secret and known only to the owner of that pair of keys.

    TRUE / FALSE

28. What is a digital signature?

29. Asymmetric encryption and hashing are used to create digital signatures. A digital signature is information encrypted with the creator's private key. This encrypted information can only be decrypted using the corresponding public key. Using a hash of the original plaintext to create a digital signature not only is efficient but also provides a means for establishing that the message decrypted by the recipient is exactly the same as the message created by the sender.

    TRUE / FALSE

30. What is a digital certificate?

31. The following source data controls regulate the integrity of input:
    1. Forms Design. Source documents and other forms should be designed to help ensure that errors and omissions are minimized. Prenumbered Forms. Prenumbering forms improves control by making it possible to verify that none is missing. Turnaround Documents. A turnaround document is a record of company data sent to an external party and then returned by the external party to the system as input.
    2. Cancellation and Storage of Documents. Documents that have been entered into the system should be cancelled so they cannot be inadvertently or fraudulently reentered into the system. Paper documents should be defaced, for example, by stamping them "paid." Electronic documents can be similarly "cancelled" by setting a flag field to indicate that the document has already been processed.
    3. Authorization and Segregation of Duties. Source documents should be prepared only by authorized personnel acting within their authority.
    4. Visual Scanning. Source documents should be scanned for reasonableness and propriety before being entered into the system.

    TRUE / FALSE

32. Controls are also needed to ensure that data is processed correctly, they are:
    1. Data Matching. In certain cases, two or more items of data must be matched before an action can take place. For example, the system should verify that information on the vendor invoice matches that on both the purchase order and the receiving report before paying a vendor.
    2. File Labels. File labels need to be checked to ensure that the correct and most current files are being updated. Two important types of internal labels are header and trailer records. The header record is located at the beginning of each file and contains the file name, expiration date, and other identification data. The trailer record is located at the end of the file and contains the batch totals calculated during input.
    3. Recalculation of Batch Totals. Batch totals can be recomputed as each transaction record is processed and compared to the values in the trailer record. If financial or total discrepancy is evenly divisible by 9, the likely cause is a transposition error, in which two adjacent digits were inadvertently reversed (e.g., 46 instead of 64).
    4. Cross-Footing and Zero-Balance Test. Often totals can be calculated in multiple ways. For example, in spreadsheets a grand total can often be computed either by summing a column of row totals or by summing a row of column totals. These two methods should produce the same result. A cross-footing balance test compares the results produced by each method to verify accuracy. For example, the totals for all debit columns are equal to the totals for all credit columns. A zero-balance test applies the same logic to control accounts. For example, adding the balance for all customers in an accounts receivable subsidiary ledger and comparing to the balance in the accounts receivable general control account should be the same; the difference should be zero.
    5. Write-Protection Mechanisms. These protect against the accidental writing over or erasing of data files stored on magnetic media.
    6. Database Processing Integrity Procedures. Database systems use database administrators, data dictionaries, and concurrent update controls to ensure processing integrity. The administrator establishes and enforces procedures for accessing and updating the database. The data dictionary ensures that data items are defined and used consistently. Concurrent update controls protect records from errors that occur when two or more users attempt to update the same record simultaneously. This is accomplished by locking out one user until the system has finished processing the update entered by the other.

    TRUE / FALSE

33. Online processing data entry controls include:
    1. Prompting, in which the system requests each input data item and waits for an acceptable response. This ensures that all necessary data are entered (i.e., an online completeness check).
    2. Preformatting, in which the system displays a document with highlighted blank spaces and waits for the data to be entered.
    3. Closed-Loop Verification checks the accuracy of input data by using it to retrieve and display other related information.
    4. Creation of a transaction log that includes a detailed record of all transaction data; a unique transaction identifier; the date and time of entry; terminal, transmission line, and operator identification; and the sequence in which the transaction was entered. Error messages should indicate when an error has occurred, which items are in error, and what the operator should do to correct it.

    TRUE / FALSE
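The processing controls described in question 32 (recalculation of batch totals with the divisible-by-9 transposition check, cross-footing, and the zero-balance test), as an added example that is not part of the original question or worksheet. The record layout, field names and all figures are constructed for illustration; amounts are in cents.

```python
# Constructed sample batch: transaction records plus the trailer record that
# holds the batch totals calculated during input (amounts in cents).
RECORDS = [
    {"invoice": "INV-1001", "amount": 12500},
    {"invoice": "INV-1002", "amount": 6400},
    {"invoice": "INV-1003", "amount": 98000},
]
TRAILER = {"record_count": 3, "financial_total": 116900}


def recalc_batch_totals(records, trailer):
    """Recompute batch totals during processing and compare with the trailer."""
    count, total = 0, 0
    for rec in records:  # totals are rebuilt record by record
        count += 1
        total += rec["amount"]
    diff = total - trailer["financial_total"]
    return {
        "count_ok": count == trailer["record_count"],
        "total_ok": diff == 0,
        "discrepancy": diff,
        # Reversing two adjacent digits changes a number by a multiple of 9,
        # so a non-zero discrepancy divisible by 9 suggests a transposition.
        "likely_transposition": diff != 0 and diff % 9 == 0,
    }


def cross_foot(row_totals, column_totals):
    """Cross-footing: the grand total from row totals must equal the grand
    total from column totals."""
    return sum(row_totals) == sum(column_totals)


def zero_balance(subsidiary_ledger, control_account_balance):
    """Zero-balance test: subsidiary ledger total minus the control account
    balance; any non-zero result is a discrepancy to investigate."""
    return sum(subsidiary_ledger.values()) - control_account_balance


if __name__ == "__main__":
    print(recalc_batch_totals(RECORDS, TRAILER))
    # Same batch with 6400 keyed as 4600 (the 46-for-64 slip from the text).
    keyed_wrong = [dict(r) for r in RECORDS]
    keyed_wrong[1]["amount"] = 4600
    print(recalc_batch_totals(keyed_wrong, TRAILER))
    print(cross_foot([300, 450], [250, 500]))
    print(zero_balance({"C-01": 7000, "C-02": 3000}, 10000))
```

A discrepancy divisible by 9 is only a hint: other errors can also produce multiples of 9, so the flagged batch still needs its records compared against the source documents.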
