Hi, Please have a look at my question. Thank you so much.

Please type your answers where appropriate; also you may develop and use an answer sheet (include your name and question number).

Q5

1. During this course we have identified and discussed six models of Internal Control; what are they (list them):
1) 2) 3) 4) 5) 6)

2. Any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization is referred to as a __________ or an event.

3. Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following seven control objectives are achieved:
1) 2) 3) 4) 5) 6) 7)

4. Internal controls perform three important functions; what are they and what do they do? PROVIDE A DESCRIPTION OF WHAT THESE DO.
1) 2) 3)

5. Internal controls are often segregated into two categories; what are those two categories? BE DESCRIPTIVE.
1) 2)

6. SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. TRUE / FALSE

7. What is the PCAOB?

8. Under SOX, external auditors must report specific information to the company's audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements. Audit partners must be rotated periodically. SOX prohibits auditors from performing certain nonaudit services such as bookkeeping, information systems design and implementation, internal audit outsourcing services, management functions, and human resource services. Any permissible nonaudit services have to be preapproved by the board of directors and periodically disclosed to investors. Audit firms cannot provide services to publicly held companies if top management was previously employed by the auditing firm and worked on the company's audit in the preceding 12 months. TRUE / FALSE

9. Under SOX, audit committee members must be on the company's board of directors and be independent of the company. One member of the audit committee must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to them. TRUE / FALSE

10. Section 404 of SOX requires publicly held companies to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures. The report must also contain management's assessment of the company's internal controls and attest to their accuracy, including notations of significant defects or material noncompliance found during their internal control tests. SOX also specifies that a company's auditor must attest to, as well as report on, management's internal control assessment. Each audit report must describe the scope of the auditor's internal control tests. After SOX was passed, the SEC mandated that management must base its evaluation on a recognized control framework. The most likely framework is formulated by COSO. The SEC required the disclosure of any and all material internal control weaknesses. Management must conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses. TRUE / FALSE

11. What is ISACA? (I DON'T WANT A DEFINITION OF COBIT HERE)

12. What is COBIT? (I already know it is the Control Objectives for Information and related Technology, but what is it?)

13. What is COSO? (Be descriptive here. I am really looking for, at least, the answers to these questions: who, what, when, where, why, was anything accomplished?)

14. LIST and briefly DESCRIBE the five interrelated components of COSO.

15. Nine years after COSO issued the Internal Control Integrated Framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process. The result was an enhanced corporate governance document called Enterprise Risk Management Integrated Framework (ERM). ERM expands on the elements of the Internal Control Integrated Framework and provides an all-encompassing focus on the broader subject of enterprise risk management. The intent is to achieve all the goals of the control framework and help the organization to:
1) 2) 3) 4)

16. The (COSO) Internal Control Integrated Framework has been widely adopted as the principal way to evaluate internal controls, as required by the Sarbanes-Oxley law. However, it has too narrow a focus. Examining controls without first examining the purposes and risks of business processes provides little context for evaluating the results, making it hard to know which control systems are most important, whether they adequately deal with risk, and whether important control systems are missing. Focusing on controls first also has an inherent bias toward past problems and concerns. Longstanding internal control systems often have multiple layers of controls to protect against items that are no longer risks or are no longer important. COSO recognized this and developed the more comprehensive ERM framework, which takes a risk-based, rather than a controls-based, approach to the organization that is oriented toward the future and constant change. ERM incorporates, rather than replaces, COSO's internal control framework and is more comprehensive than its predecessor. ERM contains three additional elements: setting objectives; identifying positive and negative events that may affect the company's ability to implement its strategy and achieve its objectives; and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. Another key change is that the ERM model recognizes that risk, in addition to being controlled, can be:
1) 2) 3) 4) 5)

17. The fourth and fifth components of COSO's ERM model are risk assessment and risk response. COSO indicates that there are two types of risk. The risk that exists before management takes any steps to control the likelihood or impact of a risk is __________ risk. The risk that remains after management implements internal controls, or some other response to risk, is __________ risk. Companies should assess __________ risk, develop a response, and then assess __________ risk.

18. The value of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it. What is Expected Loss? (I want to know how to calculate expected loss.)

19. The cost of conducting and compiling the end-of-month inventory is $20,000, and the risk of an inventory error is 12 percent without a validation procedure and 2 percent with the validation procedures. The expected total to retake and compile the inventory without a validation procedure is $1,200 and with the validation procedure is only $300. The cost of the validation procedure is $650. What is the net expected benefit of the validation procedure?
A) $600 B) $450 C) $350 D) $250

20. Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities.
A) event B) activity C) process D) system

21. One way to monitor risk and detect fraud and errors is to conduct periodic external and internal audits, as well as special network security audits. Informing employees that auditors will conduct a random surveillance not only helps resolve the privacy issue but also significantly deters computer crime and reduces errors. Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activities. Internal auditing involves reviewing the reliability and integrity of financial and operating information and providing an appraisal of internal control effectiveness. It also involves assessing employee compliance with management policies and procedures and applicable laws and regulations, as well as evaluating the efficiency and effectiveness of management. For example, internal audits can detect excess overtime, underused assets, obsolete inventory, padded travel expense reimbursements, excessively loose budgets and quotas, poorly justified capital expenditures, and production bottlenecks. Objectivity and effectiveness require that the internal audit function be organizationally independent of accounting and operating functions. Where, or to whom, should internal audit report?

22. The eighth component of COSO's ERM model is monitoring company performance. Monitoring can be accomplished with a series of ongoing events or by separate evaluations. The book discusses about ten key methods of monitoring performance; what are they?
1) 2) 3) 4) 5) 6) 7) 8) 9) 10)

23. The COBIT framework includes 34 generic IT processes that must be properly managed and controlled in order to produce information that satisfies the seven COBIT criteria necessary to achieving an organization's business and governance objectives. Those processes are grouped into four basic management activities, which COBIT refers to as domains; what are they (BE DESCRIPTIVE):
1) 2) 3) 4)

24. COBIT specifies 210 detailed control objectives for effectively managing an organization's information resources. It also describes specific ____________ for assessing the effectiveness of those controls and suggests metrics that management can use to evaluate performance. This comprehensiveness is one of the strengths of COBIT and explains its growing international acceptance as a framework for managing and controlling information systems.

25. Oftentimes, however, financial statement auditors may only be concerned with a subset of the issues covered by COBIT. For example, the Sarbanes-Oxley (SOX) Act specifically addresses the issue of systems reliability as it pertains to the accuracy of an organization's financial statements. The Trust Services Framework developed jointly by the AICPA and the Canadian Institute of Chartered Accountants focuses specifically on five aspects of information systems controls and governance that most directly pertain to systems reliability; they are (BE DESCRIPTIVE):
1) 2) 3) 4) 5)

26. Choose "is" or "is not": The Trust Services framework is / is not a substitute for COBIT because it addresses a subset of the issues covered by COBIT.

27. In an Accounting Information System, controls can be divided into preventive, detective, and corrective controls; name and briefly DESCRIBE seven (7) preventive controls, four (4) detective controls, and three (3) corrective controls. Use (a) separate sheet(s) of paper for your answer.

28. COBIT control objective DS 5.5 stresses the need to periodically test the effectiveness of existing security procedures. One way to do this is to perform ____________, which use automated tools designed to identify whether a given system possesses any well-known vulnerabilities. In addition, there exist a number of information security Web sites, such as the Center for Information Security (http://www.cisecurity.org), that provide benchmarks for security best practices and tools that can be used to measure how well a given system conforms to those benchmarks. ____________ provides a more rigorous way to test the effectiveness of an organization's information security. A ____________ is an authorized attempt by either an internal audit team or an external security-consulting firm to break into the organization's information system. Several of the largest accounting firms have more than 1,000 computer risk management specialists, and more than half of their chargeable hours are spent on security matters. Large financial organizations, such as the Federal Reserve Bank of New York, have internal staff whose full-time job is to test the organization's information system for weaknesses. These teams try everything possible to compromise a company's system. To get into offices to locate passwords or access computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also use sexy decoys to distract guards, climb through roof hatches, and drop through ceiling panels. Some outside consultants claim that they can get into 90% or more of the companies they attack by using such techniques!

29. Key controls to protect confidentiality and privacy while information is in storage, during transmission, at disposal, and overall include:
1) In storage: ____________________
2) During transmission: ____________________
3) At disposal: ____________________
4) Overall: ____________________

30. Confidential information should be encrypted both while it is stored and whenever transmitted to trusted parties. The Internet provides an inexpensive way to transmit information to others. Doing so does not protect the confidentiality of sensitive information, however, because it is easy to intercept information sent over the Internet. Encryption solves this problem. Encrypting information before sending it over the Internet creates what is called a ____________________, so named because it provides the functionality of a privately owned network while using the Internet. Using __________ software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys. __________ also include controls to authenticate the parties exchanging information and to create an audit trail of the exchange. Thus, __________ satisfy COBIT control objective DS 5.11, which specifies controls over the electronic exchange of sensitive information. The cost of the __________ software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network. It is also much cheaper and easier to reconfigure __________ to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.

31. The loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce. Consequently, COBIT section DS 4 addresses the important issue of ensuring that systems and information are available for use whenever needed in order to perform business processes. It is impossible to entirely eliminate the risk of all these threats. Therefore, the primary objective is to ____________________ by ____________________. Preventive controls, however, are not sufficient. Organizations also need to ________________________________________ to enable them to quickly resume normal operations after such an event. Key controls related to these two availability objectives are:

Objective    Threats/Risks    Applicable Controls
1
2

Set your answers up in the format above regarding the two availability objectives.

32. Organizations constantly modify their information systems to reflect new business practices and to take advantage of advances in information technology. Controls are needed to ensure that such changes do not negatively affect systems reliability. It is also necessary to modify existing controls related to the principles of security, confidentiality, privacy, processing integrity, and availability to maintain their effectiveness after implementing changes to the underlying technology and operating procedures. For example, change management controls need to ensure that modifications to the organizational structure and the adoption of new software for performing business activities maintain adequate segregation of duties. Important change management controls include the following (briefly). (Use a separate sheet as needed for this answer.)

33. According to the Institute of Internal Auditors (IIA), the purpose of an internal audit is to evaluate the adequacy and effectiveness of a company's internal control system and determine the extent to which assigned responsibilities are actually carried out. The IIA's five audit scope standards outline the internal auditor's responsibilities:
1) 2) 3) 4) 5)

34. Complete the "overview of the audit process":
Audit Planning
Collection of Audit Evidence
Evaluation of Audit Evidence
Communication of Audit Results

35. Most audit effort is spent collecting evidence. The most commonly used methods of collecting audit evidence are:
1) 2) 3) 4) 5) 6) 7) 8) 9)

36. Many audit tests and procedures cannot feasibly be performed on the entire set of activities, records, assets, or documents under review. They are often performed on a ____________.

37. Materiality and reasonable assurance are important when deciding how much audit work is necessary and when evaluating evidence. Because errors are bound to exist in any system, auditors focus on detecting and reporting those that have a significant impact on management's interpretation of the audit findings. Determining materiality, what is and is not important in a given set of circumstances, is primarily a matter of judgment. Materiality is generally more important to external audits, when the overall emphasis is on the fairness of financial statement presentation, than to internal audits, when the focus is on determining adherence to management's policies. What is "materiality"?

38. The auditor seeks reasonable assurance in the information or process audited. Because it is prohibitively expensive to seek complete assurance, the auditor must be willing to accept some risk that the audit conclusion is incorrect. It is important to realize that when inherent or control risk is high, the auditor must obtain greater assurance to offset the greater uncertainty and risks. What is "reasonable assurance"?

39. The risk-based approach to auditing provides auditors with a clear understanding of the fraud and errors that can occur and the related risks and exposures. This understanding provides a sound basis for developing recommendations to management on how the AIS control system should be improved. The risk-based audit approach provides a logical framework for carrying out an audit; what is the risk-based approach:
1) 2) 3) 4)

40. The purpose of an information systems audit is to review and evaluate the internal controls that protect the system. When performing an information systems audit, auditors should ascertain that the following objectives are met:
1) 2) 3) 4) 5) 6)

41. In an audit of overall computer security, what control procedures should be present?
1) 2) 3) 4) 5) 6) 7) 8) 9) 10) 11)

42. In an audit of program development, what control procedures should be present?
1) 2) 3) 4) 5) 6) 7)

43. In an audit of program modifications, what control procedures should be present?
1) 2) 3) 4) 5) 6) 7) 8)

44. Additional techniques to detect unauthorized program changes. The __________ technique uses a verified copy of the source code. On a surprise basis, the auditor uses the program to __________ data and compare that output with the company's output. Discrepancies in the two sets of output are investigated to ascertain their cause. __________ simulation is similar except that the auditor writes a program instead of saving a verified copy of the source code. The auditor's results are compared with the company's results, and any differences are investigated.

45. In an audit of computer processing, what control procedures should be present?
1) 2) 3) 4) 5) 6) 7) 8) 9)

46. In an audit of source data, what controls should be present?
1) 2) 3) 4) 5) 6) 7) 8) 9) 10)

47. In an audit of data file storage, what controls should be present?
1) 2) 3) 4) 5) 6) 7) 8)

48. Computer programs, called computer audit software (CAS) or generalized audit software (GAS), have been written especially for auditors. CAS is a computer program that, based on the auditor's specifications, generates programs that perform the audit functions. CAS is ideally suited for examination of large data files to identify records needing further audit scrutiny. IDENTIFY and briefly DISCUSS eight (8) functions of CAS.

49. The techniques and procedures used in operational audits of AIS are similar to audits of information systems and financial statements. The basic difference is that the scope of the information systems audit is confined to internal controls, whereas the scope of the financial statement audit is limited to systems output. In contrast, the scope of the operational audit of AIS is much broader, encompassing all aspects of information systems management. In addition, operational audit objectives include evaluating such factors as effectiveness, efficiency, and goal achievement. The first step in an operational audit is audit planning, during which the scope and objectives of the audit are established, a preliminary review of the system is performed, and a tentative audit program is prepared. Evidence collection includes the following activities:
1) 2) 3) 4) 5) 6)

50. To be a good operational auditor, experience in ____________ is more important than experience in __________.
