Which component of internal control involves the tone set by management?
Question 2 (easy)
Segregation of duties requires separating which functions?
Question 3 (easy)
The COSO framework identifies how many components of internal control?
Question 4 (medium)
Which type of control is designed to detect errors after they occur?
Question 5 (medium)
An IT general control that restricts system access based on job responsibilities is called:
Question 6 (medium)
Enterprise Risk Management (ERM) differs from traditional risk management by:
Question 7 (medium)
A material weakness in internal control means:
Question 8 (hard)
SOX Section 404 requires management to:
Question 9 (hard)
Which fraud risk factor from the fraud triangle represents the ability to rationalize dishonest behavior?
Question 10 (hard)
A compensating control is used when:
Question 11 (easy)
Which COSO component focuses on identifying and analyzing relevant risks to the achievement of objectives?
Question 12 (easy)
Which type of internal control is designed to prevent errors or irregularities from occurring in the first place?
Question 13 (easy)
What is the primary purpose of internal controls?
Question 14 (easy)
Which of the following is an example of a preventive control?
Question 15 (easy)
The information and communication component of COSO requires that:
Question 16 (easy)
SOX Section 302 requires which of the following?
Question 17 (easy)
Which of the following best describes a corrective control?
Question 18 (easy)
The monitoring component of the COSO framework involves:
Question 19 (easy)
Which of the following is an example of a detective control?
Question 20 (easy)
The audit committee of the board of directors is primarily responsible for:
Question 21 (easy)
An internal audit function provides value to an organization primarily by:
Question 22 (easy)
Which element of the fraud triangle represents the circumstances that allow fraud to be committed?
Question 23 (easy)
IT general controls differ from IT application controls in that general controls:
Question 24 (easy)
A whistleblower program is designed to:
Question 25 (easy)
Which of the following is NOT one of the three categories of internal control objectives according to COSO?
Question 26 (easy)
Change management controls in IT are designed to ensure that:
Question 27 (easy)
Business continuity planning (BCP) is primarily concerned with:
Question 28 (easy)
The principle of least privilege in access control means:
Question 29 (easy)
A significant deficiency in internal control is:
Question 30 (easy)
Which of the following is an IT application control?
Question 31 (easy)
In the context of internal controls, 'authorization' refers to:
Question 32 (easy)
Which COSO component includes policies and procedures that help ensure management directives are carried out?
Question 33 (easy)
Under COSO, the control environment is often considered the foundation because it:
Question 34 (easy)
A disaster recovery plan (DRP) differs from a business continuity plan (BCP) in that a DRP:
Question 35 (easy)
The COSO framework identifies how many principles across its five components?
Question 36 (easy)
Which of the following is a key responsibility of the internal audit function regarding internal controls?
Question 37 (easy)
An inherent limitation of internal controls is that they cannot provide:
Question 38 (easy)
Mandatory vacation policies serve as an internal control primarily because they:
Question 39 (easy)
Physical controls over assets include all of the following EXCEPT:
Question 40 (easy)
The three elements of the fraud triangle are:
Question 41 (medium)
According to the COSO framework, which principle states that the organization demonstrates a commitment to attract, develop, and retain competent individuals?
Question 42 (medium)
A company discovers that its accounts payable clerk has been creating fictitious vendors and paying invoices to those vendors. Which control failure most directly contributed to this fraud?
Question 43 (medium)
Under SOX, the audit committee must include at least one member who qualifies as a:
Question 44 (medium)
Which of the following represents a management override of internal controls?
Question 45 (medium)
In the COSO ERM framework, risk appetite is defined as:
Question 46 (medium)
Which of the following is the strongest internal control for preventing unauthorized access to a computer system?
Question 47 (medium)
The COSO ERM framework was updated in 2017 and is titled:
Question 48 (medium)
A company implements an automated three-way match between purchase orders, receiving reports, and vendor invoices. This is an example of:
Question 49 (medium)
Under SOX, who is required to establish and maintain an adequate internal control structure and procedures for financial reporting?
Question 50 (medium)
Which of the following is an example of collusion that undermines segregation of duties?
Question 51 (medium)
Which of the following is a key characteristic of effective monitoring activities under COSO?
Question 52 (medium)
An IT application control that ensures all transactions are processed and none are duplicated is called:
Question 53 (medium)
In the context of COSO ERM, risk tolerance differs from risk appetite because risk tolerance:
Question 54 (medium)
Which of the following best describes a key indicator that the control environment may be weak?
Question 55 (medium)
Under COSO, Principle 8 requires the organization to consider the potential for fraud in assessing risks. This includes assessing:
Question 56 (medium)
A company's general ledger system automatically generates a report of all journal entries posted by users with administrative access. This is an example of:
Question 57 (medium)
Which of the following statements about SOX Section 404(b) is correct?
Question 58 (medium)
A hash total is an example of which type of control?
Question 59 (medium)
Which of the following is a responsibility of the audit committee under SOX?
Question 60 (medium)
An organization uses role-based access control (RBAC). This means:
Question 61 (medium)
The primary difference between a control deficiency and a material weakness is:
Question 62 (medium)
Which COSO principle addresses the organization's commitment to integrity and ethical values?
Question 63 (medium)
A company implements a policy requiring all employees to use strong passwords that must be changed every 90 days. This is an example of:
Question 64 (medium)
In the COSO ERM framework, which component involves identifying events that may affect the organization's ability to implement its strategy?
Question 65 (medium)
Which of the following scenarios represents the pressure element of the fraud triangle?
Question 66 (medium)
An edit check that validates whether a date entered falls within an acceptable range is an example of:
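The automated three-way match (Question 48), the completeness and no-duplicates control (Question 52), the hash total (Question 58) and the date-range edit check (Question 66) are all IT application controls over a single transaction batch. The following is an added example showing what they look like when actually implemented over an accounts payable batch; it is not code from the quiz page or from any named vendor system. The data classes, the rule that an invoice must not exceed the smaller of quantity ordered and quantity received, and the sample purchase orders, receipts and invoices are all constructed for illustration. The invoice from a vendor with no purchase order also covers the fictitious-vendor scenario of Question 42.

```python
from dataclasses import dataclass
from datetime import date


# Assumed record shapes for a purchasing/AP system (constructed, not from the page).
@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingReport:
    po_id: str
    qty_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price: float
    invoice_date: date


def three_way_match(inv, pos, receipts):
    """Preventive application control: an invoice is payable only when the
    purchase order, the receiving report and the invoice agree on vendor,
    unit price and quantity. Returns (ok, reason)."""
    po = pos.get(inv.po_id)
    if po is None:
        return False, "no matching purchase order"
    if po.vendor != inv.vendor:
        return False, "invoice vendor differs from PO vendor"
    if abs(po.unit_price - inv.unit_price) > 0.005:
        return False, "unit price differs from PO"
    rr = receipts.get(inv.po_id)
    if rr is None:
        return False, "no receiving report"
    if inv.qty > min(po.qty, rr.qty_received):
        return False, "invoiced quantity exceeds quantity ordered/received"
    return True, "matched"


def date_in_open_period(d, period_start, period_end):
    """Input edit check: the invoice date must fall inside the open period."""
    return period_start <= d <= period_end


def hash_total(invoices):
    """Batch hash total: the sum of a non-monetary field (numeric part of the
    PO number). The sum has no business meaning; a mismatch against the total
    recorded when the batch was prepared shows a record was lost, added or
    altered in transit."""
    return sum(int("".join(c for c in inv.po_id if c.isdigit())) for inv in invoices)


def run_batch_controls(invoices, pos, receipts, period_start, period_end, expected_hash):
    """Apply the controls in order and return approved ids plus rejections."""
    result = {
        "batch_ok": hash_total(invoices) == expected_hash,
        "approved": [],
        "rejected": [],  # (invoice_id, reason)
    }
    seen = set()
    for inv in invoices:
        key = (inv.vendor, inv.invoice_id)
        if key in seen:  # same vendor invoice posted twice: reject the repeat
            result["rejected"].append((inv.invoice_id, "duplicate invoice"))
            continue
        seen.add(key)
        if not date_in_open_period(inv.invoice_date, period_start, period_end):
            result["rejected"].append((inv.invoice_id, "invoice date outside open period"))
            continue
        ok, reason = three_way_match(inv, pos, receipts)
        if ok:
            result["approved"].append(inv.invoice_id)
        else:
            result["rejected"].append((inv.invoice_id, reason))
    return result


# Constructed sample batch (not taken from the page).
POS = {p.po_id: p for p in [
    PurchaseOrder("PO-1001", "Acme Supplies", 10, 25.00),
    PurchaseOrder("PO-1002", "Globex Corp", 5, 100.00),
    PurchaseOrder("PO-1003", "Acme Supplies", 3, 40.00),
]}
RECEIPTS = {r.po_id: r for r in [
    ReceivingReport("PO-1001", 10),
    ReceivingReport("PO-1002", 4),  # one unit short-shipped
    ReceivingReport("PO-1003", 3),
]}
BATCH = [
    Invoice("INV-1", "PO-1001", "Acme Supplies", 10, 25.00, date(2024, 3, 5)),
    Invoice("INV-2", "PO-1002", "Globex Corp", 5, 100.00, date(2024, 3, 10)),
    Invoice("INV-3", "PO-1003", "Acme Supplies", 3, 45.00, date(2024, 3, 12)),
    Invoice("INV-1", "PO-1001", "Acme Supplies", 10, 25.00, date(2024, 3, 5)),
    Invoice("INV-4", "PO-1003", "Acme Supplies", 3, 40.00, date(2024, 4, 2)),
    Invoice("INV-5", "PO-9999", "Shell Vendor LLC", 1, 5000.00, date(2024, 3, 20)),
]
EXPECTED_HASH = 15009  # hash total recorded when the batch was prepared


def demo():
    return run_batch_controls(BATCH, POS, RECEIPTS, date(2024, 3, 1), date(2024, 3, 31), EXPECTED_HASH)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Only INV-1 is approved; the short-shipped order, the price change, the duplicate posting, the out-of-period date and the invoice with no purchase order are each rejected with a reason the reviewer can act on. Dropping one record from the batch changes the hash total, which is what makes it a completeness control rather than an accuracy control.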
Question 67 (medium)
Which of the following would most likely be considered a material weakness in internal controls?
Question 68 (medium)
The SOX requirement for management to disclose significant changes in internal controls on a quarterly basis falls under:
Question 69 (medium)
A recovery point objective (RPO) in disaster recovery planning defines:
Question 70 (medium)
Under COSO, Principle 16 relates to the organization performing ongoing and/or separate evaluations. This principle falls under which component?
Question 71 (medium)
Which type of audit evidence would be most effective in detecting management override of controls?
Question 72 (medium)
The COSO framework states that the board of directors should exercise oversight of internal controls that is:
Question 73 (medium)
In the context of internal controls, a 'walkthrough' is best described as:
Question 74 (medium)
SOX Section 806 provides protections for:
Question 75 (medium)
A control self-assessment (CSA) differs from traditional internal auditing because CSA:
Question 76 (medium)
Which of the following best describes the relationship between risk assessment and control activities in the COSO framework?
Question 77 (medium)
A recovery time objective (RTO) in disaster recovery planning defines:
Question 78 (medium)
Data encryption is best classified as which type of control?
Question 79 (medium)
According to the IIA Standards, the internal audit function should report to:
Question 80 (medium)
Which of the following is a COSO principle related to the information and communication component?
Question 81 (hard)
A company has a deficiency where the CFO can both initiate and approve wire transfers without any additional authorization. The external auditor determines this could result in a $5 million misstatement, and the company's overall materiality threshold is $3 million. How should this deficiency be classified?
Question 82 (hard)
A company implements the COSO ERM framework and establishes risk appetite statements. During a strategic planning session, management identifies a potential acquisition that falls outside the stated risk appetite. According to COSO ERM, management should:
Question 83 (hard)
A publicly traded company discovers a material weakness in its internal control over financial reporting after the annual report has been filed. Under SOX, the company is required to:
Question 84 (hard)
In evaluating the effectiveness of an entity-level control, an auditor would be LEAST likely to consider:
Question 85 (hard)
An organization implements a Governance, Risk, and Compliance (GRC) system. Which of the following best describes the primary benefit of integrating these three functions?
Question 86 (hard)
A company uses a shared service center for accounts payable processing across 15 subsidiaries. The external auditor is evaluating the internal controls at the shared service center. Under which auditing standard would the auditor most likely report on the shared service center's controls?
Question 87 (hard)
During a fraud risk assessment, an internal auditor identifies that the company's revenue recognition process involves significant manual adjustments at quarter-end with limited oversight. Which of the following responses is most appropriate?
Question 88 (hard)
Under the COSO framework, which of the following best illustrates the concept of a pervasive control versus a discrete control?
Question 89 (hard)
A financial institution implements a three-lines-of-defense model. Which of the following correctly describes the second line of defense?
Question 90 (hard)
A company's SOX 404 testing reveals that a key control over financial reporting was not operating effectively for three of the twelve months in the reporting period. The auditor should most likely:
Question 91 (hard)
A multinational company operates in multiple jurisdictions with varying data privacy regulations (GDPR, CCPA, etc.). From an internal control perspective, the company should:
Question 92 (hard)
In evaluating the design effectiveness of a control, the auditor is primarily assessing whether:
Question 93 (hard)
A company's IT department implements a change management process that requires all changes to production systems to go through development, testing, and approval stages. However, the IT director can deploy emergency changes without following this process. What is the most appropriate compensating control?
Question 94 (hard)
Under the PCAOB's Auditing Standard No. 2201 (AS 2201), an integrated audit of internal control over financial reporting requires the auditor to:
Question 95 (hard)
A pharmaceutical company has a zero-tolerance risk appetite for regulatory compliance failures. When conducting a COSO ERM risk assessment, which approach is most appropriate for this risk category?
Question 96 (hard)
During an assessment of the anti-fraud program, an internal auditor finds that the company has a whistleblower hotline but discovers that 40% of reported tips are never investigated. Which COSO principle is most directly violated?
Question 97 (hard)
A company uses a centralized ERP system with role-based access. An internal audit review discovers that 25 users in the purchasing department have been assigned a 'super user' role that grants access to all modules including accounts payable, general ledger, and HR. What is the most significant risk this presents?
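The segregation-of-duties review behind Question 97, and the least-privilege and role-based access ideas in Questions 28 and 60, come down to one mechanical check: expand each user's roles to the activities they permit and test that set against a list of activity pairs no single person may hold. The following is an added example of that check, not code from the page or from any ERP product. The role catalogue, the 'super_user' role defined as the union of every other role, the five conflict rules and the sample user assignments are all constructed; the function that proposes a minimal role set from the activities a user actually performed assumes an activity log exists, which is also an assumption.

```python
# Role -> activities the role grants (constructed catalogue, not from the page).
ROLE_ACTIVITIES = {
    "purchasing_clerk": {"create_purchase_order"},
    "purchasing_manager": {"approve_purchase_order"},
    "vendor_master": {"create_vendor"},
    "ap_clerk": {"enter_invoice"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"post_journal_entry"},
    "controller": {"approve_journal_entry"},
    "hr_admin": {"maintain_employee_master"},
    "payroll_clerk": {"run_payroll"},
}
# The 'super user' role from the question: every activity in every module.
ROLE_ACTIVITIES["super_user"] = set().union(*ROLE_ACTIVITIES.values())

# Segregation-of-duties rules: activity pairs one person must not hold together.
SOD_RULES = [
    (frozenset({"create_purchase_order", "approve_purchase_order"}), "self-approved purchases"),
    (frozenset({"create_vendor", "enter_invoice"}), "fictitious vendor invoices"),
    (frozenset({"enter_invoice", "approve_payment"}), "self-approved payments"),
    (frozenset({"post_journal_entry", "approve_journal_entry"}), "unreviewed journal entries"),
    (frozenset({"maintain_employee_master", "run_payroll"}), "ghost employees on payroll"),
]


def effective_activities(roles):
    """Expand a user's roles to the full set of activities they can perform.
    An unknown role raises KeyError on purpose: an assignment the catalogue
    cannot explain is itself a finding."""
    acts = set()
    for role in roles:
        acts |= ROLE_ACTIVITIES[role]
    return acts


def sod_conflicts(roles):
    """Return the labels of every SoD rule the role combination violates."""
    acts = effective_activities(roles)
    return [label for pair, label in SOD_RULES if pair <= acts]


def review_assignments(assignments):
    """user -> list of conflicts, for users that have at least one."""
    findings = {}
    for user, roles in assignments.items():
        conflicts = sod_conflicts(roles)
        if conflicts:
            findings[user] = conflicts
    return findings


def super_user_holders(assignments):
    return sorted(u for u, roles in assignments.items() if "super_user" in roles)


def least_privilege_roles(used_activities):
    """Propose the smallest set of ordinary roles (never super_user) that covers
    the activities a user was actually observed performing. Raises if no
    ordinary role grants some activity, which means the catalogue needs work."""
    chosen, covered = [], set()
    for role, acts in sorted(ROLE_ACTIVITIES.items()):
        if role == "super_user":
            continue
        if acts <= used_activities and not acts <= covered:
            chosen.append(role)
            covered |= acts
    if covered != set(used_activities):
        raise ValueError(f"no ordinary role covers: {set(used_activities) - covered}")
    return chosen


# Constructed sample assignments and activity log (not from the page).
ASSIGNMENTS = {
    "alice": ["purchasing_clerk"],
    "bob": ["purchasing_clerk", "purchasing_manager"],
    "carol": ["vendor_master", "ap_clerk"],
    "dave": ["super_user"],
    "erin": ["gl_accountant"],
}
USAGE_LOG = {"dave": {"create_purchase_order", "enter_invoice"}}

if __name__ == "__main__":
    print("SoD conflicts:", review_assignments(ASSIGNMENTS))
    print("super users:", super_user_holders(ASSIGNMENTS))
    print("dave needs only:", least_privilege_roles(USAGE_LOG["dave"]))
```

The review flags bob and carol for one conflict each and dave, the super user, for all five at once, which is the point of the question: a blanket role does not create one risk but every SoD risk in the catalogue simultaneously. The last function shows the remediation step: replace the super user role with the ordinary roles that cover what the user actually does, then re-run the conflict check on the proposed set before granting it.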
Question 98 (hard)
An organization is implementing continuous auditing and continuous monitoring (CA/CM). Which of the following correctly distinguishes these two concepts?
Question 99 (hard)
Under SOX, what are the potential criminal penalties for a CEO or CFO who willfully certifies a financial statement knowing it does not comply with SOX requirements?
Question 100 (hard)
A company is assessing its internal controls and identifies that several key controls rely on spreadsheets maintained by individual employees. From a control effectiveness perspective, the primary concern is: