Anda di halaman 1dari 24

Controlling Information Systems: Introduction to Internal Controls

129

Chapter 7Controlling Information Systems: Introduction to Internal Control


TRUE/FALSE
1. Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives
(or goals).
ANS: F
2. Management is legally responsible for establishing and maintaining an adequate system of internal
control
ANS: T
3. The exposure of unacceptable accounting is often caused by managers using misleading information
or failing to acquire necessary information relative to a particular decision.
ANS: F
4. A major reason management must exercise control over an organizations business processes is to
provide reasonable assurance that the company is in compliance with applicable legal and regulatory
obligations.
ANS: T
5. The recording of events contrary to established accounting practices often caused by the incomplete or
inaccurate processing of an event is erroneous record keeping.
ANS: T
6. The inability of an organization to remain abreast of the demands of the marketplace is lack of
competitive advantage.
ANS: T
7. Business interruption can be caused by power failures.
ANS: T
8. Excessive costs may include incurring unnecessary expenses in operating the business.
ANS: T
9. Fraud and embezzlement is often caused by direct misappropriation of funds or by deliberate
communication of misinformation to management or investors.
ANS: T

130

Chapter 7

10. Under the Sarbanes Oxley Act of 2002, the section on Auditor Independence establishes an
independent board to oversee public company audits.
ANS: F
11. Under the Sarbanes Oxley Act of 2002, the section on Corporate Responsibility requires a companys
CEO and CO to certify quarterly and annual reports.
ANS: T
12. Under the Sarbanes Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each
annual report filed with the SEC to include an internal control report.
ANS: T
13. Under the Sarbanes Oxley Act of 2002, the section on Corporate Tax Returns Section 1001, conveys a
sense of the Senate that the corporate federal income tax returns be signed by the treasurer.
ANS: F
14. Risk is the possibility that an event or action will cause an organization to fail to meet its objectives or
goals.
ANS: T
15. A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.
ANS: T
16. The Sarbanes Oxley Act of 2002 establishes legal responsibility for management to prevent fraud and
other irregularities.
ANS: T
17. The recording of events contrary to established accounting practices often caused by the incomplete or
inaccurate processing of an event is known as erroneous record keeping.
ANS: T
18. Erroneous management decisions differ from fraud in that they are a willful disregard of GAAP.
ANS: F
19. Fraud and embezzlement is the exposure that is often caused by direct misappropriation of funds or by
deliberate communication of misinformation to management or investors.
ANS: T
20. According to the Ernst and Young Fraud survey, the number one fraud worry on the minds of
executives is computer crime.
ANS: F

Controlling Information Systems: Introduction to Internal Controls

131

21. A computer crime techniques called worm involves the systematic theft of very small amounts from a
number of bank or other financial accounts.
ANS: F
22. A computer abuse technique called a trap door (or back door) involves a programmer's inserting
special code or passwords in a computer program that will allow the programmer to bypass the
security features of the program.
ANS: T
23. A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program,
which, when activated, causes a disaster such as shutting down a system or destroying data.
ANS: T
24. A salami is program code that can attach itself to other programs (i.e., "infect" those programs), that
can reproduce itself, and that operates to alter the programs or to destroy data.
ANS: F
25. Risk assessment is the entity's identification and analysis of relevant risks to achievement of its
objectives, forming a basis for determining how the risks should be managed.
ANS: T
26. The control environment sets the tone of the organization, influencing the control consciousness of its
people.
ANS: T
27. External directives are the policies and procedures that help ensure that management directives are
carried out.
ANS: F
28. Establishing a viable internal control system is the responsibility of management.
ANS: T
29. Monitoring is a process that assesses the quality of internal control performance over time.
ANS: T
30. The external environment is a system of integrated elements--people, structures, processes, and
procedures--acting together to provide reasonable assurance that an organization achieves both its
operations system and its information system goals.
ANS: F

132

Chapter 7

31. The control environment refers to an organization's general awareness of and commitment to the
importance of control throughout the organization.
ANS: T
32. The control goal called efficiency of operations strives to assure that a given operations system is
fulfilling the purpose(s) for which it was intended.
ANS: F
33. Ensuring the security of resources is the control goal that seeks to provide protection against loss,
destruction, disclosure, copying, sale, or other misuse of an organization's resources.
ANS: T
34. The control goal of ensuring input materiality strives to prevent fictitious items from entering an
information system.
ANS: F
35. An invalid item is an object or event that is not authorized, never occurred, or is otherwise not
genuine.
ANS: T
36. The control goal of input accuracy is concerned with the correctness of the transaction data that are
entered into a system.
ANS: T
37. Business process control plans relate to those controls particular to a specific process or subsystem,
such as billing or cash receipts, or to a particular technology used to process data.
ANS: T
38. A sale to a customer is entered into the system properly, but the event does not accurately update the
customer's outstanding balance. This type of processing error would be classified as a user error.
ANS: F
39. A batch of business events is accurately entered into a business event data, but the computer operator
fails to use the data to update master data. This type of processing error would be classified as an
operational error.
ANS: T
40. A corrective control plan is designed to discover problems that have occurred.
ANS: F

Controlling Information Systems: Introduction to Internal Controls

133

MULTIPLE CHOICE
1. A manager of a manufacturing plant alters production reports to provide the corporate office with an
inflated perception of the plant's cost effectiveness in an effort to keep the inefficient plant from being
closed. This action would be classified as a(n):
a. Risk
b. Hazard
c. Fraud
d. Exposure
ANS: C
2. Events or situations that subject an organization to the possibility of harm, loss, or danger cause:
a. risks
b. fraud
c. controls
d. embezzlement
ANS: A
3. Who is legally responsible for establishing and maintaining an adequate system of internal control?
a. the board of directors
b. stakeholders
c. investors
d. management
ANS: D
4. The major reasons for exercising control of the organizations business processes include all of the
following except:
a. Provide reasonable assurance that the goals of the business are being achieved
b. To mitigate risks of fraud and other intentional and unintentional acts
c. To provide reasonable assurance that the company is in compliance with applicable legal
and regulatory obligations
d. All of the above
ANS: D
5. The recording of events contrary to established accounting practices often caused by the incomplete or
inaccurate processing of an event is:
a. Erroneous record keeping
b. Unacceptable accounting
c. Erroneous management decisions
d. Fraud and embezzlement
ANS: A
6. The establishment of accounting policies that are not GAAP or are inappropriate to the circumstances
often caused by improper interpretation or willful disregard of GAAP is:
a. Erroneous record keeping
b. Unacceptable accounting
c. Erroneous management decisions
d. Fraud and embezzlement

134

Chapter 7

ANS: B
7. This exposure is often caused by managers using misleading information or failing to acquire
necessary information relative to a particular decision:
a. Erroneous record keeping
b. Unacceptable accounting
c. Erroneous management decisions
d. Fraud and embezzlement
ANS: C
8. This exposure is often caused by direct misappropriation of funds or by deliberate communication of
misinformation to management or investors:
a. Erroneous record keeping
b. Unacceptable accounting
c. Erroneous management decisions
d. Fraud and embezzlement
ANS: D
9. Various penalties that may be brought by judicial or regulatory authorities is (are):
a. Statutory sanctions
b. Excessive costs
c. Loss or destruction of resources
d. Competitive disadvantage
ANS: A
10. The inability of an organization to remain abreast of the demands of the marketplace is (are):
a. Statutory sanctions
b. Excessive costs
c. Loss or destruction of resources
d. Competitive disadvantage
ANS: D
11. The section of Sarbanes Oxley that establishes an independent board to oversee public company audits
is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: A
12. The section of Sarbanes Oxley that prohibits a CPA firm that audits a public company from engaging
in certain non-audit services is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: B

Controlling Information Systems: Introduction to Internal Controls

135

13. The section of Sarbanes Oxley that requires a companys CEO and CFO to certify quarterly and annual
reports is :
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: C
14. The section of Sarbanes Oxley that requires each annual report filed with the SEC to include an
internal control report is:
a. Title I Public Company Accounting Oversight Board
b. Title II Auditor Independence
c. Title III Corporate Responsibility
d. Title IV Enhanced Financial Disclosures
ANS: D
15. The section of Sarbanes Oxley that requires financial analysts to properly disclose any investments
they might hold with the companies they recommend:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: A
16. The section of Sarbanes Oxley that makes it a felony to knowingly destroy, alter, or create records and
or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal
investigation and offers legal protection to whistle blowers is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: B
17. The section of Sarbanes Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to
$5,000,000 and up to 20 years imprisonment if they certify false or misleading financial statements
with the SEC is:
a. Title V Analysis of Conflicts of Interests
b. Title VIII Corporate Criminal Fraud Accountability
c. Title IX White Collar Crime Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: C
18. The section of Sarbanes Oxley that provides for fines and imprisonment of up to 20 years to
individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the
documents integrity or availability for use in an official proceeding, or to otherwise obstruct,
influence or impede any official proceeding is:
a. Title V Analysis of Conflicts of Interests

136

Chapter 7

b. Title VIII Corporate Criminal Fraud Accountability


c. Title IX White Collar Crime Enhancements
d. Title XI Corporate Fraud and Accountability
ANS: D
19. According to the Ernst and Young Fraud survey, the number one fraud worry on the minds of
executives is:
a. Personal financial pressure
b. Computer crime
c. Asset misappropriation
d. Internal control
ANS: C
20. A computer abuse technique called a __________ involves inserting unauthorized code in a program,
which, when activated, causes a disaster, such as shutting the system down or destroying files.
a. salami
b. trap door
c. logic bomb
d. Trojan horse
ANS: C
21. A computer abuse technique called a __________ involves a program that replicates itself on disks, in
memory, or across networks.
a. Worm
b. trap door
c. logic bomb
d. Trojan horse
ANS: A
22. A computer abuse technique called a __________ involves program that can attach itself to other
programs thereby infecting those programs.
a. Worm
b. Virus
c. logic bomb
d. Trojan horse
ANS: B
23. In its 1999 report, the COSO Report on Fraudulent Financial Reporting that studied over 200 cases of
fraudulent financial reporting from 1987 to 1997:
a. The companies looked at were all large companies
b. Some of the companies were at or near loss positions
c. The CEOs were not involved in most cases
d. Companies tended to understate assets and understate revenues
ANS: B

Controlling Information Systems: Introduction to Internal Controls

137

24. Which of the following statements regarding internal controls systems is false?
a. Effective internal control systems provide absolute assurance against the occurrence of
material frauds and embezzlements.
b. Internal control systems depend largely on the competency and honesty of people.
c. Because internal control systems have a cost, management should evaluate the cost/benefit
of each control plan.
d. The development of an internal control system is the responsibility of management.
ANS: A
25. Elements of a control environment might include the following except:
a. organization values and norms
b. management philosophy and operating style
c. means of communications
d. reward systems
ANS: C
26. ____________ sets the tone of the organization, influencing the control consciousness of its people.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: A
27. ____________ are the policies and procedures that help ensure that management directives are carried
out.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: C
28. ____________ is a process that assesses the quality of internal control performance over time.
a. Control environment
b. Risk assessment
c. Control activities
d. Monitoring
ANS: D
29. A measure of success in meeting a set of established goals is called system:
a. Effectiveness
b. Monitoring
c. Efficiency
d. control goals
ANS: A

138

Chapter 7

30. As a result of an inadequate design, a production process yields an abnormally high amount of raw
material scrapped. Which control goal is being violated?
a. ensure effectiveness of operations
b. ensure efficient employment of resources
c. ensure security of resources
d. ensure input accuracy
ANS: B
31. Establishing a viable internal control system is primarily the responsibility of:
a. The external auditors
b. Management
c. The programmers
d. Government authorities
ANS: B
32. The information system control goal which relates to preventing fictitious events from being recorded
is termed:
a. ensure input validity
b. ensure input accuracy
c. ensure input completeness
d. ensure effectiveness of operations
ANS: A
33. A business event which is not properly authorized is an example of:
a. an invalid item
b. an inaccurate item
c. an incomplete item
d. an unusual item
ANS: A
34. Achieving which control goal requires that all valid objects or events are captured and entered into a
system's database?
a. input validity
b. update accuracy
c. input completeness
d. update completeness
ANS: C
35. Failing to record a customer's order for the purchase of inventory violates the information system
control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure input validity
d. ensure input accuracy and input validity
ANS: B

Controlling Information Systems: Introduction to Internal Controls

139

36. Discrepancies between data items recorded by a system and the underlying economic events or objects
they represent are a violation of the information system control goal of:
a. ensure input validity
b. ensure input completeness
c. ensure input accuracy
d. ensure input accuracy and input validity
ANS: C
37. Assuring that the accounts receivable master data reflects all cash collections recorded in the cash
receipts event data addresses the control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure update accuracy
d. ensure update completeness
ANS: D
38. Assuring that cash collections recorded in the cash receipts event data are credited to the right
customer in the accounts receivable master data addresses the control goal of:
a. ensure input accuracy
b. ensure input completeness
c. ensure update accuracy
d. ensure update completeness
ANS: C
39. Which of the following is a control goal for the information system for the applicable master data?
a. input validity
b. update accuracy
c. input accuracy
d. input completeness
ANS: B
40. Why is there usually no control goal called update validity?
a. Update completeness achieves update validity.
b. Input validity guarantees update validity.
c. Update accuracy guarantees update validity.
d. Input accuracy achieves update validity.
ANS: B
41. A programming error causes the sale of an inventory item to be added to the quantity on hand attribute
in the inventory master data. Which control goal was not achieved?
a. ensure update completeness
b. ensure input accuracy
c. ensure update accuracy
d. ensure input completeness
ANS: C

140

Chapter 7

42. Information processing procedures and policies that assist in accomplishing control goals are known
collectively as:
a. control plans
b. control systems
c. control objectives
d. control outcomes
ANS: A
43. ______________________ relate to those controls particular to a specific process or subsystem, such
as billing or cash receipts, or to a particular technology used to process data:
a. Control procedures
b. Information processing procedures
c. Business process control plans
d. Operations system control plans
ANS: C
44. Control plans that relate to a multitude of goals and applications are called:
a. business process control plans
b. internal control systems
c. pervasive control plans
d. management control systems
ANS: C
45. A control plan requires that a manager sign his/her approval of timecards for employees in that
department. This control plan is an example of:
a. a systems control
b. the control environment
c. a pervasive control plan
d. a business process control plan
ANS: D
46. Controls that stop problems from occurring are called:
a. preventive controls
b. detective controls
c. corrective controls
d. programmed controls
ANS: A
47. A control that involves reprocessing transactions that are rejected during initial processing is an
example of:
a. preventive controls
b. detective controls
c. corrective controls
d. programmed controls
ANS: C

Controlling Information Systems: Introduction to Internal Controls

141

48. The programmed verification of a customer number is a ______________ control.


a. preventive
b. detective
c. corrective
d. application
ANS: A
49. Which of the following business scandals involved special purpose entities to hide billions of dollars
in corporate liability?
a. Enron
b. WorldCom
c. Adelphia Communications
d. Tyco
ANS: A
COMPLETION
1. ________________ is the possibility that an event or action will cause an organization to fail to meet
its objectives or goals.
ANS: Risk
2. A(n) ____________________ is caused by events or situations which subject an organization to the
possibility of some type of harm, danger, or loss.
ANS: exposure
3. ____________________ is a deliberate act or untruth intended to obtain unfair or unlawful gain.
ANS: Fraud
4. The ________________________________________ Act establishes legal responsibility for
management to prevent fraud and other irregularities.
ANS: Foreign Corrupt Practices
5. The recording of events contrary to established accounting practices often caused by the incomplete or
inaccurate processing of an event is known as _____________________.
ANS: erroneous record keeping
6. The establishment of accounting policies that are not GAAP or are inappropriate to the circumstances
often caused by improper interpretation or willful disregard of GAAP is
ANS: unacceptable accounting
7. The exposure often caused by managers using misleading information or failing to acquire necessary
information relative to a particular decision is ______________________.
ANS: erroneous management decisions

142

Chapter 7

8. _______________ is the exposure is often caused by direct misappropriation of funds or by deliberate


communication of misinformation to management or investors.
ANS: Fraud and embezzlement
9. Various penalties that may be brought by judicial or regulatory authorities is (are)
ANS: statutory sanctions
10. The inability of an organization to remain abreast of the demands of the marketplace is (are)
_________________.
ANS: competitive disadvantage
11. The section of Sarbanes Oxley that establishes an independent board to oversee public company audits
is _________________.
ANS: Public Company Accounting Oversight Board or Title I
12. The section of Sarbanes Oxley that prohibits a CPA firm that audits a public company from engaging
in certain non-audit services is _______________________.
ANS: Auditor Independence or Title II
13. The section of Sarbanes Oxley that requires a companys CEO and CFO to certify quarterly and annual
reports is ___________________.
ANS: Corporate Responsibility or Title III
14. The section of Sarbanes Oxley that requires each annual report filed with the SEC to include an
internal control report is _____________________.
ANS: Enhanced Financial Disclosures or Title IV
15. The section of Sarbanes Oxley that requires financial analysts to properly disclose in research reports
any conflicts of interest they might hold with the companies they recommend is
___________________.
ANS: Analysis of Conflicts of Interests or Title V
16. The section of Sarbanes Oxley that makes it a felony to knowingly destroy, alter, or create records and
or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal
investigation and offers legal protection to whistle blowers is _____________________.
ANS: Corporate and Criminal Fraud Accountability or Title VIII
17. The section of Sarbanes Oxley that sets forth criminal penalties applicable to CEOs and CFOs of up to
$5,000,000 and up to 20 years imprisonment if they certify false or misleading financial statements
with the SEC is ____________________.
ANS: White Collar Crime Enhancements or Title IX

Controlling Information Systems: Introduction to Internal Controls

143

18. The section of Sarbanes Oxley that provides for fines and imprisonment of up to 20 years to
individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the
documents integrity or availability for use in an official proceeding, or to otherwise obstruct,
influence or impede any official proceeding is __________________________.
ANS: Corporate Fraud and Accountability or Title XI
19. According to the Ernst and Young Fraud survey, the number one fraud worry on the minds of
executives is _______________________.
ANS: asset misappropriation
20. A computer crime techniques called ____________________ involves the systematic theft of very
small amounts from a number of bank or other financial accounts.
ANS: salami
21. A computer abuse technique called a __________ involves a program that replicates itself on disks, in
memory, or across networks.
ANS: worm or virus
22. A computer abuse technique called a(n) ____________________ involves a programmer's inserting
special code or passwords in a computer program that will allow the programmer to bypass the
security features of the program.
ANS: trap door
23. A(n) ____________________ is a computer abuse technique in which unauthorized code is inserted in
a program, which, when activated, causes a disaster such as shutting down a system or destroying data.
ANS: logic bomb
24. A(n) ____________________ is program code that can attach itself to other programs (i.e., "infect"
those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.
ANS: computer virus
25. ____________________ is the entity's identification and analysis of relevant risks to achievement of
its objectives, forming a basis for determining how the risks should be managed.
ANS: Risk assessment
26. The ____________ sets the tone of the organization, influencing the control consciousness of its
people.
ANS: control environment
27. ____________________ are the policies and procedures that help ensure that management directives
are carried out.
ANS: Control activities

144

Chapter 7

28. Establishing a viable internal control system is the responsibility of _________________.


ANS: management
29. ____________________ is a process that assesses the quality of internal control performance over
time.
ANS: Monitoring
30. ____________________ is a system of integrated elements--people, structures, processes, and
procedures--acting together to provide reasonable assurance that an organization achieves both its
operations system and its information system goals.
ANS: Internal control
31. The ____________________ refers to an organization's general awareness of and commitment to the
importance of control throughout the organization.
ANS: control environment
32. The control goal called ____________________ strives to assure that a given operations system is
fulfilling the purpose(s) for which it was intended.
ANS: ensure effectiveness of operations
33.

The control goal that seeks to provide protection against loss, destruction, disclosure, copying, sale,
or other misuse of an organization's resources is called ____________________.
ANS: ensure security of resources

34. The control goal of ensure input ____________________ strives to prevent fictitious items from
entering an information system.
ANS: validity
35. A(n) ____________________ item is an object or event that is not authorized, never occurred, or is
otherwise not genuine.
ANS: invalid
36. The control goal that is concerned with the correctness of the transaction data that are entered into a
system is called ensure ____________________.
ANS: input accuracy
37. A missing data field on a source document or computer screen is an example of an error that
could undermine the achievement of the control goal of ensure ____________________.
ANS: input accuracy

Controlling Information Systems: Introduction to Internal Controls

145

38. The control goal of ensure ____________________ provides assurance that all valid objects or events
which were entered into the computer are in turn reflected in their respective master data.
ANS: update completeness
39. The control goal of ensure input ____________________ requires that all valid objects or events are
captured and entered into the computer.
ANS: completeness
40. Information policies and procedures which assist in accomplishing control goals are known as
____________________.
ANS: control plans
41. ______________________ relate to those controls particular to a specific process or subsystem, such
as billing or cash receipts, or to a particular technology used to process data.
ANS: Business control plans
42. Control plans that relate to a multitude of goals and applications are called ________________.
ANS: pervasive control plans
43. A control plan requires that a manager sign his/her approval of timecards for employees in that
department. This control plan is an example of a ______________________.
ANS: business process control plan
44. A batch of business events is accurately entered into a business event data, but the computer operator
fails to use the data to update master data. This type of processing error would be classified as a(n)
__________________ error.
ANS: operational
45. Three terms used in the chapter to refer to when a control plan is exercised are
____________________, ____________________, and corrective control plans.
ANS:
preventive
detective
46. A(n) ____________________ is designed to discover problems that have occurred.
ANS: detective control plan
47. A(n) ____________________ is designed to rectify problems that have occurred.
ANS: corrective control plan

146

Chapter 7

PROBLEM
1. Below is an alphabetical list of nine common business exposures presented in Chapter 7. The second
list contains eight possible causes of exposures (there could be others).
Required:
On the blank line to the left of each numbered item, place the capital letter of the exposure that best
matches that cause. Do not use a letter more than once. You should have one letter unused.
Business Exposures
A.
B.
C.
D.
E.
F.
G.
H.
I.

Business interruption
Competitive disadvantage
Erroneous management decisions
Erroneous record keeping
Excessive costs
Fraud and embezzlement
Loss or destruction of assets
Statutory sanctions
Unacceptable accounting
POSSIBLE EXPOSURE CAUSES

Answers
_____ 1.

Information that is inappropriate for the decision being made

_____ 2.

Improper interpretation or disregard of FASB standards

_____ 3.

Incomplete or inaccurate processing of a business event

_____ 4.

Deliberate misinforming of management or investors

_____ 5.

A natural calamity such as a fire

_____ 6.

Lack of proper safeguards over an organization's information resources

_____ 7.

An information system that has not kept pace with changes in customer needs

_____ 8.

Improper interpretation or disregard of SEC regulations

Controlling Information Systems: Introduction to Internal Controls

147

ANS:
Possible
Exposure
Cause

Answer

1
2
3
4
5
6
7
8

C
I
D
F
A
G
B
H

(Although we believe answer A is best, E is acceptable.)

2. Below is a list of control goals followed by a list of short scenarios describing system failures (i.e.,
control goals not met) and/or instances of successful control plans (i.e., plans that helped to achieve
control goals).
Required:
On the blank line to the left of each numbered scenario, place the capital letter of the control goal that
best matches the situation described. HINT: Some letters may be used more than once. Conversely,
some letters may not apply at all.
A.
B.
C.
D.
E.
F.
G.
H.

Control Goals
Ensure effectiveness of operations.
Ensure efficient employment of resources.
Ensure security of resources.
Ensure input validity.
Ensure input accuracy.
Ensure input completeness.
Ensure update accuracy.
Ensure update completeness.
SCENARIOS

Answers
_____ 1.

A batch of documents sent by the mail room to the accounts receivable department
were lost in the intercompany mail and never recorded.

_____ 2.

A mail room clerk fabricated a phony document for a friend to make it look like
the friend had paid his account receivable balance. The phony document got
recorded.

_____ 3.

An accounts receivable clerk made a copy of the company's accounts receivable


master data and sold this customer information to a competing company.

_____ 4.

Customer checks received in the mail room are batched and sent to the cashier
several times a day so that they can be deposited as fast as possible.

148

Chapter 7

_____ 5.

A flaw in the processing logic of a computer program resulted in cash received


from customers being added to their accounts receivable balances rather than
subtracted.

_____ 6.

In a manual bookkeeping system, an accounts receivable clerk failed to post an


entire page of transactions from the cash receipts journal to the accounts receivable
subsidiary ledger.

_____ 7.

In a manual bookkeeping system, cash receipts recorded correctly in the cash


receipts journal on December 31st were inadvertently posted to customer accounts
under a date of January 1st.

_____ 8.

In keying remittance advices into his computer terminal, an accounts receivable


clerk entered a receipt of $200 as $2,000.

ANS:
Scenario
Number
1
2
3
4

Answer
F
D
C
A

Scenario
Number
5
6
7
8

Answer
G
H
G
E

3. Figure TB-7.1 depicts the "general" control model shown in Chapter 7 but with all labels removed.
Required:
Complete Figure TB-7.1 by inserting the following labels where they belong in the model:

Process Labels
Evaluate process
Observe actual state of process
Establish desired state of process
Recommend changes to process
Document actual state of process

Data Flow Labels


Recommendations
Objectives
Documentation
Observations
Evaluation

Controlling Information Systems: Introduction to Internal Controls

149

ANS:
For solution, see Figure 7.1 in Chapter 7 of the text.
4. Listed below are 13 specific fraud examples taken from some well-known fraud cases: MiniScribe,
ZZZZ Best Carpet Cleaning, Lesley Fay, and Equity Funding.
Required:
For each fraud example, enter a letter corresponding to which information control goal was initially
violated--Validity, Completeness, or Accuracy. Some examples might involve more than one violation.
NOTE: When we say initially, we mean what control goal failure led to this example, not what is the
present condition. For example, master data might contain information that is inaccurate, but it might
have been an inaccurate input that initially caused the data to be inaccurate.
Fraud Examples:
Control
Goal
Initially
Violated

Scenario
1.
2.
3.
4.
5.
6.

MiniScribe: Sales were inflated by shipping disk drives that were not
ordered by customers.
MiniScribe: Sales of goods were recorded prior to the passing of title.
MiniScribe: Some sales returns were never recorded.
MiniScribe: Defective disk drives were included in inventory.
MiniScribe: Auditors' workpapers were altered to inflate inventory
values.
ZZZZ Best Carpet Cleaning: Phony receivable/sales documents were

150

Chapter 7

7.
8.
9.
10.
11.
12.
13.

created to overstate sales.


ZZZZ Best Carpet Cleaning: Payments were recorded to fictitious
vendors.
Lesley Fay Cos.: Inventory was overstated, thereby understating cost
of goods sold.
Lesley Fay: Markdown allowances to retailers were understated or
omitted.
Lesley Fay: Suppliers' invoices were not recorded.
Lesley Fay: Revenues and profits were inflated by recording sales
entries for several days after a quarter had ended.
Equity Funding: 63,000 bogus insurance policies were created and
recorded.
Other: A bank teller stole $1.5 million by pocketing customer deposits.
He covered his theft by accessing an unsecured computer terminal and
transferring funds from dormant bank accounts into the accounts of
customers from whom he had received deposits.

ANS:
Scenario
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.

Control Goal
Initially Violated
V
A or V
C
V
V or A
V
V
V or A
A or C
C
A or V
V
V

5. The CFO of Exeter Corporation is very uncomfortable with its current risk exposure relate to the
possibility of business disruptions. Specifically, Exeter is heavily involved with e-Business and its
internal information systems are tightly interlinked with its key customers systems. The CFO has
estimated that every hour of system downtime will cost the company about $5,000 in sales. The CFO
and CIO have further estimated that if the system were to fail, the average downtime would be about 2
hours per incident. The have anticipated (assume with 100% annual probability) that Exeter will likely
experience 10 downtime incidents in a given year due to internal computer system problems, and
another 10 incidents per year due to external problems; specifically system failures with the Internet
service provider (ISP). Currently, Exeter pays an annualized cost of $25,000 for redundant computer
and communication systems, and another $25,000 for Internet service provider (ISP) support just to
keep total expected number of incidents to 20 per year.

Controlling Information Systems: Introduction to Internal Controls

151

Required:
a. Given the information provided thus far, how much ($) is the companys current expected
gross risk?
b. A further preventative control would be to purchase and maintain more redundant computers
and communication lines where possible, at an annualized cost of $30,000, which would
reduce the expected number of downtimes per year to 5 per year due to internal computer
system problems. What would the dollar amount of Exeters current residual expected risk at
this point?
ANS:
a.
$5,000 X 2 hours = $10,000 per incident. $10,000 per incident X 20 incidents X 100% probability =
$200,000 for expected gross risk.
b.
Expected gross risk $200,000 (5 less internal incidents X $10,000) = $150,000 plus add the cost of
the additional computers and communication lines of $30,000 = $180,000 residual expected risk.
6. Matching section on Sarbanes Oxley
1. _____

Section makes it a felony to knowingly destroy, alter, or create records and/or


documents with the intent to impede, obstruct, or influence and ongoing or
contemplated federal investigation and provides protection for whistle blowers.

2. _____

Section prohibits a CPA firm that audits a public company to engage in certain nonaudit services with the same client.

3. _____

Corporate federal income tax returns should be signed by the CEO.

4. _____

Section requires each annual report filed with the SEC to include an internal control
report.

5. _____

Section that requires the companys CEO and CFO to certify quarterly and annual
report.

6. _____

Section requires financial analysts to properly disclose in research reports any


conflicts of interest they might hold with the companies they recommend.

7. _____

Section establishes an independent board to oversee public company audits.

8. _____

Section authorizes the General Accounting Office (GAO) to study the consolidation of
public accounting firms since 1989 and offer solutions to any recognized problems.

a. Public Company Accounting Oversight Board


b. Auditor Independence
c. Corporate Responsibility
d. Enhanced Financial Disclosures
e. Analysts Conflicts of Interest
f. Studies and Reports
g. Corporate and Criminal Fraud Accountability

152

Chapter 7

h. Corporate Tax Returns


ANS:
1. g
2. b
3. h
4. d
5. c
6. e
7. a
8. f