Chapter 7: Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control

TRUE/FALSE

1. Organizational governance is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
ANS: T

2. Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives or goals.
ANS: F

3. Management is legally responsible for establishing and maintaining an adequate system of internal control.
ANS: T

4. A major reason management must exercise control over an organization's business processes is to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
ANS: T

5. Expected gross risk is a function of the initial expected gross risk, reduced risk exposure due to controls, and cost of controls.
ANS: F

6. Under the Sarbanes-Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.
ANS: F

7. Under the Sarbanes-Oxley Act of 2002, the section on Corporate Responsibility requires a company's CEO and CFO to certify quarterly and annual reports.
ANS: T

8. Under the Sarbanes-Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each annual report filed with the SEC to include an internal control report.
ANS: T

9. Under the Sarbanes-Oxley Act of 2002, the section on Corporate Tax Returns, Section 1001, conveys a sense of the Senate that the corporate federal income tax returns be signed by the treasurer.
ANS: F

10. The Sarbanes-Oxley Act of 2002 establishes legal responsibility for management to prevent fraud and other irregularities.
ANS: T

11. Risks are those events that could have a negative impact on organization objectives.
ANS: T

12. Opportunities are events that could have a positive impact on organization objectives.
ANS: T

13. Risk assessment is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
ANS: T

14. The control environment reflects the organization's general awareness and commitment to the importance of control throughout the organization.
ANS: T

15. External directives are the policies and procedures that help ensure that management directives are carried out.
ANS: F

16. Establishing a viable internal control system is the responsibility of management.
ANS: T

17. Monitoring is a process that assesses the quality of internal control performance over time.
ANS: T

18. The external environment is a system of integrated elements (people, structures, processes, and procedures) acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.
ANS: F

19. The control environment refers to an organization's general awareness of and commitment to the importance of control throughout the organization.
ANS: T

20. A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.
ANS: T

21. PCAOB Auditing Standard No. 2 requires that auditors evaluate all controls specifically intended to address risks of fraud.
ANS: T

22. According to the 2006 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by audits or internal controls than through tips.
ANS: F

23. A computer crime technique called worm involves the systematic theft of very small amounts from a number of bank or other financial accounts.
ANS: F

24. A computer abuse technique called a back door involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program.
ANS: T

25. A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, causes a disaster such as shutting down a system or destroying data.
ANS: T

26. A salami is program code that can attach itself to other programs (i.e., infect those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.
ANS: F

27. Ethical behavior and management integrity are products of the corporate culture.
ANS: T

28. The control matrix is a computer virus that takes control of the computer's operating system for malicious purposes.
ANS: F

29. The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.
ANS: F

30. Ensuring the security of resources is the control goal that seeks to provide protection against loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources.
ANS: T

31. The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.
ANS: F

32. An invalid item is an object or event that is not authorized, never occurred, or is otherwise not genuine.
ANS: T

33. The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.
ANS: T

34. Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process data.
ANS: T

35. A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.
ANS: F

36. A batch of business events is accurately entered into a business event data, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.
ANS: T

37. A corrective control plan is designed to discover problems that have occurred.
ANS: F

MULTIPLE CHOICE

1. A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: C

2. A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: A

3. A manager of a manufacturing plant alters production reports to provide the corporate office with an inflated perception