UMD BMGT 326 - Chapter 7—Controlling Information Systems


Chapter 7—Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control

TRUE/FALSE

1. Organizational governance is a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
ANS: T

2. Fraud is the possibility that an event or action will cause an organization to fail to meet its objectives (or goals).
ANS: F

3. Management is legally responsible for establishing and maintaining an adequate system of internal control.
ANS: T

4. A major reason management must exercise control over an organization’s business processes is to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.
ANS: T

5. Expected gross risk is a function of the initial expected gross risk, reduced risk exposure due to controls, and cost of controls.
ANS: F

6. Under the Sarbanes Oxley Act of 2002, the section on Auditor Independence establishes an independent board to oversee public company audits.
ANS: F

7. Under the Sarbanes Oxley Act of 2002, the section on Corporate Responsibility requires a company’s CEO and CFO to certify quarterly and annual reports.
ANS: T

8. Under the Sarbanes Oxley Act of 2002, the section on Enhanced Financial Disclosures requires each annual report filed with the SEC to include an internal control report.
ANS: T

9. Under the Sarbanes Oxley Act of 2002, the section on Corporate Tax Returns Section 1001, conveys a sense of the Senate that the corporate federal income tax returns be signed by the treasurer.
ANS: F

10. The Sarbanes Oxley Act of 2002 establishes legal responsibility for management to prevent fraud and other irregularities.
ANS: T

11. Risks are those events that could have a negative impact on organization objectives.
ANS: T

12. Opportunities are events that could have a positive impact on organization objectives.
ANS: T

13. Risk assessment is the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
ANS: T

14. The control environment reflects the organization’s general awareness and commitment to the importance of control throughout the organization.
ANS: T

15. External directives are the policies and procedures that help ensure that management directives are carried out.
ANS: F

16. Establishing a viable internal control system is the responsibility of management.
ANS: T

17. Monitoring is a process that assesses the quality of internal control performance over time.
ANS: T

18. The external environment is a system of integrated elements--people, structures, processes, and procedures--acting together to provide reasonable assurance that an organization achieves both its operations system and its information system goals.
ANS: F

19. The control environment refers to an organization's general awareness of and commitment to the importance of control throughout the organization.
ANS: T

20. A fraud is a deliberate act or untruth intended to obtain unfair or unlawful gain.
ANS: T

21. PCAOB Auditing Standard No. 2 requires that auditors evaluate all controls specifically intended to address risks of fraud.
ANS: T

22. According to the 2006 Report to the Nation on Occupational Fraud and Abuse, frauds are more likely to be detected by audits or internal controls than through tips.
ANS: F

23. A computer crime technique called worm involves the systematic theft of very small amounts from a number of bank or other financial accounts.
ANS: F

24. A computer abuse technique called a back door involves a programmer's inserting special code or passwords in a computer program that will allow the programmer to bypass the security features of the program.
ANS: T

25. A logic bomb is a computer abuse technique in which unauthorized code is inserted in a program, which, when activated, causes a disaster such as shutting down a system or destroying data.
ANS: T

26. A salami is program code that can attach itself to other programs (i.e., "infect" those programs), that can reproduce itself, and that operates to alter the programs or to destroy data.
ANS: F

27. Ethical behavior and management integrity are products of the corporate culture.
ANS: T

28. The control matrix is a computer virus that takes control of the computer’s operating system for malicious purposes.
ANS: F

29. The control goal called efficiency of operations strives to assure that a given operations system is fulfilling the purpose(s) for which it was intended.
ANS: F

30. Ensuring the security of resources is the control goal that seeks to provide protection against loss, destruction, disclosure, copying, sale, or other misuse of an organization's resources.
ANS: T

31. The control goal of ensuring input materiality strives to prevent fictitious items from entering an information system.
ANS: F

32. An invalid item is an object or event that is not authorized, never occurred, or is otherwise not genuine.
ANS: T

33. The control goal of input accuracy is concerned with the correctness of the transaction data that are entered into a system.
ANS: T

34. Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process data.
ANS: T

35. A sale to a customer is entered into the system properly, but the event does not accurately update the customer's outstanding balance. This type of processing error would be classified as a user error.
ANS: F

36. A batch of business events is accurately entered into a business event data, but the computer operator fails to use the data to update master data. This type of processing error would be classified as an operational error.
ANS: T

37. A corrective control plan is designed to discover problems that have occurred.
ANS: F

MULTIPLE CHOICE

1. A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance is
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: C

2. A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives:
a. enterprise risk management
b. internal control
c. organizational governance
d. risk assessment
ANS: A

3. A manager of a

