401 Prelim & Midterm Questionnaire

PRELIM – Governance & Internal Control

Checking odd balances in the documents and in the financial statement accounts is an example of what type of control?
Detective

What is the primary purpose of effective internal control in an organization?
Achievement of certain organizational goals

This COSO component includes a range of actions as diverse as approvals, authorizations, verifications, reconciliations, etc.
Control activities

According to the COSO report, the correct sequence is
Objectives, risks, actions

An adequate system of internal control is most likely to detect an irregularity perpetrated by a
Single employee

Which of the following is not one of the differences between a CEO and a Chairman of the Board?
The Chairman implements the decisions of the board, while the CEO proposes plans, budgets and strategies

Corporate management has a role in the maintenance of internal control. In fact, management sometimes is a control. Which of the following involves managerial functions as a control device?
Supervision of employees.

In a small company that employs an inadequate number of employees to permit proper division of responsibilities, effective internal control can be strengthened by
Direct participation by the owner of the business in the record keeping activities of the business.

Inherent limitations in an internal control structure must be considered in evaluating its effectiveness in preventing or detecting errors and irregularities. Inherent limitations do not include
Incompatible functions performed by the same person

An act of two or more employees to misstate record is called. Collusion

A well-designed system of internal control that is functioning effectively is most likely to detect an irregularity arising from. The fraudulent action of an individual employee.

Proper segregation of functional responsibilities in an effective structure of internal control calls for separation of the functions of
Authorization, recording and custody

A manager has an interest in receiving benefits from his or her position as a manager. This is a scenario of the agency conflict under:
Moral hazard

According to the COSO report, which of the following is the most important component of internal control? Control environment.

The purpose of control is to ensure that the goals of a firm are being achieved.

Which of the following is not a proper role of corporate board of directors? Guarantor

The board of directors should (choose the incorrect one):
Make business decisions for the company

Which of the following is not considered an external stakeholder? Shareholders

Corporate directors, management, external auditors and internal auditors all play important roles in creating a proper control environment. Top management is primarily responsible for
Establishing a proper environment and specifying an overall internal control structure

The major issue embedded in the structure of modern corporations that has contributed to the corporate governance problem has been
The separation of ownership from control.

Which of the following best identifies the reason that effective corporate governance is important?
The separation of ownership from management

Internal control structure objectives are to be accomplished with reasonable assurance. The concept of reasonable assurance recognizes that
Employee carelessness can weaken an internal control structure.

Which of the following is not a component in the COSO framework for internal control?
Segregation of duties

The following relates to internal control. Which of the following is incorrect?
The internal control system is confined to those matters which relate directly to the functions of the accounting system

This committee is tasked to monitor financial reporting. Audit committee

Corporate governance is concerned with

The requirement that purchases be made from suppliers on an approved vendor list is an example of a Preventive control

I. The governance function is the primary responsibility of the internal audit activity.
II. The organization should employ a process for identifying, assessing and managing risk.
True; False

Which of the following is not typically one of management’s concerns in designing an effective internal control structure? Obtaining the best internal control system possible.

Proper segregation of duties reduces the opportunities in which a person could both
Perpetuate errors and irregularities and conceal them.

Giving limited computer access to employees is an example of what type of control?
Preventive and detective

Which of the following components of internal control would encompass the routine controls over business processes and transactions?
Control activities

This type of control ensures that there is clear direction and drive towards achieving the stated objectives Directive

The primary responsibility for establishing and maintaining internal controls rests with the.
Management

All of the following are primary objectives of the overall management process except:
Improving the effectiveness of risk management, control and governance processes

Internal control is a function of management, and effective control is based upon the concept of charge and discharge of responsibility and duty. Which of the following is one of the overriding principles of internal control? Responsibility for the performance of each duty must be fixed.

Which of the following is a directive control?
Requiring all members of the internal auditing department to be CIAs.

This pertains to the cost of measuring, observing and controlling the behavior of management
Monitoring cost

Which of the following is a preventive type of control?
Unique usernames requiring passwords are assigned to each employee

The relative roles, rights, and accountability of such stakeholder groups as owners, board members, managers, employees, and others.

The concept of control should be viewed as. Accomplishing an objective.

True or False

Physical access restrictions can be applied to buildings and warehouses. T

The control framework needs to be in place to promote the right control environment. T

Physical access restrictions can be applied to buildings and warehouses. T

The organization should employ a process for identifying, assessing and managing risk. T

In terms of time horizon, shareholders tend to be more concerned with the short-term financial prospects than long-term ones. F

Seminars, trainings and orientations for employees are examples of a corrective control. F

Costs of monitoring pertain to costs that might be incurred to provide incentives to managers to act in the best interests of the shareholders. F

Since external auditors are parties outside an organization, the external audit process cannot be reviewed by the audit committee. F

The board should be composed of non-executive directors only so as to represent the interests of the shareholders in a professional and responsible manner. F

Controls are needed if they guard against unacceptable risks to the business. F

A principle of good corporate governance is that a substantial number of the directors of a company should be independent. T

In the agency concept, the owners of an organization act as the principal whereas the directors act as the agent. T

The audit committee can have an involvement in the appointment of internal auditors. T

Operational controls are concerned with making sure that an entity complies with all the requirements of relevant legislation and regulations. F

Corporate governance is concerned with running the business operations of a company. F
Internal controls are there to mitigate unacceptable levels of risk. T

Monitoring controls assess the quality of the system’s performance over time. T

Shareholders provide capital to management and the management in turn provides transparent reporting to the shareholders. T

The internal audit activity and the audit committee are one and the same body. F

Internal auditors are duty bound to ensure that the control processes are carefully implemented. F

Preparation of bank reconciliation statements is an example of a detective control. T

Authorization and approval controls are controls over spending decisions and decisions to enter into transactions. T

Monitoring controls pertain to the “tone at the top” of an entity. F

The control environment is the foundation for effective internal control, providing discipline and structure. T

The senior management formulates a corporate strategy to achieve set objectives. F

Communication systems involve providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. T

To emphasize independence, the board may comprise non-executive directors. T

When talking about agency conflicts, management seems to be more of a risk-taker as compared to the shareholders of an entity. F

The board should be properly accountable to its shareholders, and should be open and transparent with investors generally. T

Customers and suppliers of a company are considered part of the stakeholders group. T

Difficulty in achieving staff collusion is inversely related to the number of persons involved. F

Preventive controls are more cost effective as compared to detective controls. T

Monitoring is done to ensure that controls continue in operation. T

The board, not dominated by a sole powerful CEO and Chairman is a good corporate governance practice. T

The governance function is the primary responsibility of the internal audit activity. F

Lenders and regulators are considered internal stakeholders of an entity. F

An internal control system helps ensure compliance with applicable laws and regulations and also with external reporting requirements. F

The main driver for corporate governance is based on the agency concept. T

Risk Assessment includes a range of actions as diverse as approvals, authorizations, verifications, reconciliations, etc.

An internal control framework provides a road map regarding the control environment. T

________________________________________

MIDTERM – Risk Management & Assurance Engagement

The risk universe is the list of all risks that could possibly affect an entity. T

Assurance risk can be completely eliminated since a practitioner can provide reasonable assurance, which is considered a high level of assurance. F

In a financial audit, the auditee asserts that the financial statements are fairly presented. T

If an audit procedure is too costly to perform, an auditor may decide not to perform it provided that there are available alternative procedures that can be performed and still satisfy the audit objective. T

Residual risk is the risk left after initial mitigants are being applied. T

A subject matter, to be appropriate, should be identifiable, measurable and verifiable. T

After the risk management cycle is done, the risks that have been identified, assessed and addressed can be completely removed from the risk register to make room for new risks.

The responsible party and intended user should be from different entities. F

The risk management process is a cycle, therefore, after the risk review stage, the risk identification stage starts again. T
Risk registers are only used during the risk review stage of the risk management process. F

Audit is an example of an assertion-based assurance engagement. T

Risk management is a key responsibility of the board of directors. T

In an assurance engagement, the person or persons either as individuals or representatives of an entity, responsible for the subject matter is the intended user. F

Risks are not reduced significantly by diversifying into different activities where the risks are similar. T

In general, evidence obtained from outside sources other than the audit client is more reliable than that obtained internally from the audit client. T

Auditing proceeds by means of an ordered and structured series of steps. T

There are no available actions for risks with low likelihood and low impact to the organization. F

The auditor should conduct an audit in accordance with the Philippine Accounting Standards. F

Both the impact and likelihood of risks are assessed during the identification stage of the risk management process. F

Internal auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria and communicating the results to interested users. F

Tax planning and consulting services can be classified under attestation services. F

If a company’s significant risks are identified and assessed, this can be an indication that the risk management processes are effective. T

In discerning whether to invest in an entity’s publicly traded equity instrument, one may encounter speculative risk. T

Government auditors usually conduct operational audits. F

In a consulting engagement, there are only two parties involved. T

Control risk is the susceptibility of the subject matter information to a material misstatement assuming no related controls exist. F

An independent CPA who is an external auditor can also perform functions done by an internal auditor. T

Risk management is a dynamic process for taking all reasonable steps to find out and deal with risks that impact the company’s objectives. T

The PAS/PFRS is the only suitable criteria to be used in a financial statement audit. F

Laws, regulations and contracts are the established criteria used in a compliance audit. T

Interest rate risk is an example of a market risk. T

The cash basis of accounting could be used as a suitable criteria. T

Attestation services are a type of assurance service. T

Entering into a joint venture agreement is an example of the risk sharing strategy. T

Risks are only assessed according to their impact on the company’s objectives. F

The financial/external auditor usually recommends or suggests on how to improve operations. F

In the risk identification stage, only risks with high impact and likelihood are identified and recorded. F

All audits are assurance services. T

Credit risk is the risk that the company will be unable to make payments to settle liabilities when payment is due. F

Business risk is also called strategic risk. T

A proper segregation of duties requires
an individual recording a transaction not compare the accounting record of the asset with the asset itself

Which of the following best identifies the reason that effective corporate governance is important?
The separation of ownership from management

Which of the following is not considered an internal stakeholder? Lenders

What is the most cost-effective type of internal control?
Preventive control

According to the Anglo Saxon practice, the board of directors represent the Shareholders

In a small company that employs an inadequate number of employees to permit proper division of responsibilities, effective internal control can be strengthened by
Direct participation by the owner of the business in the record keeping activities of the business.

A company requires regular monitoring of actual results versus budgets and forecasts to determine company performance. In addition, it requires members of management to identify, investigate, and report on instances of customer complaints. These are examples of
Detective controls

The primary responsibility for establishing and maintaining internal controls rests with the management.

When considering an internal control, an auditor should be aware of the concept of reasonable assurance, which recognizes that, The costs of an entity’s internal control should not exceed the benefits expected to be derived

Which of the following is a detective type of control?
Inventory counts and surprise cash counts

Which of the following most likely would not be considered as inherent limitation of the potential effectiveness of an entity’s internal control? Incompatible duties.

An entity’s ongoing monitoring activities often include
Reviewing the purchasing function

Which of the following is not typically one of management’s concerns in designing an effective internal control structure? Obtaining the best internal control system possible

The overall attitude and awareness of an entity’s board of directors concerning the importance of internal control usually is reflected in its Control environment.

This pertains to the costs of arrangements that help align the interests of the shareholders and managers. Bonding

A mining company measures its reserves and provides the practitioner with a written report about it. The report is not available to the intended users yet. Instead, it will be communicated to them through the practitioner’s report. This is best described as a(n) Direct reporting

A practitioner who is not independent is not allowed to perform the following services, except Agreed upon

Which of the following statements concerning the intended user of a professional accountant’s report is incorrect? The intended user should never be established by agreement between the practitioner and the responsible party or those engaging or employing the practitioner.

The independent auditor lends credibility to client’s financial statements by: Attaching an auditor’s opinion to the client’s financial statements.

The purchase of insurance is a common form of Risk transfer.

Which of the following statements best describes assurance services? Independent professional services that are intended to enhance the credibility of information to meet the needs of an intended user.

Risk Management includes all of the following processes except Risk Avoidance

Risk transfer is most likely ideal for a risk with a Low expected frequency and a high potential severity.

The best statement of the responsibility of the auditor with respect to audited financial statements is; The auditor’s responsibility is confined to his expression of opinion about the audited financial statements.

This is the level of risk that the company is still willing to accept or tolerate. Risk appetite

Risk is defined as Uncertainty concerning loss.

The practitioner believes that the risk of material misstatement is high and has thus decided to set the acceptable detection risk as low. In such case, The practitioner will choose a lower amount of materiality.

When compiling the financial statements of a nonpublic entity, an accountant should Understand the accounting principles and practices of the entity’s industry

Auditing is based on the assumption that financial data and statements are Verifiable.

A review engagement differs in scope as compared to an audit due to: The quantity and type of evidence obtained

Which of the following best describes the attest process?
Gathering sufficient evidence about specific and known assertions.
Which of the following is an illustration of detection risk?
The auditor's test sample for the inventory count is insufficient to extrapolate out to the entire inventory

In an assertion based engagement, is responsible for the subject matter information, and may be responsible for the subject matter? Responsible party

Aling Manong purchased a desktop computer for the administrative use of his construction company. Using the risk map with the x-axis as the probability of frequency of the risk materializing and y axis as the impact/size of potential loss, which of the following is the best depiction of the mix of the probability and impact/size of a risk of loss of data due to technical glitch? Low probability – High impact

Which of the following is responsible for the fairness of representations made in financial statements? The client's management.

An example of risk mitigation is Using proven technology in the development of a product to lessen the probability that the product will not work

When should a risk be avoided? When the risk event is unacceptable -- generally one with a very high probability of occurrence and high impact

Which statement is incorrect regarding assurance engagement risk? All components of the engagement risk model will be significant for all assurance engagements.

The Security and Exchange Commission (SEC) engages Felicity Sims to perform an assurance engagement regarding a report about Xunnies’ sustainability practices that the SEC has prepared and is to distribute to intended users. In this case, Felicity Sims’ engagement is best described as a(n) Attestation

When managing risk you will only be expected to counter risks which your business may reasonably be expected to face while providing its services. However, management of risk involves a process of steps to be taken in order. This order is: Identification, analysis, treatment, monitoring and

Regarding risk management, “high” and “low” loss frequency and severity are Defined differently for different

It means an engagement in which the practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party: Assurance Engagement

Which statement is incorrect regarding an engagement to perform agreed-upon procedures? The report on factual findings is expressed in the form of negative assurance.

Which of the following best describes “high level of assurance”? It refers to the professional accountant having obtained sufficient appropriate evidence to conclude that the subject matter conforms in all material respects with identified suitable criteria.

Risk mitigation involves all but which of the following
Identification of project risks

Suppose a project has many hazards that could easily injure one or more persons and there is no method of avoiding the potential for damages. The project manager should consider __________ as a means of deflecting the risk.
buying insurance for personal bodily injury

A risk response which involves eliminating a threat is called

The risk that the financial reports are materially incorrect before the audit is performed is called Risk of material

In addressing the risk of unauthorized access to the cash vault, passwords and keys are strictly given to two personnel only. This is an example of addressing risks by
Implementing controls

The auditor communicates the results of his or her work through the medium of the Audit report

