1. The Sarbanes-Oxley Act of 2002 increased management's responsibility for accurate financial
reporting. Which of the following is not a requirement of Section 404 of the Sarbanes-Oxley Act?
A. Document management's assessment of the effectiveness of the internal control
structure and procedures.
B. Document management's responsibility for establishing adequate internal control
policies.
C. Document management's responsibility to refuse to accept contracts or business
through the payment of bribes.
D. Document management's responsibility for maintaining adequate internal control
policies.
2. Which board of directors committee is charged with overseeing the financial reporting process?
A. The audit committee
B. The compensation committee
C. The financial committee
D. The governance committee
3. Under the Sarbanes-Oxley Act of 2002, companies are now required to implement anti-fraud
programs and controls that they evaluate on an annual basis as part of their integrated audit. A common
component of such anti-fraud programs and controls is the effective design and implementation of
codes of ethics and conduct. Which one of the following is not a characteristic of the operating
effectiveness of a code of conduct?
A. The existence of a plan to communicate the code of conduct to all (or covered)
employees of the company.
B. Audit committee involvement and oversight of non-compliance with the company's
code of conduct.
C. Lack of employee training in the company's code of conduct upon hiring and periodically
thereafter.
D. The existence of an appropriate "hot-line" or whistle-blowing line to report any
violations of the company's code of conduct.
4. Which statement is not a requirement of PCAOB Auditing Standard No. 5?
A. Requires auditors to follow a rules-based approach to determine the extent of audit
testing.
B. Requires auditors to follow a risk-based approach to the development of auditing
procedures.
C. Requires the auditors to follow prescribed approaches to perform the audit.
D. Requires auditors to scale the audit to the size of the organization.
5. Inherent risk and control risk differ from detection risk in that they:
A. Arise from the misapplication of auditing procedures.
B. May be assessed in only quantitative terms.
C. Exist independently of the financial statement audit.
D. Can be changed at the auditor's discretion.
6. The most important distinction between auditing standards (AS) issued by the PCAOB and statements
on auditing standards (SAS) issued by the ASB is:
A. Non-issuers are not permitted to be audited under AS issued by PCAOB, but issuers are
permitted to be audited under SAS issued by ASB.
B. AS issued by the PCAOB apply only to issuers.
C. All SAS issued by the ASB also apply to audits of issuers, but not all AS issued by the
PCAOB are applicable to non-issuers.
D. There are now only minor differences between AS and SAS.
7. Internal control over entity cash receipts is not weakened when an employee who initially receives all
customer mail also:
A. Records credits to individual accounts receivable.
B. Prepares bank deposit slips for all mail receipts.
C. Prepares all journal entries for cash receipts.
D. Maintains a petty cash fund.
8. The safeguarding of inventory most likely includes:
A. Comparison of the information contained on the purchase requisitions, purchase orders,
receiving reports, and vendor invoices.
B. Analytical procedures for raw materials, work-in-process, and finished goods that
identify unusual transactions, theft, and obsolescence.
C. Application of established overhead rates based on direct labor hours or direct labor
costs.
D. Periodic reconciliation of detailed inventory records with the actual inventory on hand
by taking a physical count.
9. Which one of the following methods, for the distribution of employees' paychecks, would provide the
best internal control for the organization?
* Source: Retired ICMA CMA Exam Questions.
A. Distribution of paychecks directly to each employee by a representative of the Human
Resource department.
B. Direct deposit in each employee's personal bank account.
C. Delivery of the paychecks to each department supervisor, who in turn would distribute
paychecks directly to the employees in his/her department.
D. Distribution of paychecks directly to each employee by the payroll manager.
10. It is important for the independent auditor to consider the competence of the audit client's
employees because their competence bears directly on the:
A. Achievement of the objectives of the system of internal control.
B. Cost/benefit relationship of the system of internal control.
C. Comparison of stated employee responsibility and accountability with what has been
achieved.
D. Timing of the tests to be performed.
11. During an audit, an auditor assesses the adequacy of internal controls. An auditor considers what to
audit and the extent of substantive testing based upon the auditor's assessment of:
A. control risk.
B. preventive controls.
C. corrective controls.
D. detective controls.
12. In planning an audit, the auditor considers audit risk. Audit risk is the:
A. risk that the auditor may unknowingly fail to appropriately modify his opinion on
financial statements that are materially misstated.
B. risk that a material error in an account will not be prevented or detected on a timely
basis by the client's internal control system.
C. risk that the auditor's procedures for verifying account balances will not detect a
material error when in fact such error exists.
D. susceptibility of an account balance to material error assuming the client does not have
any related internal control.
13. The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components including control activities. Control activities include all of the following except:
A. adequate separation of duties.
B. risk management.
C. independent verifications.
D. adequate documentation and records.
14. Management philosophy and operating style would most likely have a significant influence on the
entity's control environment when:
A. Management is dominated by one individual.
B. Accurate management job descriptions delineate specific duties.
C. The audit committee actively oversees the financial reporting process.
D. The internal auditor reports directly to management.
15. The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components. An organization's ongoing management activities, evaluations, and internal audits are a
part of:
A. monitoring.
B. information and communication.
C. control environment.
D. risk assessment.
16. The Internal Control Integrated Framework from 1992 comprises five mutually-reinforcing
components. An organization's ongoing management activities, evaluations, and internal audits are a
part of:
A. monitoring.
B. information and communication.
C. control environment.
D. risk assessment.
17. A critical aspect of a disaster recovery plan is to be able to regain operational capability as soon as
possible. In order to accomplish this, an organization can have an arrangement with its computer
hardware vendor to have a fully operational facility available that is configured to the user's specific
needs. This is best known as a(n):
A. hot site.
B. uninterruptible power system.
C. parallel system.
D. cold site.
18. Many organizations participating in e-commerce have serious concerns about security; therefore, a
new subdiscipline, internet assurance services, has evolved. Its main objective is to:
A. provide assurances that web sites are reliable and transaction security is reasonable.
B. insure against fraud and hackers by charging a fee per transmitted transaction.
C. provide assurance that electronic data transmissions reach their destinations and on
time.
D. provide value to data being transmitted by making it secure.
19. Alex is an unhappy employee, and he writes a line of code into the company's software system that
will erase every tenth transaction entered into the system. Which of the following is this called?
A. Trojan horse.
B. Virus.
C. Revenge line.
D. Saboteur.
20. Which of the following situations would most likely provide the best way to secure data integrity for
a personal computer environment?
A. Provide personal computers to all users
B. Trained, proficient user group
C. All computers linked to a secured local area network (LAN)
D. Adequate program documentation