1. Which of the following is NOT a requirement in management’s report on the effectiveness of internal controls over financial reporting?
a. A statement of management’s responsibility for establishing and maintaining adequate internal control user satisfaction.
b. A statement that the organization’s internal auditors have issued an attestation report on management’s assessment of the company’s internal controls.
c. A statement identifying the framework management uses to conduct its assessment of internal controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.
2. Which of the following is NOT an implication of Section 302 of SOX?
a. Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
d. Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
3. Which of the following statements is true?
a. Both the SEC and the PCAOB require the use of the COSO framework.
b. Both the SEC and the PCAOB require the COBIT framework.
c. The SEC recommends COBIT, and the PCAOB recommends COSO.
d. Any framework can be used that encompass all of COSO’s general themes.
e. Both c and d are true.
4. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards
5. Which of the following disaster recovery techniques may be least optimal in the case of a widespread natural disaster?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally beneficial