Wednesday, July 1, 2026

CMA Part 1 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA, Governance




*1. COSO 2013 – 5 Components + 17 Principles*


*Case 1: Control Environment*  

_Stem_: XYZ Co’s CEO sets aggressive sales targets and publicly rewards staff who “do whatever it takes” to meet quotas. The CFO overrides journal entries at quarter-end to avoid missing targets. Which COSO component is MOST deficient?  

A. Risk Assessment  

B. Control Environment  

C. Monitoring Activities  

D. Information & Communication  

*Answer: 


*Case 2: Inherent Limitations*  

_Stem_: ABC Co implemented segregation of duties for cash receipts. However, the AR clerk and cashier colluded to steal customer payments and cover it with fake credit memos. This scheme was not detected for 8 months. This represents which inherent limitation of internal control?  

A. Cost vs benefit  

B. Human error  

C. Collusion  

D. Management override  

*Answer:


*Case 3: Benefits vs Limitations*  

_Stem_: After implementing the COSO framework, the Controller claims “Our new controls will eliminate all fraud risk”. The CAE should respond that internal control can only provide:  

A. Absolute assurance  

B. Reasonable assurance  

C. Complete assurance  

D. Guaranteed prevention  

*Answer: 


*2. COBIT 2019 – IT Governance*


*Case 4: COBIT Domains*  

_Stem_: IT Manager implements automated access reviews every 90 days to remove terminated employee IDs from the ERP. This control aligns with which COBIT 2019 governance objective?  

A. DSS05 – Manage Security Services  

B. APO13 – Manage Security  

C. BAI09 – Manage Assets  

D. MEA03 – Manage Compliance  

*Answer: 


*Case 5: COBIT vs COSO*  

_Stem_: Board asks if COBIT 2019 replaces COSO 2013 for overall internal control. Best response:  

A. Yes, COBIT is newer and more comprehensive  

B. No, COBIT is IT governance; COSO is enterprise-wide internal control  

C. Yes, but only for public companies  

D. No, COSO is only for financial reporting  

*Answer: 


*3. SOX Requirements – Section 302 & 404*


*Case 6: SOX 302 Certification*  

_Stem_: CEO and CFO of a U.S. public company review the 10-K. The CFO knows of a material weakness in inventory controls but signs anyway because “it will be fixed next quarter”. This violates:  

A. SOX Section 404  

B. SOX Section 302  

C. FCPA accounting provisions  

D. COSO Principle 15  

*Answer:


*Case 7: SOX 404 Internal Control Report*  

_Stem_: External auditor tests controls and finds a “material weakness” in revenue. Management’s 404 report must:  

A. State controls are effective despite weakness  

B. Conclude internal control over financial reporting is NOT effective  

C. Omit the weakness if under $5M impact  

D. Be signed by audit committee only  

*Answer: 


*4. FCPA – Foreign Corrupt Practices Act*


*Case 8: FCPA Books & Records*  

_Stem_: US Co’s Brazil subsidiary pays $50,000 to a customs official to expedite goods. Local books record it as “consulting fees”. Which FCPA provision is violated?  

A. Anti-bribery only  

B. Accounting provisions only  

C. Both anti-bribery and accounting provisions  

D. Neither, if under $100,000  


*Answer: 


*Case 9: FCPA Internal Controls*  

_Stem_: Which FCPA requirement BEST aligns with COSO?  

A. Prohibition of bribes to foreign officials  

B. Requirement to maintain accurate books and system of internal accounting controls  

C. Disclosure of payments in 10-K  

D. 5-year statute of limitations  

*Answer:

*5. Governance – Board vs Management Roles*


*Case 10: Governance Structure*  

_Stem_: The audit committee of a public company approves the internal audit plan and hires the CAE. The CEO directs the CAE to cancel an audit of executive travel expenses. Which governance principle is violated?  

A. Management’s responsibility for risk management  

B. Board oversight independence  

C. Internal audit’s organizational independence per IIA Std 1110  

D. SOX 301 audit committee responsibility  


*Answer:


*Case 11: Three Lines Model*  

_Stem_: In the Three Lines Model, who owns risk and controls for the sales process?  

A. Internal Audit – 3rd line  

B. Compliance – 2nd line  

C. Sales Department – 1st line  

D. Board of Directors  


*Answer: 


*6. Data Analytics + Tech Controls – 2024 Syllabus*


*Case 12: ITGC vs Application Control*  

_Stem_: ERP automatically blocks invoice posting if PO quantity is exceeded. A programmer changes the code without testing and tolerance is now 500%. This is a failure of:  

A. Application control  

B. IT General Control – Change Management  

C. Preventive control  

D. Detective control  

*Answer: 


*Case 13: Data Analytics Benefit*  

_Stem_: Internal audit uses data analytics to test 100% of journal entries for keywords “reverse”, “accrual”, “adjust” posted on weekends. This provides what benefit over sampling?  

A. Lower cost  

B. Complete population coverage + anomaly detection  

C. Elimination of all fraud  

D. Compliance with SOX 404  


*Answer:


*7. How to Attack Case-Based IC Qs – 2024 Method*


1. *Find the control word*: “segregation”, “override”, “collusion”, “access”, “certify” → tags the topic

2. *Map to framework*: COSO 5 components, COBIT domains, SOX 302/404, FCPA provisions

3. *COSO default*: If Q mentions “tone”, “ethics”, “board” → Control Environment  

   If “risk ID”, “fraud risk” → Risk Assessment  

   If “policies”, “approvals” → Control Activities  

   If “reports”, “ERP” → Info & Communication  

   If “audits”, “reviews” → Monitoring

4. *Eliminate absolutes*: “Eliminates all risk”, “Guarantees prevention” = always wrong

5. *SOX/FCPA rule*: SOX = US public co only. FCPA = any US co or issuer, anywhere


---


*8. High-Yield Terms to Know for Cases*


*COSO*: Control environment, risk appetite, inherent risk, residual risk, preventive vs detective, material weakness, significant deficiency  

*COBIT*: DSS05, APO13, BAI09, MEA, ITGC, application control, change management  

*SOX*: 302 certification, 404 management report + auditor attestation, 301 audit committee, 806 whistleblower  

*FCPA*: Anti-bribery, books & records, internal accounting controls, facilitating payments exception  

*Governance*: Three Lines Model, fiduciary duty, ERM, tone at the top


Section B...

*Q1. COSO Control Environment*

_Case_: CEO frequently overrides the credit approval policy to land large sales before quarter-end. The CFO adjusts the allowance for doubtful accounts to keep net income on target. Which COSO principle is MOST violated?  

A. Risk Assessment – Principle 7: Identifies risks  

B. Control Environment – Principle 1: Commitment to integrity  

C. Control Activities – Principle 10: Selects controls  

D. Monitoring – Principle 16: Conducts evaluations  


*Answer:


---


*Q2. COSO Risk Assessment*

_Case_: ABC Co expanded to Brazil without assessing local bribery laws or currency controls. Six months later they paid $200K in fines for FCPA violations. Which COSO component failed FIRST?  

A. Control Activities  

B. Risk Assessment  

C. Information & Communication  

D. Monitoring Activities  


*Answer:


---


*Q3. COSO Control Activities – Segregation of Duties*

_Case_: The AP clerk can add vendors, approve invoices, and print checks. To mitigate fraud, which SOD is MOST critical to separate?  

A. Vendor setup from invoice approval  

B. Invoice approval from check printing  

C. Check printing from bank reconciliation  

D. All three must be separate per COSO  


*Answer:


---


*Q4. COSO Monitoring Activities*

_Case_: Internal audit performs an inventory count annually but mgmt never reviews variances or follows up. Inventory shrinkage increased 300%. This is a failure of:  

A. Control Activities  

B. Monitoring Activities  

C. Risk Assessment  

D. Control Environment  


*Answer:


---


*Q5. Inherent Limitations – Collusion*

_Case_: Warehouse manager and shipping clerk collude to ship goods to a fake customer and write them off as “damaged”. Physical counts match book. Which limitation made this possible?  

A. Management override  

B. Cost vs benefit  

C. Collusion  

D. Human error  


*Answer: 


---


*Q6. COBIT 2019 – DSS05*

_Case_: IT disabled password expiration for executives “for convenience”. A terminated VP’s account was used to alter sales data 90 days post-termination. This violates which COBIT objective?  

A. APO13 – Manage Security  

B. DSS05 – Manage Security Services  

C. BAI09 – Manage Assets  

D. MEA03 – Manage Compliance  


*Answer:


---


*Q7. COBIT – ITGC vs Application*

_Case_: ERP has a 3-way match control: PO-GR-Invoice. IT migrates to cloud and the control stops working, but no one tests it post-migration. This is:  

A. Application control failure only  

B. ITGC change management failure  

C. COSO monitoring failure  

D. SOX 404 scope exclusion  


*Answer: 


---


*Q8. SOX 302 – Certification*

_Case_: CFO signs 10-Q but internal audit just reported a material weakness in revenue recognition not yet disclosed. CFO says “We’ll fix it before 10-K”. SOX 302 requires:  

A. Disclosure of weakness in 10-Q now  

B. Can delay until 10-K if remediation planned  

C. Only CEO must disclose, not CFO  

D. Disclosure only if auditor agrees  


*Answer: 


---


*Q9. SOX 404 – Material Weakness*

_Case_: External auditor concludes controls over financial reporting are ineffective due to material weakness. Management believes financials are fairly stated. Management’s 404 report should:  

A. State controls are effective because statements are right  

B. State controls are NOT effective due to material weakness  

C. Not issue a report if they disagree with auditor  

D. Issue report with “except for” qualification  


*Answer: 


---


*Q10. FCPA – Accounting Provisions*

_Case_: US Co hides $1M bribe to foreign minister by debiting “Marketing Expense” and crediting Cash. This violates FCPA because:  

A. Bribe exceeds $10,000 threshold  

B. Books must accurately reflect transactions  

C. Foreign minister is not “foreign official”  

D. Only SEC registrants need accurate books  


*Answer: 


---


*Q11. FCPA – Internal Controls*

_Case_: Subsidiary in Asia has no approval matrix; sales reps can authorize $500K discounts verbally. Which FCPA requirement is MOST at risk?  

A. Anti-bribery provision  

B. System of internal accounting controls  

C. Quarterly certification  

D. Whistleblower provision  


*Answer:


---


*Q12. Governance – Three Lines*

_Case_: Compliance department reports to CFO and is told to “go easy” on sales audits before IPO. Under Three Lines Model, which line is compromised?  

A. 1st Line – Sales owns risk  

B. 2nd Line – Compliance independence  

C. 3rd Line – Internal Audit  

D. Board oversight  


*Answer:


---


*Q13. ERM – Risk Appetite vs Tolerance*

_Case_: Board sets “zero tolerance for FCPA violations” but mgmt accepts $2M in high-risk agent commissions without due diligence to meet sales targets. This shows:  

A. Risk appetite exceeded  

B. Risk tolerance exceeded  

C. Both appetite and tolerance breached  

D. COSO Principle 6 failure only  


*Answer: 


---


*Q14. Data Analytics + Internal Control*

_Case_: Company uses RPA bot to post AP invoices. Bot has no exception report and was coded to accept duplicate invoice numbers. Month-end close had $3M duplicate payments. This is primarily a failure of:  

A. COSO Control Activities – Principle 10: Selects controls  

B. COSO Information & Communication – Principle 13: Quality info  

C. IT Application Control – Input/edit checks  

D. COBIT MEA03 – Monitor compliance  


*Answer:


---


*Q15. Benefits of Internal Control*

_Case_: After COSO implementation, controller tells board “We now have zero risk of financial misstatement”. CAE should clarify that internal control provides:  

A. Elimination of inherent risk  

B. Reasonable assurance, not absolute  

C. Guarantee against collusion  

D. Compliance with SOX 404 only  


*Answer: 


---


*How to Use These for Exam Prep*


1. *For each Q you miss*: Write “Rule tested” + “Why I picked wrong” + “Trap type”  

2. *Trap types*: Absolute words, SOX vs FCPA mix-up, COSO component confusion, ITGC vs App control  

3. *2024-2025 focus*: Expect 3-4 cases on data analytics, RPA, cyber, ESG controls in Section E/F  

www.gmsisuccess.in


Saturday, June 27, 2026

Answers: MCQs on AIS + Transaction Cycles – 2024 New Syllabus Sections E + D. Covers source/turnaround docs, revenue, procurement, payroll cycles



Section A...

15 CMA Part 1 MCQs on AIS + Transaction Cycles – 2024 New Syllabus Sections E + D. Covers source/turnaround docs, revenue, procurement, payroll cycles 

*Topic: Source & Turnaround Documents + AIS Deliverables*


*Q1. Source Documents*  

Which document is the _source document_ for recording a credit sale in the AIS?  

A. Customer monthly statement  

B. Sales invoice  

C. Cash receipts journal  

D. Accounts receivable aging report  


*Answer: B. Sales invoice*  

*Explanation*: Source docs initiate a transaction. Sales invoice triggers AR + Revenue entry. Statement is a turnaround doc. Aging is a report/deliverable.


---


*Q2. Turnaround Documents*  

Which is a _turnaround document_ in the revenue cycle?  

A. Purchase order  

B. Remittance advice attached to customer statement  

C. Receiving report  

D. Vendor invoice  


*Answer: B. Remittance advice attached to customer statement*  

*Explanation*: Turnaround = computer output sent out, then returned with data added. Customer tears off remittance advice + sends with payment for cash app.


---


*Q3. AIS Deliverables*  

Which is an _AIS deliverable_ used by management, not a source document?  

A. Time card  

B. Budget vs actual variance report  

C. Shipping document  

D. Check request  


*Answer: B. Budget vs actual variance report*  

*Explanation*: Deliverables = outputs/reports. A, C, D are inputs/source docs. Variance report supports Section B Performance Management.


---


*Topic: Revenue Cycle – Stages, Docs, Responsibility, Controls*


*Q4. Revenue Cycle Sequence*  

The correct order of revenue cycle activities is:  

A. Billing → Shipping → Sales Order → Cash Collection  

B. Sales Order → Shipping → Billing → Cash Collection  

C. Cash Collection → Sales Order → Shipping → Billing  

D. Shipping → Sales Order → Cash Collection → Billing  


*Answer: B. Sales Order → Shipping → Billing → Cash Collection*  

*Explanation*: 1. Customer order entry, 2. Approve credit/release goods, 3. Ship, 4. Invoice, 5. Collect. Billing after shipping ensures goods sent before invoicing.


---


*Q5. Revenue Cycle Documents + Department*  

Which document is prepared by the _Shipping Department_ in the revenue cycle?  

A. Sales order  

B. Bill of lading / Packing slip  

C. Sales invoice  

D. Remittance advice  


*Answer: B. Bill of lading / Packing slip*  

*Explanation*: Shipping prepares BOL + packing slip. Sales Dept = sales order. Billing Dept = invoice. Customer = remittance advice.


---


*Q6. Internal Control Weakness – Revenue*  

The same person approves credit, ships goods, and records sales. This violates:  

A. COSO Monitoring  

B. Segregation of Duties  

C. IT General Controls  

D. Data Governance  


*Answer: B. Segregation of Duties*  

*Explanation*: Authorization, Custody, Recording must be separate. Risk = fictitious sales + theft. Compensating control = independent review.


---


*Topic: Expenditure/Procurement Cycle – Stages, Docs, Controls*


*Q7. Procurement Cycle Sequence*  

Correct sequence for the expenditure cycle:  

A. Invoice approval → Purchase requisition → PO → Receiving → Payment  

B. Purchase requisition → PO → Receiving → Invoice approval → Payment  

C. PO → Purchase requisition → Payment → Receiving → Invoice approval  

D. Receiving → PO → Purchase requisition → Payment → Invoice approval  


*Answer: B. Purchase requisition → PO → Receiving → Invoice approval → Payment*  

*Explanation*: 1. Request, 2. Order, 3. Receive goods, 4. Match docs + approve, 5. Pay. Prevents payment for goods not received.


---


*Q8. Procurement Documents + Responsibility*  

Which document is prepared by the _Receiving Department_?  

A. Purchase requisition  

B. Purchase order  

C. Receiving report  

D. Vendor invoice  


*Answer: C. Receiving report*  

*Explanation*: Receiving counts/inspects goods + creates receiving report. Purchasing = PO. User dept = requisition. Vendor = invoice.


---


*Q9. Internal Control Weakness – Procurement*  

If AP clerk can add new vendors AND process payments, the _primary_ risk is:  

A. Duplicate payments  

B. Fictitious vendor fraud  

C. Inventory obsolescence  

D. Understatement of liabilities  


*Answer: B. Fictitious vendor fraud*  

*Explanation*: SOD violation – Authorization + Recording. Clerk creates fake vendor + pays self. Preventive control = vendor master maintenance by separate person + approval.


---


*Q10. Three-Way Match*  

The “three-way match” in AP prevents which risk?  

A. Payroll fraud  

B. Payment for goods not ordered or not received  

C. Overstated depreciation  

D. Underapplied FOH  


*Answer: B. Payment for goods not ordered or not received*  

*Explanation*: Match PO + Receiving Report + Vendor Invoice. Detective + preventive control. Ensures quantity, price, goods received.


---


*Topic: Payroll Cycle – Stages, Docs, Controls*


*Q11. Payroll Cycle Documents*  

Which is the _source document_ for payroll processing?  

A. Payroll register  

B. Time card / Clock data  

C. Payroll tax return  

D. Labor distribution report  


*Answer: B. Time card / Clock data*  

*Explanation*: Time cards capture hours worked = input. Payroll register + labor distribution = outputs. Tax return = compliance output.


---


*Q12. Payroll Department Responsibility*  

Which department should _authorize_ overtime hours?  

A. Payroll Department  

B. HR Department  

C. Employee’s Supervisor/Dept Manager  

D. Treasury Department  


*Answer: C. Employee’s Supervisor/Dept Manager*  

*Explanation*: Authorization = operating dept. Payroll = recording. HR = custody of personnel files. Treasury = custody of cash. SOD required.


---


*Q13. Payroll Control Weakness*  

The Payroll clerk can add employees, change pay rates, and distribute checks. This creates risk of:  

A. Duplicate vendor payments  

B. Ghost employee fraud  

C. Inventory shrinkage  

D. Sales cutoff errors  


*Answer: B. Ghost employee fraud*  

*Explanation*: SOD violation – Authorization + Custody + Recording. Preventive = HR adds employees, Supervisor approves rates, Payroll processes, Treasury distributes.


---


*Topic: Mixed Cycles + AIS Concepts*


*Q14. AIS Input-Process-Output*  

In an AIS, the chart of accounts is part of:  

A. Input  

B. Process  

C. Storage  

D. Output  


*Answer: C. Storage*  

*Explanation*: Chart of Accounts = master file stored in AIS. Input = source docs. Process = posting rules. Output = financial statements.


---


*Q15. Control Activity for All Cycles*  

Which control activity applies to _revenue, procurement, and payroll_ cycles?  

A. Requiring purchase requisitions for all orders  

B. Segregation of duties between authorization, custody, recording  

C. Matching shipping docs to invoices  

D. Approving overtime hours  


*Answer: B. Segregation of duties between authorization, custody, recording*  

*Explanation*: SOD is a universal COSO Control Activity. A, C, D are cycle-specific. IMA tests SOD in every cycle scenario.


---


*High-Yield Exam Notes for Cycles – 2024 Syllabus*

| Cycle | Key Docs | Key SOD Issue | #1 Control |
|---|---|---|---|
| Revenue | Sales order, BOL, Invoice, Remittance | Credit + Shipping + AR recording | Sales order approval + credit check |
| Procurement | Req, PO, Receiving Report, Invoice | Vendor master + AP payment | 3-way match + SOD |
| Payroll | Time card, Payroll register | Add employee + process + distribute pay | HR/Payroll/Treasury SOD + supervisor approval |

*IMA Trap*: Turnaround doc = computer output returned. Source doc = original input. Deliverable = report.  

*SOD Rule*: If 1 person does 2 of: Authorize, Custody, Record = violation.


*Exam Tips for AIS MCQs – 2024 Syllabus*

1. *SOD = Control Activities* – if 1 person can authorize + record, it’s always SOD.

2. *RPO/RTO = Business decision* – not IT’s call. RPO = data loss tolerance.

3. *Analytics order*: Descriptive → Diagnostic → Predictive → Prescriptive.

4. *ITGC vs App*: ITGC = data center/access/change. App = edit checks in 1 system.

5. *Reasonable assurance only* – never pick “eliminates all risk”.



*Section B: AIS Mini-Test – 15 MCQs*


*Q1. Segregation of Duties*  

During an AIS review, the auditor finds the Treasury Manager can initiate wire transfers, approve wires, and reconcile the bank account. This violates which principle?  

A. Control Environment  

B. Risk Assessment  

C. Control Activities  

D. Information & Communication  


*Answer: C. Control Activities*  

*Explanation*: SOD = Control Activities per COSO. One person with Authorization + Custody + Recording creates fraud risk. This is a preventive control failure.


---


*Q2. ERP Benefit*  

The _primary_ benefit of an ERP system for financial reporting is:  

A. Eliminates the need for internal auditors  

B. Provides a single database to reduce reconciliations and improve timeliness  

C. Guarantees absolute assurance of no misstatements  

D. Removes all IT General Controls requirements  


*Answer: B. Provides a single database to reduce reconciliations and improve timeliness*  

*Explanation*: ERP integrates modules = single source of truth. C and D are wrong – COSO gives only _reasonable_ assurance and ERP _increases_ ITGC needs.


---


*Q3. RPA vs AI*  

Which task is _best_ suited for RPA rather than AI?  

A. Predicting customer churn using historical sales patterns  

B. Classifying customer emails by sentiment  

C. Downloading invoices from email and entering them into AP  

D. Recommending optimal selling price based on demand elasticity  


*Answer: C. Downloading invoices from email and entering them into AP*  

*Explanation*: RPA = high-volume, rule-based, repetitive tasks. A, B, D require learning/judgment = AI/ML.


---


*Q4. Data Governance*  

Who should _own_ the definition of RPO and RTO for the cloud-based AIS?  

A. IT Department  

B. Cloud vendor  

C. Finance/Controller  

D. External auditor  


*Answer: C. Finance/Controller*  

*Explanation*: Per Data Governance, business data owners define recovery objectives. IT implements. RPO = how much data loss is acceptable. RTO = how fast to recover.


---


*Q5. COSO Component ID*  

Employees report they don’t know who to notify about suspected fraud because no policy exists. Which COSO component is deficient?  

A. Control Environment  

B. Risk Assessment  

C. Control Activities  

D. Information & Communication  


*Answer: D. Information & Communication*  

*Explanation*: Quality info must flow down, up, and across. Missing fraud reporting channel = Information & Communication failure.


---


*Q6. ITGC vs Application Control*  

Which is an IT General Control?  

A. Three-way match of PO, GRN, invoice before payment  

B. Program change must be tested and approved before production  

C. System prevents posting if debit ≠ credit  

D. Duplicate vendor invoice number is rejected  


*Answer: B. Program change must be tested and approved before production*  

*Explanation*: Change management = ITGC, applies to all systems. A, C, D are application controls for AP/GL.


---


*Q7. Types of Analytics*  

FP&A runs regression to forecast next quarter sales based on ad spend. This is:  

A. Descriptive analytics  

B. Diagnostic analytics  

C. Predictive analytics  

D. Prescriptive analytics  


*Answer: C. Predictive analytics*  

*Explanation*: Predictive = “what will happen”. Regression forecasts a future value (R² measures how well the model fits). Descriptive = what happened. Diagnostic = why it happened.


---


*Q8. Data Quality Dimensions*  

An AIS accepts customer records with blank “State” fields. Which data quality dimension is violated?  

A. Timeliness  

B. Completeness  

C. Accuracy  

D. Consistency  


*Answer: B. Completeness*  

*Explanation*: Completeness = all required fields populated. Accuracy = value is correct. Blank field = incomplete.


---


*Q9. Blockchain in AIS*  

The _main_ benefit of blockchain for audit trail purposes is:  

A. It eliminates the need for bank reconciliations  

B. It provides an immutable, time-stamped ledger  

C. It guarantees financial statements are free of error  

D. It reduces the cost of RPA licenses  


*Answer: B. It provides an immutable, time-stamped ledger*  

*Explanation*: Blockchain’s key feature = cannot be altered retroactively. Improves audit evidence. Does not eliminate recs or guarantee no errors.


---


*Q10. Preventive vs Detective*  

Which control is _detective_?  

A. Password complexity requirements  

B. Segregation of duties for cash handling  

C. Monthly bank reconciliation  

D. Approval required for purchases > $10,000  


*Answer: C. Monthly bank reconciliation*  

*Explanation*: Recs find errors _after_ they occur = detective. A, B, D stop errors before = preventive.


---


*Q11. Master Data Management MDM*  

MDM’s primary objective in an AIS is to:  

A. Speed up month-end close by automating JEs  

B. Create a single source of truth for vendors, customers, products  

C. Replace the need for COSO Internal Control  

D. Provide predictive analytics for sales  


*Answer: B. Create a single source of truth for vendors, customers, products*  

*Explanation*: MDM ensures master files are consistent across systems. Prevents duplicate vendors, wrong ship-to, etc.


---


*Q12. R² Interpretation*  

A cost regression shows R² = 0.92. This means:  

A. 92% of the costs are fixed  

B. 92% of cost variation is explained by the activity driver  

C. The regression is not reliable  

D. 8% of costs are variable  


*Answer: B. 92% of cost variation is explained by the activity driver*  

*Explanation*: R² = coefficient of determination. High R² = strong relationship. Used in cost estimation.


---


*Q13. Cloud Risk*  

The _biggest_ risk when moving AIS to SaaS is:  

A. Slower financial reporting  

B. Vendor lock-in and data security/privacy  

C. Loss of ERP functionality  

D. Inability to use RPA  


*Answer: B. Vendor lock-in and data security/privacy*  

*Explanation*: SaaS = data outside company. Key risks: vendor failure, breach, GDPR/CCPA compliance. Usually improves speed.


---


*Q14. SOX 404 & AIS*  

Under SOX 404, management must:  

A. Guarantee financial statements are 100% accurate  

B. Assess and report on effectiveness of ICFR, including IT controls  

C. Outsource internal audit to external auditors  

D. Eliminate all detective controls  


*Answer: B. Assess and report on effectiveness of ICFR, including IT controls*  

*Explanation*: SOX 404 = Mgmt tests ICFR + auditor attests. ITGCs are part of ICFR. No guarantee of 100% accuracy.


---


*Q15. Business Continuity*  

RTO = 4 hours. RPO = 1 hour. After a server crash, what does this mean?  

A. Systems must be restored within 1 hour, data loss ≤ 4 hours  

B. Systems must be restored within 4 hours, data loss ≤ 1 hour  

C. Both systems and data must be restored in 1 hour  

D. RTO/RPO only apply to cloud systems  


*Answer: B. Systems must be restored within 4 hours, data loss ≤ 1 hour*  

*Explanation*: RTO = Recovery Time Objective = downtime tolerance. RPO = Recovery Point Objective = data loss tolerance.





MCQs on AIS + Transaction Cycles* – 2024 New Syllabus Sections E + D. Covers source/turnaround docs, revenue, procurement, payroll cycles + internal control weaknesses.

 MCQs on AIS + Transaction Cycles* – 2024 New Syllabus Sections E + D. Covers source/turnaround docs, revenue, procurement, payroll cycles + internal control weaknesses.

Section A...

*Topic: Source & Turnaround Documents + AIS Deliverables*


*Q1. Source Documents*  

Which document is the _source document_ for recording a credit sale in the AIS?  

A. Customer monthly statement  

B. Sales invoice  

C. Cash receipts journal  

D. Accounts receivable aging report  


*Answer: 


---


*Q2. Turnaround Documents*  

Which is a _turnaround document_ in the revenue cycle?  

A. Purchase order  

B. Remittance advice attached to customer statement  

C. Receiving report  

D. Vendor invoice  


*Answer:


---


*Q3. AIS Deliverables*  

Which is an _AIS deliverable_ used by management, not a source document?  

A. Time card  

B. Budget vs actual variance report  

C. Shipping document  

D. Check request  


*Answer


---


*Topic: Revenue Cycle – Stages, Docs, Responsibility, Controls*


*Q4. Revenue Cycle Sequence*  

The correct order of revenue cycle activities is:  

A. Billing → Shipping → Sales Order → Cash Collection  

B. Sales Order → Shipping → Billing → Cash Collection  

C. Cash Collection → Sales Order → Shipping → Billing  

D. Shipping → Sales Order → Cash Collection → Billing  


*Answer:


---


*Q5. Revenue Cycle Documents + Department*  

Which document is prepared by the _Shipping Department_ in the revenue cycle?  

A. Sales order  

B. Bill of lading / Packing slip  

C. Sales invoice  

D. Remittance advice  


*Answer


---


*Q6. Internal Control Weakness – Revenue*  

The same person approves credit, ships goods, and records sales. This violates:  

A. COSO Monitoring  

B. Segregation of Duties  

C. IT General Controls  

D. Data Governance  


*Answer:


---


*Topic: Expenditure/Procurement Cycle – Stages, Docs, Controls*


*Q7. Procurement Cycle Sequence*  

Correct sequence for the expenditure cycle:  

A. Invoice approval → Purchase requisition → PO → Receiving → Payment  

B. Purchase requisition → PO → Receiving → Invoice approval → Payment  

C. PO → Purchase requisition → Payment → Receiving → Invoice approval  

D. Receiving → PO → Purchase requisition → Payment → Invoice approval  


*Answer:


---


*Q8. Procurement Documents + Responsibility*  

Which document is prepared by the _Receiving Department_?  

A. Purchase requisition  

B. Purchase order  

C. Receiving report  

D. Vendor invoice  


*Answer: 


---


*Q9. Internal Control Weakness – Procurement*  

If AP clerk can add new vendors AND process payments, the _primary_ risk is:  

A. Duplicate payments  

B. Fictitious vendor fraud  

C. Inventory obsolescence  

D. Understatement of liabilities  


*Answer: 


---


*Q10. Three-Way Match*  

The “three-way match” in AP prevents which risk?  

A. Payroll fraud  

B. Payment for goods not ordered or not received  

C. Overstated depreciation  

D. Underapplied FOH  


*Answer:


---


*Topic: Payroll Cycle – Stages, Docs, Controls*


*Q11. Payroll Cycle Documents*  

Which is the _source document_ for payroll processing?  

A. Payroll register  

B. Time card / Clock data  

C. Payroll tax return  

D. Labor distribution report  


*Answer


---


*Q12. Payroll Department Responsibility*  

Which department should _authorize_ overtime hours?  

A. Payroll Department  

B. HR Department  

C. Employee’s Supervisor/Dept Manager  

D. Treasury Department  


*Answer:


---


*Q13. Payroll Control Weakness*  

The Payroll clerk can add employees, change pay rates, and distribute checks. This creates risk of:  

A. Duplicate vendor payments  

B. Ghost employee fraud  

C. Inventory shrinkage  

D. Sales cutoff errors  


*Answer: 


---


*Topic: Mixed Cycles + AIS Concepts*


*Q14. AIS Input-Process-Output*  

In an AIS, the chart of accounts is part of:  

A. Input  

B. Process  

C. Storage  

D. Output  


*Answer:


---


*Q15. Control Activity for All Cycles*  

Which control activity applies to _revenue, procurement, and payroll_ cycles?  

A. Requiring purchase requisitions for all orders  

B. Segregation of duties between authorization, custody, recording  

C. Matching shipping docs to invoices  

D. Approving overtime hours  


*Answer: 


---


*High-Yield Exam Notes for Cycles – 2024 Syllabus*

| Cycle | Key Docs | Key SOD Issue | #1 Control |
|---|---|---|---|
| Revenue | Sales order, BOL, Invoice, Remittance advice | Credit approval + Shipping + AR recording | Sales order approval + credit check |
| Procurement | Requisition, PO, Receiving report, Invoice | Vendor master + AP payment | 3-way match + SOD |
| Payroll | Time card, Payroll register | Add employee + process + distribute pay | HR/Payroll/Treasury SOD + supervisor approval |

*IMA Trap*: Turnaround document = computer output that comes back as input (e.g. the remittance advice returned with a customer's payment). Source document = original input. Deliverable = report.  

*SOD Rule*: If one person performs any 2 of Authorize, Custody, Record for the same transaction stream, that is an SOD violation.
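The SOD rule above, the vendor-master/AP conflict in Q9, the payroll conflict in Q13 and the periodic access review in the ITGC questions later on the page are all one detection: compare the ERP's user-to-role assignments against HR and against a role classification. The script below is an added example, not part of the original page or of any ERP vendor's tooling. The role names, their assumed mapping to Authorize / Custody / Record within a process, and the HR and ERP extracts are constructed; a real review would read these from the HR system and the ERP authorization tables.

```python
"""Periodic user access review for an ERP: flag active accounts that belong
to terminated employees, accounts with no HR owner, and segregation-of-duties
conflicts using the rule that one person holding two of Authorize / Custody /
Record in the same process is a violation.

Added example, not part of the original page. The role names, the assumed
mapping of roles to duty types, and the HR and ERP extracts are constructed
and do not describe any particular ERP's authorization model.
"""
from datetime import date

# Assumed classification of ERP roles: role -> (process, duty type).
ROLE_DUTIES = {
    "VENDOR_MASTER_MAINT":   ("procurement", "authorize"),
    "PO_APPROVE":            ("procurement", "authorize"),
    "AP_INVOICE_ENTRY":      ("procurement", "record"),
    "AP_PAYMENT_RUN":        ("procurement", "custody"),
    "PAYROLL_MASTER_MAINT":  ("payroll", "authorize"),
    "PAYROLL_RUN":           ("payroll", "record"),
    "PAYROLL_CHECK_DISTRIB": ("payroll", "custody"),
    "WIRE_APPROVE":          ("treasury", "authorize"),
    "WIRE_INITIATE":         ("treasury", "custody"),
    "BANK_RECONCILE":        ("treasury", "record"),
}


def sod_conflicts(roles):
    """Return {process: {duty: [roles]}} for each process in which the
    role set spans two or more duty types. Unclassified roles are ignored."""
    by_process = {}
    for role in roles:
        if role in ROLE_DUTIES:
            process, duty = ROLE_DUTIES[role]
            by_process.setdefault(process, {}).setdefault(duty, []).append(role)
    return {p: duties for p, duties in by_process.items() if len(duties) >= 2}


def review_access(hr_roster, erp_users, as_of):
    """Return sorted (user_id, finding_type, detail) tuples for the review date."""
    hr = {e["employee_id"]: e for e in hr_roster}
    findings = []
    for user in erp_users:
        emp = hr.get(user["employee_id"])
        if emp is None:
            findings.append((user["user_id"], "ORPHAN_ACCOUNT", "no HR record owns this account"))
        elif emp["termination_date"] is not None and emp["termination_date"] <= as_of and user["enabled"]:
            findings.append((user["user_id"], "TERMINATED_ACTIVE",
                             f"employee terminated {emp['termination_date']} but account still enabled"))
        for process, duties in sod_conflicts(user["roles"]).items():
            detail = "; ".join(f"{duty}: {','.join(r)}" for duty, r in sorted(duties.items()))
            findings.append((user["user_id"], "SOD_CONFLICT", f"{process}: {detail}"))
    return sorted(findings)


# Constructed sample extracts (not real data).
AS_OF = date(2024, 6, 30)
SAMPLE_HR = [
    {"employee_id": "E1", "name": "Alice", "termination_date": None},
    {"employee_id": "E2", "name": "Bob",   "termination_date": date(2024, 3, 15)},
    {"employee_id": "E3", "name": "Carol", "termination_date": None},
    {"employee_id": "E4", "name": "Dan",   "termination_date": None},
    {"employee_id": "E5", "name": "Erin",  "termination_date": None},
]
SAMPLE_ERP_USERS = [
    # AP clerk who can add vendors and run payments: fictitious-vendor risk (Q9)
    {"user_id": "alice", "employee_id": "E1", "enabled": True,
     "roles": ["AP_PAYMENT_RUN", "VENDOR_MASTER_MAINT"]},
    # terminated in March, ID never removed (what the periodic review must catch)
    {"user_id": "bob", "employee_id": "E2", "enabled": True, "roles": ["AP_PAYMENT_RUN"]},
    # payroll clerk who adds employees, runs payroll and hands out checks (Q13)
    {"user_id": "carol", "employee_id": "E3", "enabled": True,
     "roles": ["PAYROLL_MASTER_MAINT", "PAYROLL_RUN", "PAYROLL_CHECK_DISTRIB"]},
    # treasury manager who initiates, approves and reconciles wires
    {"user_id": "dan", "employee_id": "E4", "enabled": True,
     "roles": ["WIRE_INITIATE", "WIRE_APPROVE", "BANK_RECONCILE"]},
    # bot account with no HR owner
    {"user_id": "svc_rpa", "employee_id": None, "enabled": True, "roles": ["AP_PAYMENT_RUN"]},
    # clean: one duty type only
    {"user_id": "erin", "employee_id": "E5", "enabled": True, "roles": ["AP_INVOICE_ENTRY"]},
]

if __name__ == "__main__":
    for user_id, kind, detail in review_access(SAMPLE_HR, SAMPLE_ERP_USERS, AS_OF):
        print(f"{user_id:8} {kind:18} {detail}")
```

Two design points matter in practice. The conflict check is per process, so holding "record" in procurement and "record" in payroll is not flagged; cross-process conflicts (such as AP entry plus GL posting in MCQ 1 below) need their own rule in the classification table. And the review is only as good as the role-to-duty mapping, which is why that mapping should be owned by the process owner and reviewed with the same cadence as the access list.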


*Section B*

*MCQ 1: ERP & Segregation of Duties*

Apex Mfg is implementing SAP. During UAT, internal audit notes that users with “AP clerk” access can also post journal entries to the GL. The IT manager says segregation of duties will be fixed after go-live.


Which COSO internal control component is _most_ deficient?

A. Risk Assessment

B. Control Environment

C. Control Activities

D. Monitoring


*Answer:


---


*MCQ 2: RPA & Data Quality*

Beta Corp uses RPA bots to auto-post bank fees from downloaded statements. Last month, duplicate rows in the bank file caused $50,000 of duplicate fees to post. No exception report was reviewed.


Which 2 data quality dimensions were _most likely_ violated?

A. Accuracy and Validity

B. Timeliness and Completeness

C. Consistency and Accessibility

D. Uniqueness and Integrity


*Answer:
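The Beta Corp failure has two controllable parts: the bot accepted an input file that violated uniqueness, and the posting step had no memory of what it had already posted. The following is an added example, not part of the original page or of any RPA product; the CSV layout, the choice of uniqueness key and the sample statement rows are constructed. It gates the file before posting, writes an exception report instead of guessing, and makes the posting idempotent so a re-run of the bot cannot post the same fee twice.

```python
"""Data-quality gate in front of an RPA posting bot: reject duplicate rows in
a bank statement extract to an exception report and make the posting step
idempotent with a uniqueness key, so a re-run cannot post the same fee twice.

Added example, not part of the original page. The CSV layout, the choice of
uniqueness key and the sample statement rows are constructed; they do not
follow any bank's export format.
"""
import csv
import hashlib
import io

# Constructed statement extract. Row 3 repeats row 2 exactly; rows 4 and 5 share
# a reference but disagree on the amount, which must not be auto-resolved.
SAMPLE_STATEMENT = """date,reference,description,amount
2024-05-01,FEE-0001,Monthly account fee,-25.00
2024-05-03,FEE-0002,Wire transfer fee,-35.00
2024-05-03,FEE-0002,Wire transfer fee,-35.00
2024-05-07,FEE-0003,Returned item fee,-12.00
2024-05-07,FEE-0003,Returned item fee,-12.50
"""


def gate_statement(csv_text):
    """Split an extract into (rows_to_post, exceptions).

    Uniqueness key: (date, reference). Exact repeats of a key are posted once and
    the extra copies reported; rows that share a key but differ in content are
    all held for a human, because the bot cannot know which one is right.
    """
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault((row["date"], row["reference"]), []).append(row)
    to_post, exceptions = [], []
    for group in groups.values():
        distinct = {tuple(sorted(r.items())) for r in group}
        if len(distinct) == 1:
            to_post.append(group[0])
            exceptions.extend(("DUPLICATE_ROW", r) for r in group[1:])
        else:
            exceptions.extend(("CONFLICTING_ROWS", r) for r in group)
    return to_post, exceptions


def posting_key(row):
    """Deterministic key for one fee; the ledger refuses a second posting of the same key."""
    raw = "|".join((row["date"], row["reference"], row["amount"]))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def post_fees(rows, ledger):
    """Post rows into ledger ({posting_key: row}); return how many were new."""
    posted = 0
    for row in rows:
        key = posting_key(row)
        if key in ledger:
            continue  # already posted by an earlier run
        ledger[key] = row
        posted += 1
    return posted


def demo_rerun(csv_text=SAMPLE_STATEMENT):
    """Run the bot twice against the same extract; return (first_run, second_run) counts."""
    ledger = {}
    rows, _ = gate_statement(csv_text)
    return post_fees(rows, ledger), post_fees(rows, ledger)


if __name__ == "__main__":
    rows, exceptions = gate_statement(SAMPLE_STATEMENT)
    print("to post:", [r["reference"] for r in rows])
    for reason, row in exceptions:
        print("EXCEPTION", reason, row["date"], row["reference"], row["amount"])
    print("postings per run:", demo_rerun())
```

The gate answers the MCQ's two dimensions directly: the (date, reference) key enforces uniqueness, and refusing to pick between conflicting rows protects integrity. The exception list still has to be reviewed by someone; an unread exception report was the other half of Beta Corp's problem, and no amount of code in the bot substitutes for that monitoring step.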


---


*MCQ 3: Cloud AIS & Data Governance*

Gamma Retail’s SaaS AIS had no defined RPO/RTO. After a ransomware attack, recovery took 5 days and two days of sales data were lost. The Controller stated “IT owns the cloud.”


This scenario _best_ illustrates a failure in:

A. IT General Controls – Change Management

B. Data Governance – Ownership and Data Life Cycle

C. Application Controls – Input Validation

D. COSO Monitoring – Separate Evaluations


*Answer:


---


*MCQ 4: BI Dashboard & Analytics Type*

Delta Co’s Power BI dashboard shows “actual vs budget” sales. FP&A discovers actuals use cash-basis while budget is accrual-basis, causing misleading FOH variances.


The dashboard provides which type of analytics, and what is missing?

A. Predictive; missing regression analysis

B. Descriptive; missing diagnostic analysis

C. Diagnostic; missing prescriptive analysis

D. Prescriptive; missing descriptive analysis


*Answer:


---


*MCQ 5: ITGC vs Application Control*

Which of the following is an example of an _IT General Control_ rather than an application control?

A. System rejects invoice if amount is negative

B. Quarterly review of user access rights to the GL module

C. Batch total of payroll hours must match detail records

D. Field format check for valid date in sales entry screen


*Answer: 


---


*MCQ 6: RPA vs AI*

Which statement _correctly_ differentiates RPA from AI in an AIS context?

A. RPA uses machine learning to improve decision making over time

B. AI is best for high-volume, rule-based, repetitive tasks

C. RPA follows programmed rules and does not learn from data

D. AI cannot be used for financial statement preparation


*Answer:


---


*Exam Tips for AIS MCQs – 2024 Syllabus*

1. *SOD = Control Activities* – if one person can authorize and record (or hold custody of) the same transaction, the deficiency is segregation of duties, which sits under Control Activities.

2. *RPO/RTO = Business decision* – set by the process owner, not IT. RPO = how much data loss is tolerable (time since the last usable backup); RTO = how long the system may be down.

3. *Analytics order*: Descriptive → Diagnostic → Predictive → Prescriptive.

4. *ITGC vs App*: ITGC = access security, change management, computer operations/data center. App = edit checks and matching inside one application.

5. *Reasonable assurance only* – never pick “eliminates all risk”.


---


*Section E: AIS Mini-Test – 15 MCQs*


*Q1. Segregation of Duties*  

During an AIS review, the auditor finds the Treasury Manager can initiate wire transfers, approve wires, and reconcile the bank account. This is a deficiency in which COSO component?  

A. Control Environment  

B. Risk Assessment  

C. Control Activities  

D. Information & Communication  


*Answer:


---


*Q2. ERP Benefit*  

The _primary_ benefit of an ERP system for financial reporting is:  

A. Eliminates the need for internal auditors  

B. Provides a single database to reduce reconciliations and improve timeliness  

C. Guarantees absolute assurance of no misstatements  

D. Removes all IT General Controls requirements  


*Answer:


---


*Q3. RPA vs AI*  

Which task is _best_ suited for RPA rather than AI?  

A. Predicting customer churn using historical sales patterns  

B. Classifying customer emails by sentiment  

C. Downloading invoices from email and entering them into AP  

D. Recommending optimal selling price based on demand elasticity  


*Answer:


---


*Q4. Data Governance*  

Who should _own_ the definition of RPO and RTO for the cloud-based AIS?  

A. IT Department  

B. Cloud vendor  

C. Finance/Controller  

D. External auditor  


*Answer:


---


*Q5. COSO Component ID*  

Employees report they don’t know who to notify about suspected fraud because no policy exists. Which COSO component is deficient?  

A. Control Environment  

B. Risk Assessment  

C. Control Activities  

D. Information & Communication  


*Answer:


---


*Q6. ITGC vs Application Control*  

Which is an IT General Control?  

A. Three-way match of PO, GRN, invoice before payment  

B. Program change must be tested and approved before production  

C. System prevents posting if debit ≠ credit  

D. Duplicate vendor invoice number is rejected  


*Answer:


---


*Q7. Types of Analytics*  

FP&A runs regression to forecast next quarter sales based on ad spend. This is:  

A. Descriptive analytics  

B. Diagnostic analytics  

C. Predictive analytics  

D. Prescriptive analytics  


*Answer: 


---


*Q8. Data Quality Dimensions*  

An AIS accepts customer records with blank “State” fields. Which data quality dimension is violated?  

A. Timeliness  

B. Completeness  

C. Accuracy  

D. Consistency  


*Answer:


---


*Q9. Blockchain in AIS*  

The _main_ benefit of blockchain for audit trail purposes is:  

A. It eliminates the need for bank reconciliations  

B. It provides an immutable, time-stamped ledger  

C. It guarantees financial statements are free of error  

D. It reduces the cost of RPA licenses  


*Answer:


---


*Q10. Preventive vs Detective*  

Which control is _detective_?  

A. Password complexity requirements  

B. Segregation of duties for cash handling  

C. Monthly bank reconciliation  

D. Approval required for purchases > $10,000  


*Answer:


---


*Q11. Master Data Management MDM*  

MDM’s primary objective in an AIS is to:  

A. Speed up month-end close by automating JEs  

B. Create a single source of truth for vendors, customers, products  

C. Replace the need for COSO Internal Control  

D. Provide predictive analytics for sales  


*Answer:


---


*Q12. R² Interpretation*  

A cost regression shows R² = 0.92. This means:  

A. 92% of the costs are fixed  

B. 92% of cost variation is explained by the activity driver  

C. The regression is not reliable  

D. 8% of costs are variable  


*Answer:


---


*Q13. Cloud Risk*  

The _biggest_ risk when moving AIS to SaaS is:  

A. Slower financial reporting  

B. Vendor lock-in and data security/privacy  

C. Loss of ERP functionality  

D. Inability to use RPA  


*Answer: 


---


*Q14. SOX 404 & AIS*  

Under SOX 404, management must:  

A. Guarantee financial statements are 100% accurate  

B. Assess and report on effectiveness of ICFR, including IT controls  

C. Outsource internal audit to external auditors  

D. Eliminate all detective controls  


*Answer:


---


*Q15. Business Continuity*  

RTO = 4 hours. RPO = 1 hour. After a server crash, what does this mean?  

A. Systems must be restored within 1 hour, data loss ≤ 4 hours  

B. Systems must be restored within 4 hours, data loss ≤ 1 hour  

C. Both systems and data must be restored in 1 hour  

D. RTO/RPO only apply to cloud systems  


*Answer:


---