- Preventive Controls: Designed to stop errors or fraud before they occur (e.g., segregation of duties, authorization limits, password protections).
- Detective Controls: Designed to identify errors or fraud after they have occurred (e.g., bank reconciliations, physical inventory checks, audits).
- Corrective Controls: Implemented to fix issues discovered by detective controls (e.g., correcting data entry errors, updating policies).
- Administrative/Management Controls: Focused on operational efficiency and compliance (e.g., training programs, performance evaluations).
- Control Environment: The tone at the top.
- Risk Assessment: Identifying risks to objectives.
- Control Activities: Policies/procedures (segregation of duties).
- Information and Communication: Systems that facilitate controls.
- Monitoring: Ongoing evaluations of the system.
- Human Judgment & Error: Mistakes in decision-making, fatigue, or misunderstanding of instructions.
- Management Override: High-level personnel may bypass controls, for example to mask fraud.
- Collusion: Two or more employees work together to bypass segregation of duties.
- Cost vs. Benefit: The cost of implementing a control might outweigh its benefits.
- Obsolescence: Systems may not adapt quickly enough to new, changing business risks.
INTERNAL CONTROL – ULTRA IMPORTANT REVISION NOTES
(US CMA Part 1 & Part 2)
1️⃣ Meaning & Definition of Internal Control
Internal Control = a process designed and implemented by Board, Management & Employees to provide reasonable assurance regarding:
- Effectiveness & efficiency of operations
- Reliability of financial reporting
- Compliance with laws & regulations
👉 KEY WORD: Process, not event | Reasonable, not absolute
📌 Exam Trap: Internal control does NOT guarantee prevention of fraud or errors.
2️⃣ Objectives of Internal Control
- Safeguard assets
- Ensure accurate & reliable records
- Promote operational efficiency
- Ensure compliance
- Prevent & detect fraud/errors
3️⃣ Types of Internal Control
(A) Based on Nature
- Administrative controls – policies, authorizations
- Accounting controls – safeguarding assets, accurate records
(B) Based on Timing
- Preventive controls → stop errors (authorizations, segregation)
- Detective controls → find errors (reconciliation, audits)
- Corrective controls → fix errors (backup restoration, adjustments)
📌 Best Practice: Strong preventive controls reduce the need for detective controls
4️⃣ Requisites of Good Internal Control System
- Proper segregation of duties
- Authorization & approval procedures
- Adequate documentation
- Physical & logical access controls
- Independent checks
- Competent personnel
- Rotation of duties & mandatory leave
5️⃣ Inherent Limitations of Internal Control (VERY EXAMINABLE)
Internal control cannot eliminate risk because of:
- Human error
- Management override
- Collusion
- Cost > benefit constraint
- Changing environment
- Poor judgment
📌 MCQ Clue: Any option claiming absolute assurance = ❌
6️⃣ Effective Internal Control System – Characteristics
- Integrated with operations
- Continuous monitoring
- Risk-based approach
- Clear accountability
- Supported by governance
- Technology enabled
7️⃣ Internal Control Process Flow
Objectives → Risk Identification → Control Design → Implementation → Monitoring → Improvement
8️⃣ Risk Owner (Frequently Tested Concept)
- Person accountable for managing a specific risk
- Usually process owner, not auditor
- Responsible for:
  - Identifying risk
  - Implementing controls
  - Reporting failures
📌 Trap: Internal auditor is NOT risk owner
9️⃣ Governance & Internal Control
Governance ensures:
- Ethical behavior
- Accountability
- Transparency
- Oversight
Key Governance Players:
- Board of Directors
- Audit Committee
- Senior Management
- Internal Audit
🔟 Role of Board of Directors
- Ultimate responsibility for IC
- Set tone at the top
- Approve risk appetite
- Oversee financial reporting
- Ensure independence of auditors
📌 Board does NOT design controls – management does
1️⃣1️⃣ Role of Audit Committee (HOT EXAM AREA)
- Independent directors
- Oversees:
  - Financial reporting
  - Internal control effectiveness
  - Internal & external auditors
- Reviews whistleblower complaints
- Ensures auditor independence
📌 Audit Committee ≠ Management
1️⃣2️⃣ COSO Framework (CORE FOR CMA)
COSO = Internal Control – Integrated Framework
5 Components
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring Activities
17 Principles (conceptual, not memorization heavy)
📌 Most tested component: Control Environment & Risk Assessment
1️⃣3️⃣ Risk Assessment (Deep Focus Area)
- Identify & analyze risks
- Consider:
  - Inherent risk
  - Residual risk
- Risk responses:
  - Avoid
  - Reduce
  - Transfer
  - Accept
📌 Dynamic process, not one-time
1️⃣4️⃣ COBIT & COSO – How They Support Each Other
| COSO | COBIT |
|---|---|
| Overall internal control | IT governance & control |
| Enterprise-wide | IT focused |
| Strategic framework | Detailed control objectives |
📌 Exam Line: COBIT complements COSO for IT controls
1️⃣5️⃣ Preventive, Detective & Corrective Controls
Examples:
- Preventive: Segregation, authorization
- Detective: Reconciliations, audits
- Corrective: Data restoration, reprocessing
📌 Best IC system uses all three
1️⃣6️⃣ Compensating (Complementary) Controls
Used when the ideal control is not feasible. Example:
- No segregation → strong supervisory review
📌 Common MCQ: Compensating ≠ replacement
1️⃣7️⃣ Failure of Internal Control – Reasons
- Poor design
- Weak implementation
- Lack of monitoring
- Override by management
- Inadequate training
- System changes
1️⃣8️⃣ Components of Control System
(A) Input Controls
- Authorization
- Edit checks
- Validation checks
- Batch controls
(B) Processing Controls
- Run-to-run totals
- Reasonableness checks
- Error logs
(C) Output Controls
- Distribution controls
- Review of reports
- Reconciliation with source data
1️⃣9️⃣ Application Controls vs General Controls
Application Controls
- Specific to individual systems
- Input, processing, output controls
General Controls
- Affect overall IT environment
- Access controls
- Change management
- Backup & recovery
- IT governance
📌 General controls must be strong for application controls to be effective
2️⃣0️⃣ Accounting Information System (AIS) & Internal Control
AIS helps:
- Capture transactions accurately
- Process data consistently
- Generate reliable reports
- Enforce controls automatically
AIS + IC Ensures:
- Data integrity
- Audit trail
- Timely reporting
- Compliance
📌 Automation improves control but does NOT eliminate risk
🔥 2-Minute EXAM ELIMINATION LOGIC
✔ Look for “reasonable assurance”
❌ Eliminate “absolute assurance”
✔ Management designs controls
❌ Auditors are not responsible for IC
✔ Preventive > Detective
❌ Collusion can defeat IC
🎯 HOW CMA EXAM TESTS THIS TOPIC
- Conceptual MCQs (definitions & roles)
- Case-based questions (control failure)
- COSO component identification
- IT & AIS control linkage
- Governance vs Management responsibility
www.gmsisuccess.in
1️⃣ Control Environment vs Control Activities – Core Difference
| Basis | Control Environment | Control Activities |
|---|---|---|
| Meaning | Overall tone, culture & attitude of the organization | Specific policies & procedures to ensure directives are carried out |
| Nature | Intangible / qualitative | Tangible / operational |
| Focus | “How seriously management takes control” | “What controls are actually performed” |
| Level | Organization-wide | Process / transaction level |
| Responsibility | Board, Top management, Audit committee | Managers, employees |
| Timing | Foundational – exists before other controls | Executed daily |
| COSO component | 1st component | 3rd component |
| Impact | Influences effectiveness of all controls | Directly prevents/detects errors & fraud |
📌 One-line exam logic
Control Environment = Mindset
Control Activities = Mechanism
2️⃣ Control Environment – Explained with Example
🔹 What it includes
- Integrity & ethical values
- Management philosophy
- Organizational structure
- Assignment of authority & responsibility
- HR policies
- Role of Board & Audit Committee
🔹 Practical Example
Company A
- Strong code of ethics
- Zero tolerance for fraud
- Independent audit committee
- Clear reporting lines
➡️ This creates a strong control environment, even before any procedures are applied.
📌 Key exam trick
If the question talks about culture, ethics, tone at the top, governance → it is Control Environment.
3️⃣ Control Activities – Explained with Example
🔹 What it includes
- Authorization & approval
- Segregation of duties
- Reconciliations
- Physical controls
- IT access controls
- Supervisory reviews
🔹 Practical Example
Company B
- Purchase orders approved by manager
- Cash handling and recording done by different employees
- Bank reconciliation prepared monthly
➡️ These are control activities.
📌 Key exam trick
If the question talks about procedures, approvals, checks, reconciliations → it is Control Activities.
4️⃣ Side-by-Side Real-Life Case Example
🏭 Manufacturing Company Case
- CEO promotes ethical behavior & transparent reporting
  👉 Control Environment
- Inventory is:
  - Counted monthly
  - Access restricted
  - Differences investigated
  👉 Control Activities
🔥 Exam Insight
A company can have strong control activities but weak control environment → controls may fail due to management override.
5️⃣ Case-Based MCQs (US CMA / CA / ACCA Style)
MCQ 1 – Identification
A company has well-designed approval procedures, but senior management frequently overrides them to meet profit targets. Which component is weak?
A. Risk assessment
B. Control activities
C. Control environment
D. Information & communication
✅ Answer: C
Explanation:
Override by top management indicates weak tone at the top, i.e., control environment.
❌ Wrong option trap:
B looks tempting because procedures exist, but procedures are not the problem.
MCQ 2 – Best Option
Which of the following BEST represents a control activity?
A. Management commitment to integrity
B. Board oversight
C. Segregation of cash handling and recording
D. Ethical code of conduct
✅ Answer: C
Elimination logic:
- A, B, D → Control Environment
- Only C is an operational control
MCQ 3 – Case Based
An organization has:
- Strong ethical culture
- Clear authority structure
- No bank reconciliations
- Same employee handles cash & recording
Which statement is MOST appropriate?
A. Control environment and control activities are strong
B. Control environment strong; control activities weak
C. Control environment weak; control activities strong
D. Both are weak
✅ Answer: B
📌 Exam gold point:
Strong culture cannot substitute for missing control activities.
MCQ 4 – Look Correct but Wrong
Which of the following is NOT a control activity?
A. Management review of performance reports
B. Authorization of transactions
C. Commitment to competence
D. Physical safeguards over assets
✅ Answer: C
⚠️ Trap:
“Commitment” sounds like action but belongs to Control Environment (HR policy).
6️⃣ Ultra-Short Exam Ready Summary (Write & Score)
Control Environment sets the tone of the organization by influencing control consciousness, while Control Activities are specific actions and procedures designed to ensure management directives are carried out.
🔥 MCQ SET: Control Environment vs Control Activities (25 Questions)
MCQ 1
Which of the following BEST describes the control environment?
A. Specific procedures designed to prevent errors
B. Policies ensuring proper authorization
C. Overall attitude, awareness, and actions of management
D. Periodic reconciliation of accounts
✅ Answer: C
MCQ 2
A company has strong segregation of duties, but senior management pressures employees to bypass controls to meet targets. Which component is WEAKEST?
A. Control activities
B. Risk assessment
C. Control environment
D. Monitoring
✅ Answer: C
MCQ 3
Which of the following is an example of a control activity?
A. Code of ethical conduct
B. Independent audit committee
C. Management philosophy
D. Monthly bank reconciliation
✅ Answer: D
MCQ 4
“Tone at the top” primarily affects which COSO component?
A. Risk assessment
B. Control activities
C. Information & communication
D. Control environment
✅ Answer: D
MCQ 5
A company emphasizes ethical behavior but has no formal approval process for purchases. Which statement is CORRECT?
A. Strong control environment, weak control activities
B. Weak control environment, strong control activities
C. Both strong
D. Both weak
✅ Answer: A
MCQ 6
Which of the following is LEAST likely to be a control activity?
A. Authorization of credit sales
B. Physical safeguards over inventory
C. Segregation of duties
D. Management commitment to competence
✅ Answer: D
MCQ 7
An organization has detailed procedures, but employees ignore them because management does not enforce discipline. This BEST illustrates:
A. Inherent limitations
B. Weak control activities
C. Weak control environment
D. Poor risk assessment
✅ Answer: C
MCQ 8
Which statement BEST differentiates control activities from the control environment?
A. Control activities are preventive; environment is detective
B. Control activities are operational; environment is cultural
C. Control activities are strategic; environment is tactical
D. Control activities are informal; environment is formal
✅ Answer: B
MCQ 9
Which of the following belongs to the control environment?
A. IT access controls
B. Approval limits
C. Human resource policies
D. Inventory counts
✅ Answer: C
MCQ 10
A company requires dual signatures on cheques. This is an example of:
A. Risk assessment
B. Control environment
C. Control activity
D. Monitoring
✅ Answer: C
MCQ 11 (Case Based)
Despite having ethical guidelines and a strong board, the same employee records cash receipts and deposits cash. What does this indicate?
A. Strong control environment but weak control activities
B. Weak control environment but strong control activities
C. Both strong
D. Inherent limitation only
✅ Answer: A
MCQ 12
Which COSO component provides the foundation for all other components?
A. Monitoring
B. Control activities
C. Control environment
D. Risk assessment
✅ Answer: C
MCQ 13
Which of the following is a preventive control activity?
A. Internal audit review
B. Bank reconciliation
C. Segregation of duties
D. Exception report
✅ Answer: C
MCQ 14
Management override of controls primarily undermines:
A. Control activities
B. Control environment
C. Monitoring
D. Information systems
✅ Answer: B
MCQ 15
Which of the following would MOST likely strengthen the control environment?
A. Increasing number of reconciliations
B. Installing CCTV cameras
C. Establishing an independent audit committee
D. Introducing approval stamps
✅ Answer: C
MCQ 16 (Look Correct but Wrong)
Which of the following appears to be a control activity but is actually part of the control environment?
A. Supervision of employees
B. Commitment to integrity and ethical values
C. Review of exception reports
D. Authorization of transactions
✅ Answer: B
MCQ 17
Control activities are designed primarily to:
A. Set ethical standards
B. Identify organizational risks
C. Ensure management directives are carried out
D. Establish governance structure
✅ Answer: C
MCQ 18
Which of the following is NOT a characteristic of control activities?
A. Transaction-level focus
B. Cultural influence
C. Preventive or detective nature
D. Policy and procedure based
✅ Answer: B
MCQ 19
A weak control environment may result in:
A. Elimination of inherent limitations
B. Stronger risk assessment
C. Failure of otherwise well-designed control activities
D. Automatic fraud detection
✅ Answer: C
MCQ 20
Which of the following pairs is CORRECT?
A. Control environment – Authorization procedures
B. Control activities – Ethical culture
C. Control environment – Governance oversight
D. Control activities – Management philosophy
✅ Answer: C
MCQ 21 (Case Based)
The board is independent, ethical training is mandatory, but purchase orders are not reviewed. Identify the weakness.
A. Control environment
B. Control activities
C. Risk assessment
D. Monitoring
✅ Answer: B
MCQ 22
Which statement is TRUE?
A. Strong control activities guarantee fraud prevention
B. Control environment eliminates management override
C. Control activities operate at transaction level
D. Control environment is a subset of control activities
✅ Answer: C
MCQ 23
Which is an example of detective control activity?
A. Pre-approval of expenses
B. Bank reconciliation
C. Segregation of duties
D. Physical access restriction
✅ Answer: B
MCQ 24
Which COSO component addresses integrity, ethics, and competence?
A. Control activities
B. Risk assessment
C. Monitoring
D. Control environment
✅ Answer: D
MCQ 25 (Exam Trap)
A company has strong internal controls on paper, but fraud still occurs due to collusion. This BEST reflects:
A. Weak control activities
B. Weak control environment
C. Inherent limitations of internal control
D. Poor information system
✅ Answer: C
🎯 How Examiners Trap You (Quick Tips)
- Ethics / tone / culture → Control Environment
- Approval / segregation / reconciliation → Control Activities
- Override / collusion → Inherent limitations
- “On paper but not in practice” → Environment problem
🔥 50 ULTRA-TRICKY CASE-BASED MCQs
INTERNAL CONTROL | COSO | GOVERNANCE | AIS | IT CONTROLS
Q1
A company states that its internal control system ensures all fraud will be prevented.
Which COSO principle is being misunderstood?
A. Control Environment
B. Risk Assessment
C. Reasonable assurance
D. Monitoring
✅ Answer: C
Explanation:
Internal control provides reasonable, not absolute, assurance. Fraud can still occur due to collusion or override.
Q2
A senior manager bypasses approval limits to authorize payments.
This illustrates which inherent limitation?
A. Human error
B. Cost-benefit constraint
C. Management override
D. Poor monitoring
✅ Answer: C
Q3
An internal auditor is assigned responsibility for mitigating cybersecurity risk.
This violates which principle?
A. Risk ownership
B. Independence
C. Segregation of duties
D. Monitoring
✅ Answer: A
📌 Risk owner = Management, not Internal Audit
Q4
Segregation of duties is not feasible due to staff shortage. Management increases supervisory review.
This is an example of:
A. Preventive control
B. Detective control
C. Compensating control
D. Corrective control
✅ Answer: C
Q5
Which control is MOST effective in preventing duplicate payments?
A. Bank reconciliation
B. Independent audit
C. Authorization before payment
D. Post-payment review
✅ Answer: C
📌 Preventive > Detective
Q6
A system logs all failed login attempts and alerts IT.
This is a:
A. Preventive control
B. Detective control
C. Corrective control
D. Governance control
✅ Answer: B
Q7
Which party has ultimate responsibility for internal control effectiveness?
A. Internal auditor
B. Audit committee
C. Board of Directors
D. External auditor
✅ Answer: C
Q8
An audit committee is reviewing whistleblower complaints.
This activity relates to:
A. Risk assessment
B. Control activities
C. Governance oversight
D. Application control
✅ Answer: C
Q9
A company uses run-to-run totals to ensure data completeness.
This is a:
A. Input control
B. Processing control
C. Output control
D. General IT control
✅ Answer: B
Q10
Access to accounting software is restricted using passwords.
This is:
A. Application control
B. Output control
C. General control
D. Detective control
✅ Answer: C
Q11
Which COSO component sets ethical tone?
A. Monitoring
B. Risk Assessment
C. Control Environment
D. Control Activities
✅ Answer: C
Q12
A company identifies foreign exchange risk due to overseas sales.
Which COSO component?
A. Information & Communication
B. Risk Assessment
C. Monitoring
D. Control Activities
✅ Answer: B
Q13
An automated system rejects invalid customer codes.
This is:
A. Preventive application control
B. Detective general control
C. Corrective control
D. Output control
✅ Answer: A
Q14
If general IT controls are weak, application controls are:
A. Strengthened
B. Unaffected
C. Less reliable
D. Automatically overridden
✅ Answer: C
📌 Classic CMA favorite
Q15
Which situation BEST indicates control failure?
A. Error detected by reconciliation
B. Fraud detected by audit
C. Management override undetected
D. Corrective action taken
✅ Answer: C
Q16
AIS improves internal control primarily by:
A. Eliminating human involvement
B. Increasing automation & audit trails
C. Replacing management judgment
D. Ensuring absolute accuracy
✅ Answer: B
Q17
Which control ensures reports go only to authorized users?
A. Input validation
B. Output distribution control
C. Processing check
D. Access authorization
✅ Answer: B
Q18
Which risk response accepts residual risk?
A. Risk avoidance
B. Risk reduction
C. Risk transfer
D. Risk acceptance
✅ Answer: D
Q19
COBIT primarily focuses on:
A. Financial reporting controls
B. Enterprise governance
C. IT governance & controls
D. Ethical standards
✅ Answer: C
Q20
COSO and COBIT relationship is BEST described as:
A. Competing frameworks
B. COBIT replaces COSO
C. COBIT complements COSO
D. COSO is IT-specific
✅ Answer: C
Q21
Which control BEST detects unauthorized changes in programs?
A. Input validation
B. Version control
C. Change management
D. Access control
✅ Answer: C
Q22
Mandatory employee vacation helps prevent:
A. Human error
B. Collusion
C. Long-term fraud concealment
D. System failure
✅ Answer: C
Q23
A reconciliation identifies an error after posting.
This is:
A. Preventive
B. Detective
C. Corrective
D. Compensating
✅ Answer: B
Q24
Correcting the error after detection is:
A. Preventive
B. Detective
C. Corrective
D. Governance
✅ Answer: C
Q25
Which control ensures data entered is reasonable?
A. Limit check
B. Batch total
C. Hash total
D. Run-to-run total
✅ Answer: A
Q26
Which control BEST prevents collusion?
A. Segregation alone
B. Independent oversight
C. Automation
D. Authorization
✅ Answer: B
📌 Collusion defeats basic controls
Q27
Who designs internal controls?
A. Internal auditor
B. Board
C. Management
D. Audit committee
✅ Answer: C
Q28
Monitoring activities include:
A. Authorization
B. Reconciliations
C. Ongoing evaluations
D. Risk identification
✅ Answer: C
Q29
A weak control environment MOST likely results in:
A. Efficient processing
B. Ethical compliance
C. Increased fraud risk
D. Strong monitoring
✅ Answer: C
Q30
Which is NOT an inherent limitation?
A. Human judgment
B. Collusion
C. Cost-benefit
D. Auditor independence
✅ Answer: D
Q31
Audit committee independence improves:
A. Control design
B. Operational efficiency
C. Financial reporting oversight
D. Risk ownership
✅ Answer: C
Q32
Which is an output control?
A. Check digit
B. Authorization
C. Report reconciliation
D. Access restriction
✅ Answer: C
Q33
An edit check rejects alphabetic characters in numeric fields.
This is:
A. Output control
B. Processing control
C. Input control
D. General control
✅ Answer: C
Q34
A company backs up data daily.
This is:
A. Preventive
B. Detective
C. Corrective
D. Monitoring
✅ Answer: C
📌 Backup helps recovery
Q35
Which control addresses compliance with laws?
A. Control Environment
B. Risk Assessment
C. Governance
D. Monitoring
✅ Answer: C
Q36
Which party evaluates internal control independently?
A. Management
B. Internal audit
C. Board
D. Risk owner
✅ Answer: B
Q37
Residual risk exists when:
A. No controls exist
B. Controls eliminate all risk
C. Controls reduce but do not eliminate risk
D. Risk is transferred
✅ Answer: C
Q38
An automated approval workflow reduces:
A. Human judgment
B. Inherent risk
C. Control risk
D. Detection risk
✅ Answer: C
Q39
Which control ensures data completeness?
A. Hash totals
B. Authorization
C. Password control
D. Review reports
✅ Answer: A
Q40
Which COSO component links information flow?
A. Monitoring
B. Control Activities
C. Information & Communication
D. Control Environment
✅ Answer: C
Q41
A failure to update controls after system change is a:
A. Design failure
B. Implementation failure
C. Monitoring failure
D. Inherent limitation
✅ Answer: C
Q42
Which situation MOST threatens internal control?
A. Human error
B. Collusion
C. Automated processing
D. Independent review
✅ Answer: B
Q43
Which control is MOST cost-effective?
A. Detective
B. Preventive
C. Corrective
D. Monitoring
✅ Answer: B
Q44
AIS contributes MOST to:
A. Ethical behavior
B. Audit opinion
C. Reliable reporting
D. Risk ownership
✅ Answer: C
Q45
Which is NOT a general IT control?
A. Backup & recovery
B. Change management
C. Edit checks
D. Access controls
✅ Answer: C
Q46
An error found during external audit indicates:
A. Effective control
B. Control failure
C. Reasonable assurance
D. Governance success
✅ Answer: B
Q47
Which COSO component addresses fraud risk?
A. Control Environment
B. Risk Assessment
C. Monitoring
D. Information
✅ Answer: B
Q48
Which party ensures “tone at the top”?
A. Internal auditor
B. Audit committee
C. Management & Board
D. External auditor
✅ Answer: C
Q49
Which control ensures only valid programs run?
A. Input validation
B. Access control
C. Program change control
D. Output control
✅ Answer: C
Q50
Strong internal control system ensures:
A. Absolute fraud prevention
B. Zero errors
C. Reasonable assurance
D. Auditor responsibility
✅ Answer: C
🎯 EXAM STRATEGY TIP
This is exactly how toppers crack CMA MCQs. Below is a powerful WRONG-OPTION ELIMINATION LOGIC for Internal Control, COSO, Governance & AIS. Use it when you're stuck between options.
🔥 WRONG OPTION ELIMINATION LOGIC
Internal Control | COSO | AIS | Governance (US CMA Part 1 & 2)
1️⃣ ABSOLUTE WORDS = ❌ (FIRST ELIMINATION)
Immediately eliminate options containing:
- Always
- Completely
- Guarantees
- Eliminates all risk
- Ensures zero fraud
- Provides absolute assurance
📌 Correct CMA language = Reasonable assurance
2️⃣ WRONG RESPONSIBILITY = ❌
Eliminate options that assign responsibility incorrectly.
| Topic | Correct | Eliminate |
|---|---|---|
| Design of IC | Management | Internal / External Auditor |
| Ultimate oversight | Board | Management only |
| Risk ownership | Process owner | Internal audit |
| Monitoring | Internal audit | Operations |
📌 If auditor = owner/designer → ❌
3️⃣ PREVENTIVE vs DETECTIVE CONFUSION = ❌
If question asks BEST prevention, eliminate:
- Reconciliations
- Audits
- Reviews after the fact
✔ Choose:
- Authorization
- Segregation
- Validation checks
📌 Preventive > Detective > Corrective
4️⃣ COSO COMPONENT MISFIT = ❌
When matching examples to COSO components:
Control Environment
✔ Ethics, integrity, tone at top
❌ Reconciliations, approvals
Risk Assessment
✔ Identify & analyze risks
❌ Monitor controls
Control Activities
✔ Authorizations, segregation
❌ Culture, ethics
Information & Communication
✔ Data flow, reporting
❌ Control testing
Monitoring
✔ Ongoing evaluations
❌ Initial risk identification
5️⃣ GENERAL vs APPLICATION CONTROL TRAP
If general IT controls are weak:
❌ “Application controls are effective anyway”
❌ “No impact on systems”
✔ Correct logic:
Application controls become unreliable
6️⃣ COLLUSION LOGIC (HIGH-YIELD)
When collusion is mentioned:
❌ Segregation alone prevents fraud
❌ Automation eliminates fraud
✔ Best answers involve:
- Independent oversight
- Strong governance
- Audit committee involvement
7️⃣ COMPENSATING CONTROL TRAP
Eliminate options saying:
❌ “Compensating control replaces segregation”
✔ Correct:
Compensating control reduces risk, does NOT replace ideal control
8️⃣ AIS & AUTOMATION TRAPS
Eliminate options that say:
❌ Automation removes need for control
❌ Computers eliminate human error
❌ IT guarantees accuracy
✔ Correct:
Technology enhances control but does NOT eliminate risk
9️⃣ CONTROL FAILURE LOGIC
If an error or fraud is not detected in a timely manner:
✔ Control failure exists
❌ Reasonable assurance achieved
❌ Effective monitoring
📌 Detection after external audit = 🚨
🔟 AUDIT COMMITTEE vs MANAGEMENT CONFUSION
Eliminate options where:
❌ Audit committee manages daily controls
❌ Board designs controls
✔ Correct:
- Management → design & operate
- Audit Committee → oversight
- Board → ultimate responsibility
1️⃣1️⃣ INPUT–PROCESS–OUTPUT CONFUSION
Input Controls
✔ Validation, edit checks
❌ Reconciliations
Processing Controls
✔ Run-to-run totals
❌ Authorization
Output Controls
✔ Report review, distribution
❌ Data entry checks
1️⃣2️⃣ RISK RESPONSE ELIMINATION
If risk still exists after controls:
✔ Residual risk
❌ Inherent risk eliminated
❌ Risk avoided completely
1️⃣3️⃣ GOVERNANCE LANGUAGE FILTER
Eliminate options lacking:
- Oversight
- Accountability
- Transparency
- Ethics
✔ Governance ≠ operations
1️⃣4️⃣ INHERENT LIMITATION FILTER
Valid inherent limitations:
✔ Collusion
✔ Management override
✔ Cost-benefit
❌ Auditor incompetence
❌ Lack of framework
1️⃣5️⃣ FINAL 10-SECOND RULE (EXAM DAY)
If confused, choose the option that:
✔ Sounds balanced
✔ Mentions reasonable assurance
✔ Assigns responsibility correctly
✔ Prefers preventive control
✔ Aligns with COSO logic
🧠 HOW TOPPERS USE THIS
- Strike 2 wrong options immediately
- Apply responsibility check
- Check preventive vs detective
- Read remaining 2 slowly
These are the most dangerous CMA questions: options that sound perfect and use the right words, but are WRONG. Below are 15 “LOOKS-CORRECT-BUT-WRONG” MCQs from Internal Control, COSO, Governance & AIS, each with the reason your brain falls for it.
⚠️ LOOKS-CORRECT-BUT-WRONG MCQs
US CMA Part 1 & Part 2 – Internal Control
MCQ 1
Internal control is effective if it ensures all material misstatements are prevented.
A. True
B. False
❌ Looks correct because: “material” + “prevented”
✅ Answer: B
🔍 Why wrong:
IC provides reasonable assurance, not guaranteed prevention.
MCQ 2
Strong segregation of duties eliminates fraud risk.
A. True
B. False
❌ Trap: “Strong” sounds convincing
✅ Answer: B
🔍 Why wrong:
Collusion & management override still exist.
MCQ 3
Because internal auditors evaluate controls, they are responsible for ensuring controls are effective.
A. True
B. False
❌ Trap: Evaluation ≠ responsibility
✅ Answer: B
MCQ 4
If a control detects an error quickly, the control is considered effective.
A. True
B. False
❌ Trap: Speed ≠ prevention
✅ Answer: B
🔍 Detective ≠ effective prevention
MCQ 5
Automation of accounting processes removes human error.
A. True
B. False
❌ Trap: Technology bias
✅ Answer: B
MCQ 6
The audit committee is responsible for designing and implementing internal controls.
A. True
B. False
❌ Trap: Governance authority
✅ Answer: B
MCQ 7
If errors are discovered during the external audit, the internal control system is still effective because errors were detected.
A. True
B. False
❌ Trap: Detection logic
✅ Answer: B
🔍 Late detection = control failure
MCQ 8
Compensating controls can fully replace segregation of duties.
A. True
B. False
❌ Trap: “Compensating” word
✅ Answer: B
MCQ 9
Residual risk exists only when controls are weak.
A. True
B. False
❌ Trap: Logical sounding
✅ Answer: B
🔍 Residual risk exists even with strong controls
MCQ 10
General IT controls are less important when application controls are strong.
A. True
B. False
❌ Trap: Practical thinking
✅ Answer: B
📌 Weak general controls undermine everything
MCQ 11
A strong control environment ensures ethical behavior by all employees.
A. True
B. False
❌ Trap: “Tone at the top” exaggeration
✅ Answer: B
MCQ 12
If management accepts a risk, it means no control is required.
A. True
B. False
❌ Trap: Risk acceptance misunderstanding
✅ Answer: B
MCQ 13
Monitoring activities focus primarily on identifying new risks.
A. True
B. False
❌ Trap: COSO component mix
✅ Answer: B
📌 Risk identification = Risk Assessment
MCQ 14
Input controls alone are sufficient to ensure accurate processing.
A. True
B. False
❌ Trap: Partial truth
✅ Answer: B
MCQ 15
Because AIS generates audit trails, internal auditors do not need to test controls extensively.
A. True
B. False
❌ Trap: AIS overconfidence
✅ Answer: B
🧠 COMMON PATTERNS IN “LOOK-RIGHT-BUT-WRONG” OPTIONS
Watch out for:
- Absolute promises
- Authority confusion (auditor/board)
- Technology overconfidence
- Late detection = “effective”
- One control solving everything
🚀 HOW TO BEAT THESE IN EXAM
When an option feels too comfortable, ask:
1️⃣ Does it claim perfection? ❌
2️⃣ Does it shift responsibility? ❌
3️⃣ Does it ignore residual risk? ❌