Wednesday, July 1, 2026

CMA Part 1 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA, Governance




*1. COSO 2013 – 5 Components + 17 Principles*


*Case 1: Control Environment*  

_Stem_: XYZ Co’s CEO sets aggressive sales targets and publicly rewards staff who “do whatever it takes” to meet quotas. The CFO overrides journal entries at quarter-end to avoid missing targets. Which COSO component is MOST deficient?  

A. Risk Assessment  

B. Control Environment  

C. Monitoring Activities  

D. Information & Communication  

*Answer:*


*Case 2: Inherent Limitations*  

_Stem_: ABC Co implemented segregation of duties for cash receipts. However, the AR clerk and cashier colluded to steal customer payments and cover it with fake credit memos. This scheme was not detected for 8 months. This represents which inherent limitation of internal control?  

A. Cost vs benefit  

B. Human error  

C. Collusion  

D. Management override  

*Answer:*


*Case 3: Benefits vs Limitations*  

_Stem_: After implementing the COSO framework, the controller claims “Our new controls will eliminate all fraud risk”. The CAE should respond that internal control can only provide:  

A. Absolute assurance  

B. Reasonable assurance  

C. Complete assurance  

D. Guaranteed prevention  

*Answer:*


*2. COBIT 2019 – IT Governance*


*Case 4: COBIT Domains*  

_Stem_: IT Manager implements automated access reviews every 90 days to remove terminated employee IDs from the ERP. This control aligns with which COBIT 2019 governance objective?  

A. DSS05 – Manage Security Services  

B. APO13 – Manage Security  

C. BAI09 – Manage Assets  

D. MEA03 – Manage Compliance  

*Answer:*


*Case 5: COBIT vs COSO*  

_Stem_: The board asks whether COBIT 2019 replaces COSO 2013 for overall internal control. Best response:  

A. Yes, COBIT is newer and more comprehensive  

B. No, COBIT is IT governance; COSO is enterprise-wide internal control  

C. Yes, but only for public companies  

D. No, COSO is only for financial reporting  

*Answer:*


*3. SOX Requirements – Section 302 & 404*


*Case 6: SOX 302 Certification*  

_Stem_: CEO and CFO of a U.S. public company review the 10-K. The CFO knows of a material weakness in inventory controls but signs anyway because “it will be fixed next quarter”. This violates:  

A. SOX Section 404  

B. SOX Section 302  

C. FCPA accounting provisions  

D. COSO Principle 15  

*Answer:*


*Case 7: SOX 404 Internal Control Report*  

_Stem_: External auditor tests controls and finds a “material weakness” in revenue. Management’s 404 report must:  

A. State controls are effective despite weakness  

B. Conclude internal control over financial reporting is NOT effective  

C. Omit the weakness if under $5M impact  

D. Be signed by audit committee only  

*Answer:*


*4. FCPA – Foreign Corrupt Practices Act*


*Case 8: FCPA Books & Records*  

_Stem_: US Co’s Brazil subsidiary pays $50,000 to a customs official to expedite goods. Local books record it as “consulting fees”. Which FCPA provision is violated?  

A. Anti-bribery only  

B. Accounting provisions only  

C. Both anti-bribery and accounting provisions  

D. Neither, if under $100,000  

*Answer:*


*Case 9: FCPA Internal Controls*  

_Stem_: Which FCPA requirement BEST aligns with COSO?  

A. Prohibition of bribes to foreign officials  

B. Requirement to maintain accurate books and system of internal accounting controls  

C. Disclosure of payments in 10-K  

D. 5-year statute of limitations  

*Answer:*

*5. Governance – Board vs Management Roles*


*Case 10: Governance Structure*  

_Stem_: The audit committee of a public company approves the internal audit plan and hires the CAE. The CEO directs the CAE to cancel an audit of executive travel expenses. Which governance principle is violated?  

A. Management’s responsibility for risk management  

B. Board oversight independence  

C. Internal audit’s organizational independence per IIA Std 1110  

D. SOX 301 audit committee responsibility  

*Answer:*


*Case 11: Three Lines Model*  

_Stem_: In the Three Lines Model, who owns risk and controls for the sales process?  

A. Internal Audit – 3rd line  

B. Compliance – 2nd line  

C. Sales Department – 1st line  

D. Board of Directors  

*Answer:*


*6. Data Analytics + Tech Controls – 2024 Syllabus*


*Case 12: ITGC vs Application Control*  

_Stem_: ERP automatically blocks invoice posting if PO quantity is exceeded. A programmer changes the code without testing and tolerance is now 500%. This is a failure of:  

A. Application control  

B. IT General Control – Change Management  

C. Preventive control  

D. Detective control  

*Answer:*


*Case 13: Data Analytics Benefit*  

_Stem_: Internal audit uses data analytics to test 100% of journal entries for keywords “reverse”, “accrual”, “adjust” posted on weekends. This provides what benefit over sampling?  

A. Lower cost  

B. Complete population coverage + anomaly detection  

C. Elimination of all fraud  

D. Compliance with SOX 404  

*Answer:*
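The full-population keyword-and-timing test described in Case 13, worked as an added example (not part of the original post). Every journal entry is tested, not a sample; an entry is flagged only when it meets both criteria from the stem: a risk keyword in the description and a weekend posting. The entries, user IDs and amounts are constructed sample data, and the keyword list is the one in the stem:

```python
from dataclasses import dataclass
from datetime import datetime
import re

# Keywords from the case stem; matched as word stems so "Adjustment" hits "adjust".
KEYWORDS = ("reverse", "accrual", "adjust")


@dataclass
class JournalEntry:
    je_id: str
    posted_at: datetime
    posted_by: str
    description: str
    amount: float


# Constructed sample population (not real data): weekday and weekend
# postings, with and without the risk keywords. June 15/16/22 2024 are weekend days.
SAMPLE_ENTRIES = [
    JournalEntry("JE-1001", datetime(2024, 6, 14, 16, 30), "clerk_a", "Reverse accrual for May utilities", 4200.00),
    JournalEntry("JE-1002", datetime(2024, 6, 15, 22, 10), "cfo", "Adjustment to revenue cut-off", 185000.00),
    JournalEntry("JE-1003", datetime(2024, 6, 15, 9, 0), "payroll_sys", "Payroll posting", 96000.00),
    JournalEntry("JE-1004", datetime(2024, 6, 16, 23, 45), "controller", "reverse Q2 bonus accrual", 72000.00),
    JournalEntry("JE-1005", datetime(2024, 6, 17, 8, 0), "clerk_b", "Adjust intercompany balance", 1500.00),
    JournalEntry("JE-1006", datetime(2024, 6, 22, 7, 30), "treasury_sys", "Accrued interest on LOC", 800.00),
]


def keyword_pattern(keywords=KEYWORDS):
    # \b(...)\w* matches a keyword as a stem at a word boundary, case-insensitively.
    return re.compile(r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\w*", re.IGNORECASE)


def is_weekend(dt: datetime) -> bool:
    # weekday(): Monday == 0 ... Saturday == 5, Sunday == 6
    return dt.weekday() >= 5


def flag_entries(entries, keywords=KEYWORDS):
    """Entries meeting BOTH stem criteria: a risk keyword AND a weekend posting time."""
    pattern = keyword_pattern(keywords)
    return [e for e in entries if is_weekend(e.posted_at) and pattern.search(e.description)]


def coverage_summary(entries, keywords=KEYWORDS):
    """Population-level result: every entry was tested, so 'population' is 100% coverage."""
    flagged = flag_entries(entries, keywords)
    return {
        "population": len(entries),
        "flagged": len(flagged),
        "flagged_ids": [e.je_id for e in flagged],
        "flagged_amount": round(sum(e.amount for e in flagged), 2),
    }


if __name__ == "__main__":
    print(coverage_summary(SAMPLE_ENTRIES))
    for e in flag_entries(SAMPLE_ENTRIES):
        print(f"{e.je_id} {e.posted_at:%a %Y-%m-%d %H:%M} {e.posted_by:12} {e.amount:>12,.2f} {e.description}")
```

Note the two entries that are deliberately not flagged: JE-1001 contains two keywords but was posted on a Friday, and JE-1006 was posted on a Saturday but "Accrued" is not one of the listed stems. A keyword list only catches what it lists; the anomaly list is a starting point for follow-up, not a fraud finding.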


*7. How to Attack Case-Based IC Qs – 2024 Method*


1. *Find the control word*: “segregation”, “override”, “collusion”, “access”, “certify” → tags the topic

2. *Map to framework*: COSO 5 components, COBIT domains, SOX 302/404, FCPA provisions

3. *COSO default*: If Q mentions “tone”, “ethics”, “board” → Control Environment  

   If “risk ID”, “fraud risk” → Risk Assessment  

   If “policies”, “approvals” → Control Activities  

   If “reports”, “ERP” → Info & Communication  

   If “audits”, “reviews” → Monitoring

4. *Eliminate absolutes*: “Eliminates all risk”, “Guarantees prevention” = always wrong

5. *SOX/FCPA rule*: SOX = US public co only. FCPA = any US co or issuer, anywhere


---


*8. High-Yield Terms to Know for Cases*


*COSO*: Control environment, risk appetite, inherent risk, residual risk, preventive vs detective, material weakness, significant deficiency  

*COBIT*: DSS05, APO13, BAI09, MEA, ITGC, application control, change management  

*SOX*: 302 certification, 404 management report + auditor attestation, 301 audit committee, 806 whistleblower  

*FCPA*: Anti-bribery, books & records, internal accounting controls, facilitating payments exception  

*Governance*: Three Lines Model, fiduciary duty, ERM, tone at the top


*Section B*

*Q1. COSO Control Environment*

_Case_: CEO frequently overrides the credit approval policy to land large sales before quarter-end. The CFO adjusts the allowance for doubtful accounts to keep net income on target. Which COSO principle is MOST violated?  

A. Risk Assessment – Principle 7: Identifies risks  

B. Control Environment – Principle 1: Commitment to integrity  

C. Control Activities – Principle 10: Selects controls  

D. Monitoring – Principle 16: Conducts evaluations  

*Answer:*


---


*Q2. COSO Risk Assessment*

_Case_: ABC Co expanded to Brazil without assessing local bribery laws or currency controls. Six months later they paid $200K in fines for FCPA violations. Which COSO component failed FIRST?  

A. Control Activities  

B. Risk Assessment  

C. Information & Communication  

D. Monitoring Activities  

*Answer:*


---


*Q3. COSO Control Activities – Segregation of Duties*

_Case_: The AP clerk can add vendors, approve invoices, and print checks. To mitigate fraud, which SOD is MOST critical to separate?  

A. Vendor setup from invoice approval  

B. Invoice approval from check printing  

C. Check printing from bank reconciliation  

D. All three must be separate per COSO  

*Answer:*
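A segregation-of-duties conflict check over a role/permission matrix, added here as a worked example (it is not part of the original post). The conflicting-duty pairs are the three separations named in Q3's options for the purchase-to-pay cycle; the user IDs and permission names are constructed assumptions, and the function only reports which users hold a toxic combination, it does not decide which separation is the most critical:

```python
from dataclasses import dataclass

# Toxic combinations for purchase-to-pay, taken from the three options in Q3.
# frozenset so each pair is order-independent and hashable.
SOD_CONFLICTS = {
    frozenset({"vendor_setup", "invoice_approval"}),
    frozenset({"invoice_approval", "check_printing"}),
    frozenset({"check_printing", "bank_reconciliation"}),
}

# Constructed access matrix (hypothetical users and permission names).
# "ap_clerk" mirrors the case: vendor setup + invoice approval + check printing.
ACCESS_MATRIX = {
    "ap_clerk": {"vendor_setup", "invoice_approval", "check_printing"},
    "treasury": {"check_printing", "bank_reconciliation"},
    "controller": {"bank_reconciliation", "gl_posting"},
    "buyer": {"vendor_setup"},
}


@dataclass(frozen=True)
class Conflict:
    user: str
    duties: tuple  # sorted pair of permission names


def sod_conflicts(access, conflicts=SOD_CONFLICTS):
    """Return every (user, conflicting pair) where the user holds both duties of a pair."""
    found = []
    for user, perms in access.items():
        for pair in conflicts:
            if pair <= perms:  # subset test: user holds both halves of the toxic pair
                found.append(Conflict(user, tuple(sorted(pair))))
    return sorted(found, key=lambda c: (c.user, c.duties))


def users_with_conflicts(access, conflicts=SOD_CONFLICTS):
    """Map user -> number of toxic pairs held; users with no conflict are omitted."""
    counts = {}
    for c in sod_conflicts(access, conflicts):
        counts[c.user] = counts.get(c.user, 0) + 1
    return counts


def would_resolve(access, user, permission_to_remove, conflicts=SOD_CONFLICTS):
    """True if removing one permission from the user clears all of that user's conflicts."""
    trial = dict(access)
    trial[user] = set(access[user]) - {permission_to_remove}
    return user not in users_with_conflicts(trial, conflicts)


if __name__ == "__main__":
    for c in sod_conflicts(ACCESS_MATRIX):
        print(f"{c.user:10} holds conflicting duties: {c.duties[0]} + {c.duties[1]}")
    print("removing invoice_approval from ap_clerk resolves:", would_resolve(ACCESS_MATRIX, "ap_clerk", "invoice_approval"))
```

`would_resolve` is the useful part for remediation planning: it shows that stripping a single permission from the AP clerk clears both of that user's conflicts, while the treasury user needs a different split. Running the check on every provisioning change, rather than once a year, is what turns a SoD policy into a preventive control.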


---


*Q4. COSO Monitoring Activities*

_Case_: Internal audit performs an inventory count annually, but management never reviews variances or follows up. Inventory shrinkage increased 300%. This is a failure of:  

A. Control Activities  

B. Monitoring Activities  

C. Risk Assessment  

D. Control Environment  

*Answer:*


---


*Q5. Inherent Limitations – Collusion*

_Case_: The warehouse manager and shipping clerk collude to ship goods to a fake customer and write them off as “damaged”. Physical counts match the books. Which limitation made this possible?  

A. Management override  

B. Cost vs benefit  

C. Collusion  

D. Human error  

*Answer:*


---


*Q6. COBIT 2019 – DSS05*

_Case_: IT disabled password expiration for executives “for convenience”. A terminated VP’s account was used to alter sales data 90 days post-termination. This violates which COBIT objective?  

A. APO13 – Manage Security  

B. DSS05 – Manage Security Services  

C. BAI09 – Manage Assets  

D. MEA03 – Manage Compliance  

*Answer:*


---


*Q7. COBIT – ITGC vs Application*

_Case_: ERP has a 3-way match control: PO-GR-Invoice. IT migrates to cloud and the control stops working, but no one tests it post-migration. This is:  

A. Application control failure only  

B. ITGC change management failure  

C. COSO monitoring failure  

D. SOX 404 scope exclusion  

*Answer:*


---


*Q8. SOX 302 – Certification*

_Case_: CFO signs 10-Q but internal audit just reported a material weakness in revenue recognition not yet disclosed. CFO says “We’ll fix it before 10-K”. SOX 302 requires:  

A. Disclosure of weakness in 10-Q now  

B. Can delay until 10-K if remediation planned  

C. Only CEO must disclose, not CFO  

D. Disclosure only if auditor agrees  

*Answer:*


---


*Q9. SOX 404 – Material Weakness*

_Case_: External auditor concludes controls over financial reporting are ineffective due to material weakness. Management believes financials are fairly stated. Management’s 404 report should:  

A. State controls are effective because statements are right  

B. State controls are NOT effective due to material weakness  

C. Not issue a report if they disagree with auditor  

D. Issue report with “except for” qualification  

*Answer:*


---


*Q10. FCPA – Accounting Provisions*

_Case_: US Co hides $1M bribe to foreign minister by debiting “Marketing Expense” and crediting Cash. This violates FCPA because:  

A. Bribe exceeds $10,000 threshold  

B. Books must accurately reflect transactions  

C. Foreign minister is not “foreign official”  

D. Only SEC registrants need accurate books  

*Answer:*


---


*Q11. FCPA – Internal Controls*

_Case_: Subsidiary in Asia has no approval matrix; sales reps can authorize $500K discounts verbally. Which FCPA requirement is MOST at risk?  

A. Anti-bribery provision  

B. System of internal accounting controls  

C. Quarterly certification  

D. Whistleblower provision  

*Answer:*


---


*Q12. Governance – Three Lines*

_Case_: Compliance department reports to CFO and is told to “go easy” on sales audits before IPO. Under Three Lines Model, which line is compromised?  

A. 1st Line – Sales owns risk  

B. 2nd Line – Compliance independence  

C. 3rd Line – Internal Audit  

D. Board oversight  

*Answer:*


---


*Q13. ERM – Risk Appetite vs Tolerance*

_Case_: The board sets “zero tolerance for FCPA violations”, but management accepts $2M in high-risk agent commissions without due diligence to meet sales targets. This shows:  

A. Risk appetite exceeded  

B. Risk tolerance exceeded  

C. Both appetite and tolerance breached  

D. COSO Principle 6 failure only  

*Answer:*


---


*Q14. Data Analytics + Internal Control*

_Case_: Company uses RPA bot to post AP invoices. Bot has no exception report and was coded to accept duplicate invoice numbers. Month-end close had $3M duplicate payments. This is primarily a failure of:  

A. COSO Control Activities – Principle 10: Selects controls  

B. COSO Information & Communication – Principle 13: Quality info  

C. IT Application Control – Input/edit checks  

D. COBIT MEA03 – Monitor compliance  

*Answer:*
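The Q14 scenario as an added worked example, not code from the original post: an AP posting routine in its "before" form (no edit check, no exception report, duplicates accepted) beside a hardened form that rejects a repeated vendor/invoice-number pair and writes the rejection to an exception report. The invoice batch, vendor IDs and the normalization rule (same vendor, same number ignoring case and punctuation, treated as the same invoice) are constructed assumptions:

```python
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: float


def normalize_invoice_no(raw: str) -> str:
    """Canonical form so 'INV-2041', 'inv 2041' and 'INV2041' collide (assumed duplicate rule)."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


@dataclass
class APLedger:
    posted: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)
    _seen: set = field(default_factory=set)

    def post_unchecked(self, inv: Invoice) -> bool:
        """The 'before' behaviour from the case: every invoice posts, nothing is reported."""
        self.posted.append(inv)
        return True

    def post(self, inv: Invoice) -> bool:
        """Hardened input/edit check: block a repeated (vendor, invoice number) and log it."""
        key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no))
        if key in self._seen:
            self.exceptions.append({
                "vendor_id": inv.vendor_id,
                "invoice_no": inv.invoice_no,
                "amount": inv.amount,
                "reason": "duplicate invoice number for vendor",
            })
            return False
        self._seen.add(key)
        self.posted.append(inv)
        return True

    def exception_report(self) -> dict:
        """What a reviewer sees at month-end: count and value of blocked postings."""
        return {
            "blocked": len(self.exceptions),
            "blocked_amount": round(sum(x["amount"] for x in self.exceptions), 2),
            "items": list(self.exceptions),
        }


# Constructed batch: two re-submissions with cosmetic changes to the number,
# plus one legitimate collision (same number, different vendor).
SAMPLE_BATCH = [
    Invoice("V100", "INV-2041", 12000.00),
    Invoice("V100", "inv 2041", 12000.00),  # same invoice, different formatting
    Invoice("V200", "INV-2041", 800.00),    # same number, different vendor: legitimate
    Invoice("V100", "INV-2042", 5000.00),
    Invoice("V300", "A-17", 250.00),
    Invoice("V300", "A17", 250.00),         # duplicate
]


def run_batch(batch, checked=True) -> APLedger:
    ledger = APLedger()
    for inv in batch:
        (ledger.post if checked else ledger.post_unchecked)(inv)
    return ledger


if __name__ == "__main__":
    before = run_batch(SAMPLE_BATCH, checked=False)
    after = run_batch(SAMPLE_BATCH, checked=True)
    print("unchecked bot posted:", len(before.posted), "invoices")
    print("checked bot posted:", len(after.posted), "invoices;", after.exception_report())
```

The duplicate key is per vendor on purpose: invoice numbers are assigned by vendors, so the same number from two vendors is normal. The edit check is the preventive piece; the exception report is what gives a reviewer something to monitor, which the case's bot also lacked.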


---


*Q15. Benefits of Internal Control*

_Case_: After COSO implementation, the controller tells the board “We now have zero risk of financial misstatement”. The CAE should clarify that internal control provides:  

A. Elimination of inherent risk  

B. Reasonable assurance, not absolute  

C. Guarantee against collusion  

D. Compliance with SOX 404 only  

*Answer:*


---


*How to Use These for Exam Prep*


1. *For each Q you miss*: Write “Rule tested” + “Why I picked wrong” + “Trap type”  

2. *Trap types*: Absolute words, SOX vs FCPA mix-up, COSO component confusion, ITGC vs App control  

3. *2024-2025 focus*: Expect 3-4 cases on data analytics, RPA, cyber, ESG controls in Section E/F  

www.gmsisuccess.in

