CMA Part 1 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA, Governance Questions and Ans
_2024-2025 Syllabus – Section E: Internal Controls_
*1. COSO 2013 – 5 Components + 17 Principles*
*Case 1: Control Environment*
_Stem_: XYZ Co’s CEO sets aggressive sales targets and
publicly rewards staff who “do whatever it takes” to meet quotas. The CFO
overrides journal entries at quarter-end to avoid missing targets. Which COSO
component is MOST deficient?
A. Risk Assessment
B. Control Environment
C. Monitoring Activities
D. Information & Communication
*Interpret*: “Tone at the top” + management override = Control
Environment, Principle 1: Integrity & Ethical Values
*Answer: B*
*Case 2: Inherent Limitations*
_Stem_: ABC Co implemented segregation of duties for cash
receipts. However, the AR clerk and cashier colluded to steal customer payments
and cover it with fake credit memos. This scheme was not detected for 8 months.
This represents which inherent limitation of internal control?
A. Cost vs benefit
B. Human error
C. Collusion
D. Management override
*Interpret*: Two employees working together to defeat SOD =
Collusion beats controls
*Answer: C*
*Case 3: Benefits vs Limitations*
_Stem_: After implementing COSO framework, Controller claims
“Our new controls will eliminate all fraud risk”. The CAE should respond that
internal control can only provide:
A. Absolute assurance
B. Reasonable assurance
C. Complete assurance
D. Guaranteed prevention
*Interpret*: COSO states that internal control provides only “reasonable assurance”
because of collusion, management override and cost/benefit limits
*Answer: B*
---
*2. COBIT 2019 – IT Governance*
*Case 4: COBIT Domains*
_Stem_: IT Manager implements automated access reviews every
90 days to remove terminated employee IDs from the ERP. This control aligns
with which COBIT 2019 governance objective?
A. DSS05 – Manage Security Services
B. APO13 – Manage Security
C. BAI09 – Manage Assets
D. MEA03 – Manage Compliance
*Interpret*: Managing user access = DSS05: Manage Security
Services, Principle: Logical access
*Answer: A*
*Case 5: COBIT vs COSO*
_Stem_: Board asks if COBIT 2019 replaces COSO 2013 for
overall internal control. Best response:
A. Yes, COBIT is newer and more comprehensive
B. No, COBIT is IT governance; COSO is enterprise-wide
internal control
C. Yes, but only for public companies
D. No, COSO is only for financial reporting
*Interpret*: COBIT covers IT governance; COSO is entity-wide internal control.
They are complementary, not a replacement for each other
*Answer: B*
---
*3. SOX Requirements – Section 302 & 404*
*Case 6: SOX 302 Certification*
_Stem_: CEO and CFO of a U.S. public company review the
10-K. The CFO knows of a material weakness in inventory controls but signs
anyway because “it will be fixed next quarter”. This violates:
A. SOX Section 404
B. SOX Section 302
C. FCPA accounting provisions
D. COSO Principle 15
*Interpret*: 302 = CEO/CFO certify reports + disclose
deficiencies. Knowingly signing false = 302 violation
*Answer: B*
*Case 7: SOX 404 Internal Control Report*
_Stem_: External auditor tests controls and finds a
“material weakness” in revenue. Management’s 404 report must:
A. State controls are effective despite weakness
B. Conclude internal control over financial reporting is NOT
effective
C. Omit the weakness if under $5M impact
D. Be signed by audit committee only
*Interpret*: Material weakness = adverse conclusion on ICFR. There is no
dollar threshold for a control deficiency
*Answer: B*
---
*4. FCPA – Foreign Corrupt Practices Act*
*Case 8: FCPA Books & Records*
_Stem_: US Co’s Brazil subsidiary pays $50,000 to a customs
official to expedite goods. Local books record it as “consulting fees”. Which
FCPA provision is violated?
A. Anti-bribery only
B. Accounting provisions only
C. Both anti-bribery and accounting provisions
D. Neither, if under $100,000
*Interpret*: Bribe = anti-bribery. False “consulting” =
books & records violation. No $ limit
*Answer: C*
*Case 9: FCPA Internal Controls*
_Stem_: Which FCPA requirement BEST aligns with COSO?
A. Prohibition of bribes to foreign officials
B. Requirement to maintain accurate books and system of
internal accounting controls
C. Disclosure of payments in 10-K
D. 5-year statute of limitations
*Interpret*: FCPA accounting provisions = accurate books +
internal controls = COSO objective
*Answer: B*
---
*5. Governance – Board vs Management Roles*
*Case 10: Governance Structure*
_Stem_: The audit committee of a public company approves the
internal audit plan and hires the CAE. The CEO directs the CAE to cancel an
audit of executive travel expenses. Which governance principle is
violated?
A. Management’s responsibility for risk management
B. Board oversight independence
C. Internal audit’s organizational independence per IIA Std
1110
D. SOX 301 audit committee responsibility
*Interpret*: The CAE should report functionally to the board/audit committee. The CEO
directing the CAE to cancel an audit impairs that independence
*Answer: C*
*Case 11: Three Lines Model*
_Stem_: In the Three Lines Model, who owns risk and controls
for the sales process?
A. Internal Audit – 3rd line
B. Compliance – 2nd line
C. Sales Department – 1st line
D. Board of Directors
*Interpret*: 1st line = operational mgmt owns risk. 2nd =
oversight. 3rd = independent assurance
*Answer: C*
---
*6. Data Analytics + Tech Controls – 2024 Syllabus*
*Case 12: ITGC vs Application Control*
_Stem_: ERP automatically blocks invoice posting if PO
quantity is exceeded. A programmer changes the code without testing and
tolerance is now 500%. This is a failure of:
A. Application control
B. IT General Control – Change Management
C. Preventive control
D. Detective control
*Interpret*: Unauthorized code change = ITGC weakness. App
control itself was bypassed due to ITGC fail
*Answer: B*
*Case 13: Data Analytics Benefit*
_Stem_: Internal audit uses data analytics to test 100% of
journal entries for keywords “reverse”, “accrual”, “adjust” posted on weekends.
This provides what benefit over sampling?
A. Lower cost
B. Complete population coverage + anomaly detection
C. Elimination of all fraud
D. Compliance with SOX 404
*Interpret*: Data analytics tests 100% of the population rather than a sample. It finds
anomalies; it does not guarantee that all fraud is detected
*Answer: B*
---
*7. How to Attack Case-Based IC Qs – 2024 Method*
1. *Find the control word*: “segregation”, “override”,
“collusion”, “access”, “certify” → tags the topic
2. *Map to framework*: COSO 5 components, COBIT domains, SOX
302/404, FCPA provisions
3. *COSO default*: If Q mentions “tone”, “ethics”, “board” →
Control Environment
   If “risk ID”, “fraud risk” → Risk Assessment
   If “policies”, “approvals” → Control Activities
   If “reports”, “ERP” → Info & Communication
   If “audits”, “reviews” → Monitoring
4. *Eliminate absolutes*: “Eliminates all risk” “Guarantees
prevention” = always wrong
5. *SOX/FCPA rule*: SOX = US public co only. FCPA = any US
co or issuer, anywhere
*8. High-Yield Terms to Know for Cases*
*COSO*: Control environment, risk appetite, inherent risk,
residual risk, preventive vs detective, material weakness, significant
deficiency
*COBIT*: DSS05, APO13, BAI09, MEA, ITGC, application
control, change management
*SOX*: 302 certification, 404 management report + auditor
attestation, 301 audit committee, 806 whistleblower
*FCPA*: Anti-bribery, books & records, internal
accounting controls, facilitating payments exception
*Governance*: Three Lines Model, fiduciary duty, ERM, tone
at the top
*15 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA,
Governance*
*Q1. COSO Control Environment*
_Case_: CEO frequently overrides the credit approval policy
to land large sales before quarter-end. The CFO adjusts the allowance for
doubtful accounts to keep net income on target. Which COSO principle is MOST
violated?
A. Risk Assessment – Principle 7: Identifies risks
B. Control Environment – Principle 1: Commitment to
integrity
C. Control Activities – Principle 10: Selects controls
D. Monitoring – Principle 16: Conducts evaluations
*Answer: B*
*Why others wrong*:
A. Risk was identified; issue is mgmt ignoring controls, not
ID failure.
C. Control exists but is overridden; design ≠ issue.
D. No mention of monitoring failure; tone at top is root
cause.
---
*Q2. COSO Risk Assessment*
_Case_: ABC Co expanded to Brazil without assessing local
bribery laws or currency controls. Six months later they paid $200K in fines
for FCPA violations. Which COSO component failed FIRST?
A. Control Activities
B. Risk Assessment
C. Information & Communication
D. Monitoring Activities
*Answer: B*
*Why others wrong*:
A. Can’t design controls if risk not identified first.
C. Info not the issue; risk never assessed to
communicate.
D. Monitoring can’t catch unidentified risks.
---
*Q3. COSO Control Activities – Segregation of Duties*
_Case_: The AP clerk can add vendors, approve invoices, and
print checks. To mitigate fraud, which SOD is MOST critical to separate?
A. Vendor setup from invoice approval
B. Invoice approval from check printing
C. Check printing from bank reconciliation
D. All three must be separate per COSO
*Answer: A*
*Why others wrong*:
B. Still allows fake vendor + fake invoice combo.
C. Recon is detective, not preventive for this fraud.
D. COSO allows cost/benefit; A is highest risk pair.
---
*Q4. COSO Monitoring Activities*
_Case_: Internal audit performs an inventory count annually
but mgmt never reviews variances or follows up. Inventory shrinkage increased
300%. This is a failure of:
A. Control Activities
B. Monitoring Activities
C. Risk Assessment
D. Control Environment
*Answer: B*
*Why others wrong*:
A. Count was performed = activity existed.
C. Risk of shrinkage was known; issue is no response.
D. No evidence of bad tone; issue is no follow-up.
---
*Q5. Inherent Limitations – Collusion*
_Case_: Warehouse manager and shipping clerk collude to ship
goods to a fake customer and write off as “damaged”. Physical counts match
book. Which limitation made this possible?
A. Management override
B. Cost vs benefit
C. Collusion
D. Human error
*Answer: C*
*Why others wrong*:
A. No senior mgmt involved; two employees colluded.
B. SOD was in place; cost not the issue.
D. Intentional fraud, not mistake.
---
*Q6. COBIT 2019 – DSS05*
_Case_: IT disabled password expiration for executives “for
convenience”. A terminated VP’s account was used to alter sales data 90 days
post-termination. This violates which COBIT objective?
A. APO13 – Manage Security
B. DSS05 – Manage Security Services
C. BAI09 – Manage Assets
D. MEA03 – Manage Compliance
*Answer: B*
*Why others wrong*:
A. APO13 = plan security; issue is operating security.
C. Account ≠ asset mgmt; it’s logical access.
D. MEA = evaluate; failure was in execution.
---
*Q7. COBIT – ITGC vs Application*
_Case_: ERP has a 3-way match control: PO-GR-Invoice. IT
migrates to cloud and the control stops working, but no one tests it
post-migration. This is:
A. Application control failure only
B. ITGC change management failure
C. COSO monitoring failure
D. SOX 404 scope exclusion
*Answer: B*
*Why others wrong*:
A. App control failed BECAUSE ITGC failed; root cause =
change mgmt.
C. COSO monitoring is broader; specific ITGC issue
here.
D. SOX 404 includes ITGC; can’t exclude.
---
*Q8. SOX 302 – Certification*
_Case_: CFO signs 10-Q but internal audit just reported a
material weakness in revenue recognition not yet disclosed. CFO says “We’ll fix
it before 10-K”. SOX 302 requires:
A. Disclosure of weakness in 10-Q now
B. Can delay until 10-K if remediation planned
C. Only CEO must disclose, not CFO
D. Disclosure only if auditor agrees
*Answer: A*
*Why others wrong*:
B. 302 = current report; no delay allowed.
C. Both CEO + CFO certify per 302.
D. Mgmt’s responsibility, not auditor’s permission.
---
*Q9. SOX 404 – Material Weakness*
_Case_: External auditor concludes controls over financial
reporting are ineffective due to material weakness. Management believes
financials are fairly stated. Management’s 404 report should:
A. State controls are effective because statements are
right
B. State controls are NOT effective due to material
weakness
C. Not issue a report if they disagree with auditor
D. Issue report with “except for” qualification
*Answer: B*
*Why others wrong*:
A. 404 = controls, not financials. Can have clean statements
+ bad controls.
C. Public co must issue mgmt report per 404.
D. “Except for” is auditor language; mgmt says effective or
not.
---
*Q10. FCPA – Accounting Provisions*
_Case_: US Co hides $1M bribe to foreign minister by
debiting “Marketing Expense” and crediting Cash. This violates FCPA
because:
A. Bribe exceeds $10,000 threshold
B. Books must accurately reflect transactions
C. Foreign minister is not “foreign official”
D. Only SEC registrants need accurate books
*Answer: B*
*Why others wrong*:
A. FCPA has no dollar threshold for books/records.
C. Minister = foreign official under FCPA.
D. Accounting provisions apply to all issuers, not just SEC.
---
*Q11. FCPA – Internal Controls*
_Case_: Subsidiary in Asia has no approval matrix; sales
reps can authorize $500K discounts verbally. Which FCPA requirement is MOST at
risk?
A. Anti-bribery provision
B. System of internal accounting controls
C. Quarterly certification
D. Whistleblower provision
*Answer: B*
*Why others wrong*:
A. No bribe mentioned yet; control weakness is issue.
C. FCPA doesn’t require quarterly certs; SOX does.
D. Whistleblower = SOX 806, not FCPA.
---
*Q12. Governance – Three Lines*
_Case_: Compliance department reports to CFO and is told to
“go easy” on sales audits before IPO. Under Three Lines Model, which line is
compromised?
A. 1st Line – Sales owns risk
B. 2nd Line – Compliance independence
C. 3rd Line – Internal Audit
D. Board oversight
*Answer: B*
*Why others wrong*:
A. Sales is 1st line but issue is oversight, not
ownership.
C. IA not mentioned; compliance = 2nd line.
D. Board not in case; immediate issue is 2nd line pressure.
---
*Q13. ERM – Risk Appetite vs Tolerance*
_Case_: Board sets “zero tolerance for FCPA violations” but
mgmt accepts $2M in high-risk agent commissions without due diligence to meet
sales targets. This shows:
A. Risk appetite exceeded
B. Risk tolerance exceeded
C. Both appetite and tolerance breached
D. COSO Principle 6 failure only
*Answer: C*
*Why others wrong*:
A. Appetite = zero; tolerance also zero if appetite zero.
Breach = both.
B. Can’t exceed tolerance without exceeding appetite
here.
D. Principle 6 = specify objectives; broader issue is
breach.
---
*Q14. Data Analytics + Internal Control*
_Case_: Company uses RPA bot to post AP invoices. Bot has no
exception report and was coded to accept duplicate invoice numbers. Month-end
close had $3M duplicate payments. This is primarily a failure of:
A. COSO Control Activities – Principle 10: Selects
controls
B. COSO Information & Communication – Principle 13:
Quality info
C. IT Application Control – Input/edit checks
D. COBIT MEA03 – Monitor compliance
*Answer: C*
*Why others wrong*:
A. Control was selected but coded wrong; specific app
control fail.
B. Info quality is output; issue is input control.
D. MEA = monitoring; design failure came first.
---
*Q15. Benefits of Internal Control*
_Case_: After COSO implementation, controller tells board
“We now have zero risk of financial misstatement”. CAE should clarify that
internal control provides:
A. Elimination of inherent risk
B. Reasonable assurance, not absolute
C. Guarantee against collusion
D. Compliance with SOX 404 only
*Answer: B*
*Why others wrong*:
A. Inherent risk always exists; controls reduce
residual.
C. Collusion is specific inherent limitation.
D. COSO benefits > SOX; applies to all entities.
---
*How to Use These for Exam Prep*
1. *For each Q you miss*: Write “Rule tested” + “Why I
picked wrong” + “Trap type”
2. *Trap types*: Absolute words, SOX vs FCPA mix-up, COSO
component confusion, ITGC vs App control
3. *2024-2025 focus*: Expect 3-4 cases on data analytics,
RPA, cyber, ESG controls in Section E/F
