
Thursday, April 2, 2026

Mocktest on Internal Control, Governance, Accounting Information System, Technology and Data Analytics

 



RAPID FIRE MOCK TEST: CASE-BASED, ON INTERNAL CONTROL, GOVERNANCE, AIS

GMSi Gmsisuccess <gmsi2022cia@gmail.com>Thu, Apr 2, 2026 at 9:00 AM
To: GMSi Gmsisuccess <gmsi2022cia@gmail.com>

Case-based questions and answers focused on Internal Control, Corporate Governance, Risk Assessment, and Technology/Data Analytics, based on real-world scenarios and professional auditing standards. 

Case 1: Fraud and Internal Control Failure (Procurement) 

Scenario: GlobalTech Solutions suffered a significant financial loss due to a procurement fraud perpetrated by a Senior Procurement Manager. The manager created fictitious vendors and approved payments over two years. An audit revealed that the manager was responsible for both vendor onboarding and payment approval. The company had no continuous monitoring system to detect duplicate payments or unusual vendor patterns. 

• Q1.1: What are the primary internal control weaknesses in this scenario?

  Answer: (1) Lack of Segregation of Duties: The same individual was responsible for onboarding (authorization) and payment approval (custody/processing). (2) Inadequate Vendor Management Control: No independent verification of vendor legitimacy before adding to the Master Vendor File.

• Q1.2: Which Data Analytics tests could have detected this fraud earlier?

  Answer: (1) Vendor-Employee Matching: Matching vendor bank accounts or addresses with employee personal data. (2) Duplicate Payment Analysis: Searching for identical amounts, invoice numbers, or payment dates within a short period. (3) Benford’s Law Analysis: Testing for unnatural distribution of invoice amounts.

• Q1.3: How can the company remediate these control deficiencies?

  Answer: (1) Segregate duties: Implement a policy where vendor creation is done by a different department than vendor payment. (2) Implement Continuous Control Monitoring (CCM) tools to run daily checks on payments. (3) Perform a thorough risk assessment on procurement risks.
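The three tests named in the Q1.2 answer, worked through as a runnable Python example added here (this is not material from the original post): pairing of duplicate payments, vendor-to-employee matching on bank account and address, and a first-digit (Benford) comparison. The vendor, employee and payment records are constructed for the example, as are the 7-day window and the two matched fields; a real continuous-monitoring run would apply the same functions to the full payment population and master files, and the Benford test only becomes meaningful on a large population.

```python
from collections import defaultdict
from datetime import date
from math import log10

# Constructed sample data (not from the page): vendor master records, employee
# master records and payment lines. Account numbers and addresses are made up.
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies", "bank_acct": "11112222", "address": "12 Mill Rd"},
    {"vendor_id": "V200", "name": "Northwind Ltd", "bank_acct": "33334444", "address": "8 Harbour St"},
    {"vendor_id": "V300", "name": "JS Consulting", "bank_acct": "55556666", "address": "4 Elm Ave"},
]
EMPLOYEES = [
    {"emp_id": "E1", "name": "J. Smith", "bank_acct": "55556666", "address": "4 Elm Ave"},
    {"emp_id": "E2", "name": "A. Patel", "bank_acct": "77778888", "address": "9 Oak Ln"},
]
PAYMENTS = [
    {"pay_id": 1, "vendor_id": "V100", "invoice_no": "INV-1", "amount": 1250.00, "paid": date(2025, 3, 3)},
    {"pay_id": 2, "vendor_id": "V100", "invoice_no": "INV-1", "amount": 1250.00, "paid": date(2025, 3, 5)},
    {"pay_id": 3, "vendor_id": "V200", "invoice_no": "INV-77", "amount": 980.50, "paid": date(2025, 3, 10)},
    {"pay_id": 4, "vendor_id": "V300", "invoice_no": "C-1", "amount": 4999.00, "paid": date(2025, 4, 1)},
    {"pay_id": 5, "vendor_id": "V300", "invoice_no": "C-2", "amount": 4999.00, "paid": date(2025, 4, 4)},
    {"pay_id": 6, "vendor_id": "V200", "invoice_no": "INV-78", "amount": 310.00, "paid": date(2025, 5, 2)},
]


def find_duplicate_payments(payments, window_days=7):
    """Pairs of payments to the same vendor that share an invoice number, or that
    carry the same amount within window_days of each other."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor_id"]].append(p)
    hits = []
    for group in by_vendor.values():
        group = sorted(group, key=lambda p: p["paid"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a["invoice_no"] == b["invoice_no"]:
                    hits.append((a["pay_id"], b["pay_id"], "same invoice number"))
                elif a["amount"] == b["amount"] and (b["paid"] - a["paid"]).days <= window_days:
                    hits.append((a["pay_id"], b["pay_id"], f"same amount within {window_days} days"))
    return hits


def match_vendors_to_employees(vendors, employees, fields=("bank_acct", "address")):
    """Vendors whose bank account or address matches an employee master record."""
    index = {(f, e[f].strip().lower()): e["emp_id"] for e in employees for f in fields}
    matches = defaultdict(list)
    for v in vendors:
        for f in fields:
            emp = index.get((f, v[f].strip().lower()))
            if emp:
                matches[(v["vendor_id"], emp)].append(f)
    return [(vid, eid, fs) for (vid, eid), fs in matches.items()]


def first_digit(amount):
    """Leading non-zero digit of an amount; None for a zero amount."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_first_digit(amounts):
    """Observed vs. Benford-expected share of each leading digit, plus the digit
    that deviates most. The six constructed amounts only show the mechanics;
    the test needs a large, naturally occurring population to mean anything."""
    digits = [d for d in map(first_digit, amounts) if d]
    n = len(digits)
    observed = {d: digits.count(d) / n for d in range(1, 10)}
    expected = {d: log10(1 + 1 / d) for d in range(1, 10)}
    deviation = {d: observed[d] - expected[d] for d in range(1, 10)}
    worst = max(deviation, key=lambda d: abs(deviation[d]))
    return {"n": n, "observed": observed, "expected": expected, "max_deviation_digit": worst}


if __name__ == "__main__":
    print(find_duplicate_payments(PAYMENTS))
    print(match_vendors_to_employees(VENDORS, EMPLOYEES))
    print(benford_first_digit([p["amount"] for p in PAYMENTS])["max_deviation_digit"])
```

On the constructed data the duplicate test pairs payments 1 and 2 (same invoice) and 4 and 5 (same amount three days apart), the matching test links vendor V300 to employee E1 on both fields, and the first-digit test singles out digit 4 as the largest departure from the expected share.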



Case 2: IT Governance and Cybersecurity Risk

Scenario: Pinnacle Bank experienced a major data breach exposing customer financial information. It was found that a previous risk assessment identified vulnerabilities in the security system, but these were not addressed due to resource constraints. The Board of Directors had not reviewed IT security risks in the past 18 months. 


• Q2.1: Identify the failures in the bank’s governance structure.

  Answer: (1) Weak Oversight: The Board failed to monitor IT risks effectively. (2) Ineffective Risk Management: The risk assessment process was not followed by remedial action.

• Q2.2: What are the key elements of a robust IT Governance framework?

  Answer: (1) Alignment of IT strategy with business objectives. (2) Clear policies and accountability for risk management. (3) Regular monitoring and reporting of security breaches and threats. (4) Dedicated Risk Committee.

• Q2.3: How can AI enhance this company's risk mitigation efforts?

  Answer: AI can be used to simulate cyber-attacks (penetration testing), analyze network behavior in real-time for anomalies, and automate compliance checks with data protection laws.



Case 3: Data Analytics in Auditing (Inventory)

Scenario: An auditor is assessing the valuation of inventory for a client with over 100,000 SKUs across 50 locations. Historically, physical inventory counts at year-end are rushed, leading to inaccurate records. 

• Q3.1: How can the auditor use data analytics to replace traditional sampling for inventory?

  Answer: The auditor can analyze the entire population of inventory data rather than just a sample. This includes checking for negative quantities, extreme high/low unit costs, and identifying items with no movement over a long period (slow-moving inventory).

• Q3.2: What specific analysis helps detect potential overstatement of inventory?

  Answer: (1) Disaggregated analysis of inventory: Comparing inventory quantities at current period with prior periods by class, location, or SKU. (2) Comparing Perpetual Records to Physical Counts: Using data analytics to match the two datasets and identify discrepancies.



Case 4: Risk Management & Corporate Governance (Fintech Startup)

Scenario: FintechPay, a rapidly growing P2P mobile payment startup, has experienced several compliance failures. The company focuses heavily on growth and has delayed the hiring of a Chief Risk Officer (CRO) and an Internal Audit team.

• Q4.1: As an external consultant, what is the most critical risk that needs to be addressed?

  Answer: Compliance Risk & Regulatory Non-compliance. Fintech companies face stringent regulations regarding Know Your Customer (KYC), Anti-Money Laundering (AML), and data protection. Failure can lead to shut down.

• Q4.2: How should the board of FintechPay structure its risk management?

  Answer: (1) Establish a dedicated Risk Management Committee that reports directly to the board. (2) Implement a Risk-Based Internal Audit (RBIA) approach, focusing on key risks like cybersecurity and transaction monitoring.

• Q4.3: Mention a key control to be added to their P2P payment app.

  Answer: Real-time transaction monitoring AI that flags unusual peer-to-peer transfers or high-volume transactions to prevent fraudulent activities.



Key Takeaways for Case Studies

• Internal Control (IC): Focus on segregation of duties, authorization, and safeguarding assets.
• Governance: Focus on board oversight, transparency, and accountability.
• Risk Assessment: Identify, analyze, and mitigate (Prob x Impact).
• Technology/Data Analytics: Use data to move from detective controls (after the fact) to preventive/continuous controls.

 

🔷 CASE 1: INTERNAL CONTROL WEAKNESS (Revenue Fraud)

A company allows sales staff to approve credit sales, record transactions, and handle collections. Recently, large receivables became uncollectible.

🔹 MCQ

Q1. What is the primary internal control weakness?
A. Lack of documentation
B. Lack of segregation of duties
C. Lack of audit trail
D. Lack of authorization

✅ Answer: B
👉 Same person handling authorization, recording & custody → high fraud risk.

🔹 Assertion–Reason

Q2. Assertion (A): Segregation of duties reduces fraud risk.
Reason (R): It ensures one person handles all stages of transaction.

A. Both true
B. Both false
C. A true, R false
D. A false, R true

Answer: C
👉 Segregation means dividing duties, not combining them.

🔹 True/False WITH REASON

Q3. Internal controls are only necessary for large organizations.

 Answer: False
👉 Even small firms need controls.

🔹 Fill in the Blank

Q4. Separating authorization, custody, and recording is called ________.

 Answer: Segregation of duties

🔹 Odd Man Out

Q5. Identify the control element that does NOT belong:
A. Authorization
B. Custody
C. Recording
D. Profitability

 Answer: D
👉 Others are internal control components.

🔷 CASE 2: CORPORATE GOVERNANCE FAILURE

A listed company’s board is dominated by executive directors, and no independent audit committee exists. Financial misstatements go unnoticed.


🔹 MCQ

Q6. Which governance principle is violated?
A. Transparency
B. Accountability
C. Independence
D. Sustainability

 Answer: C
👉 Lack of independent oversight.

🔹 Assertion–Reason

Q7. Assertion: Independent directors improve governance.
Reason: They bring unbiased judgment.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A

 

🔹 True/False WITH REASON

Q8. Audit committees should consist mainly of executive directors.

 Answer: False
👉 Should be independent.

🔹 Fill in the Blank

Q9. The audit committee ensures integrity of ________ reporting.

 Answer: Financial

🔹 Odd Man Out

Q10. Choose the non-governance element:
A. Board oversight
B. Risk management
C. Internal audit
D. Sales promotion

 Answer: D

🔷 CASE 3: RISK ASSESSMENT FAILURE

A bank fails to update its cybersecurity controls despite rising cyber threats, leading to data breaches.


🔹 MCQ

Q11. What type of risk is primarily involved?
A. Market risk
B. Credit risk
C. Operational risk
D. Liquidity risk

 Answer: C

🔹 Assertion–Reason

 

Q12. Assertion: Risk assessment should be continuous.
Reason: Business environment changes frequently.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A (Both true, R explains A)

🔹 True/False

Q13. Risk assessment is a one-time activity.

 Answer: False

🔹 Fill in the Blank

Q14. Identifying and analyzing risks is part of ________ component of COSO.

 Answer: Risk Assessment

🔹 Odd Man Out

Q15. Identify non-risk element:
A. Identification
B. Analysis
C. Mitigation
D. Marketing

 Answer: D

🔷 CASE 4: TECHNOLOGY & DATA ANALYTICS

An auditor uses data analytics to identify duplicate payments and unusual transactions in procurement.


🔹 MCQ

Q16. What is the main benefit of data analytics?
A. Reduce audit scope
B. Improve audit quality
C. Eliminate internal control
D. Replace auditors

 Answer: B

🔹 Assertion–Reason

Q17. Assertion: Data analytics helps detect anomalies.
Reason: It analyzes entire data population.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A (Both true, R explains A)

🔹 True/False

Q18. Data analytics can only be used in financial audits.

 Answer: False

Data analytics is widely used across various types of audits and business functions, including:

• Internal Audit: For assessing risks, testing controls, and improving efficiency.
• Compliance Audit: To monitor for policy breaches (e.g., procurement fraud, travel records).
• Operational Audit: To identify inefficiencies, patterns of wasted resources, and improve processes.
• Forensic Audits/Investigations: To detect fraud, money laundering, and suspicious transactions.
• Information System Audits: To audit controls in IT systems.

🔹 Fill in the Blank

Q19. Detecting duplicate invoices is an example of ________ analytics.

 Answer: Diagnostic / Investigative analytics

🔹 Odd Man Out

Q20. Identify tool not used in analytics:
A. ACL
B. IDEA
C. Excel
D. Typewriter

 Answer: D

🔷 CASE 5: INTERNAL CONTROL OVER PAYROLL

An employee creates fake employees and processes salary payments.


🔹 MCQ

Q21. What type of fraud is this?
A. Asset misappropriation
B. Financial statement fraud
C. Corruption
D. Tax evasion

 Answer: A

These terms represent different categories of occupational fraud and financial crimes, often differentiated by the method used and the objective of the perpetrator. Asset misappropriation is the most common, while financial statement fraud is typically the most costly. 

A. Asset Misappropriation

Asset misappropriation involves the theft, misuse, or unauthorized use of an organization's assets by employees, contractors, or insiders for personal gain. It is often referred to as "stealing" or "skimming from the top". 

• Examples: Cash skimming, payroll fraud (ghost employees), fraudulent expense reimbursements, stealing inventory, or using company equipment for personal business.
• Key Characteristic: Direct theft of tangible or intangible company resources.

B. Financial Statement Fraud 

Financial statement fraud is the deliberate misrepresentation, omission, or alteration of financial data to deceive stakeholders (investors, creditors) and make the organization appear more financially stable or profitable than it actually is. It is usually perpetrated by upper management. 

• Examples: Overstating revenues (fictitious sales), understating expenses, inflating asset values, or hiding liabilities/debts.
• Key Characteristic: "Cooking the books" to create a false picture of financial health.

C. Corruption

Corruption is defined as the abuse of entrusted power for private gain, involving dishonest behavior by those in positions of authority. It involves using influence to secure improper advantages. 

• Examples: Bribery (giving/accepting cash to influence decisions), kickbacks (receiving money for favorable business terms), conflicts of interest, and extortion.
• Key Characteristic: Misuse of influence to sway business or government decisions.

D. Tax Evasion

Tax evasion is the illegal, intentional act of not paying or underpaying taxes that are owed to tax authorities (government). It involves deliberate concealment of income or falsification of financial records. 

• Examples: Underreporting income, inflating deductions, hiding money in offshore accounts, or keeping "double sets of books".
• Key Characteristic: Misrepresenting financial data specifically to avoid tax liability.

 

Key Differences at a Glance

Type                      | Main Perpetrator      | Objective
Asset Misappropriation    | Employees             | Steal company assets.
Financial Statement Fraud | Management            | Manipulate perception of company health.
Corruption                | Influential Personnel | Misuse power for personal gain.
Tax Evasion               | Entity/Individual     | Avoid paying taxes.

Note: According to the ACFE (Association of Certified Fraud Examiners), these types of fraud are often interrelated; for example, corruption often facilitates asset misappropriation, and asset misappropriation can necessitate financial statement fraud to cover the theft.

🔹 Assertion–Reason

Q22. Assertion: Payroll controls prevent ghost employees.
Reason: Proper authorization & verification is required.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A (Both true, R explains A)

🔹 True/False

Q23. Payroll should be handled by one person for efficiency.

False.

While having one person handle payroll might seem faster, it is highly discouraged due to the risk of fraud, errors, and lack of internal controls. Segregation of duties—where one person authorizes payments and another processes them—is essential for security. Automated systems and specialized payroll teams are better for ensuring accuracy, compliance, and efficiency.

🔹 Fill in the Blank

Q24. Fake employees are called ________ employees.

Fake employees are called ghost employees. 

Key Details:

• A ghost employee is a fictitious or non-existent person listed on a company's payroll system.
• They are created to enable payroll fraud, allowing a fraudster to collect wages or benefits.
• The term can also refer to a former employee who is not removed from the payroll system after they have left the organization.

🔹 Odd Man Out

Q25. Identify non-payroll control:
A. Employee verification
B. Bank reconciliation
C. Attendance tracking
D. HR approval

 Answer: B

SUMMARY OF KEY CONCEPTS

  • Internal Control: Segregation of duties, authorization, monitoring
  • Corporate Governance: Independence, transparency, accountability
  • Risk Assessment: Continuous, dynamic process
  • Technology & Analytics: Full data analysis, anomaly detection
  • Fraud Prevention: Strong controls + audit procedures

MCQs ON INTERNAL CONTROL WEAKNESSES (AIS)

🔹 CASE 1: Missing Audit Trail

A company’s AIS does not maintain logs of transaction edits or deletions.

Q1. What is the major control weakness?
A. Lack of authorization
B. Lack of audit trail
C. Lack of segregation
D. Lack of supervision

 Answer: B
👉 No tracking → fraud/errors cannot be detected.

🔹 CASE 2: Unauthorized Changes in Master Data

Employees can modify vendor master records without approval.

Q2. Which control is missing?
A. Input control
B. Processing control
C. Access control
D. Output control

 Answer: C
👉 Master data requires restricted access.

🔹 CASE 3: Incomplete Documentation

Invoices are processed without supporting purchase orders.

Q3. This indicates failure of:
A. Matching control
B. Authorization control
C. Reconciliation control
D. Backup control

 Answer: A
👉 3-way matching (PO, GRN, Invoice) missing.

🔹 CASE 4: Duplicate Payments

System lacks validation checks, leading to duplicate vendor payments.

Q4. Which control would prevent this?
A. Hash totals
B. Edit checks
C. Encryption
D. Batch control

 Answer: B
👉 Edit checks identify duplicates.

🔹 CASE 5: Weak Password Controls

Users share login credentials in AIS.

Q5. What risk arises?
A. Data redundancy
B. Lack of accountability
C. Data normalization
D. Processing delay

 Answer: B
👉 Cannot identify responsible person.

🔹 CASE 6: Missing Deliverables in System Development

System implementation completed without user acceptance testing (UAT).

Q6. Which deliverable is missing?
A. System design document
B. Test plan
C. User acceptance sign-off
D. Data dictionary

 Answer: C
👉 UAT approval is critical before go-live.

 

🔹 CASE 7: No Backup Policy

Company does not maintain backups of financial data.

Q7. This affects which control objective?
A. Confidentiality
B. Integrity
C. Availability
D. Authorization

 Answer: C

🔹 CASE 8: No Version Control

Financial reports are modified without tracking versions.

Q8. Which document control is weak?
A. Document retention
B. Version control
C. Authorization
D. Encryption

 Answer: B

🔹 CASE 9: Unapproved System Changes

IT team deploys changes directly into production.

Q9. Which control is violated?
A. Change management control
B. Input control
C. Output control
D. Processing control

 Answer: A

🔹 CASE 10: Missing Reconciliation

Bank statements are not reconciled regularly.

Q10. This leads to:
A. Data redundancy
B. Undetected errors/fraud
C. Faster reporting
D. Improved accuracy

 Answer: B

🔹 Q11

Which of the following is the BEST control for ensuring completeness of input data?
A. Check digits
B. Sequence checks
C. Password controls
D. Encryption

 Answer: B

🔹 Q12

Absence of source documents primarily affects:
A. Accuracy
B. Authorization
C. Auditability
D. Confidentiality

 Answer: C

Auditability is the capacity of an organization's records, processes, or AI systems to be independently verified, traced, and reviewed for accuracy, compliance, and security. It requires structured logging, transparent documentation, and accessible data trails to ensure accountability, prevent fraud, and meet regulatory standards.

🔹 Q13

Which control ensures transactions are processed only once?
A. Run-to-run totals
B. Validity checks
C. Reasonableness tests
D. Limit checks

 Answer: A

In the context of IT auditing and application controls, these terms refer to programmed procedures designed to ensure data integrity, accuracy, and completeness: 

• Run-to-run totals: These are control totals (such as record counts, hash totals, or financial sums) calculated at one processing step and compared to totals at the next step to ensure no data was lost, added, or unauthorized changes occurred during processing.
• Validity checks: These controls compare data entered into a field against a list of pre-defined, acceptable values to ensure the data is legitimate (e.g., verifying a vendor code exists in the master file).
• Reasonableness tests: These verify if a data value is logical or plausible when compared to other related data fields (e.g., checking if an employee's $80/hour pay rate is "reasonable" for their specific job skill code).
• Limit checks: These ensure that numerical data falls within a predetermined upper or lower boundary (e.g., a check to ensure a "hours worked per day" field does not exceed 24).
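The four application controls just listed, implemented over a small payroll batch as an added Python example (not code from the original post): a validity check against a job-code master, a reasonableness test of pay rate against the band for that job code, a limit check on hours per day, and run-to-run totals (record count, hash total over employee IDs, financial sum) compared across two processing steps. The batch, the job codes and the pay bands are constructed for the example; the hours limit of 24 follows the page's own illustration.

```python
from math import isclose

# Constructed hourly-pay input batch (not from the page). emp_id is numeric so it
# can feed a hash total; the three bad records each trip a different check.
BATCH = [
    {"emp_id": 1001, "job_code": "CLK", "rate": 22.0, "hours": 8},
    {"emp_id": 1002, "job_code": "ENG", "rate": 80.0, "hours": 9},
    {"emp_id": 1003, "job_code": "CLK", "rate": 80.0, "hours": 8},   # rate implausible for a clerk
    {"emp_id": 1004, "job_code": "XYZ", "rate": 30.0, "hours": 8},   # job code not in the master table
    {"emp_id": 1005, "job_code": "MGR", "rate": 90.0, "hours": 30},  # more hours than a day has
]

# Assumed master data: valid job codes and the hourly pay band considered plausible for each.
PAY_BANDS = {"CLK": (15.0, 30.0), "ENG": (40.0, 95.0), "MGR": (60.0, 150.0)}
MAX_HOURS_PER_DAY = 24


def validity_check(rec):
    """Validity check: the field value must exist in the master list of acceptable values."""
    return rec["job_code"] in PAY_BANDS


def reasonableness_test(rec):
    """Reasonableness test: the value must be plausible relative to a related field."""
    band = PAY_BANDS.get(rec["job_code"])
    return band is not None and band[0] <= rec["rate"] <= band[1]


def limit_check(rec):
    """Limit check: the value must fall inside a fixed boundary."""
    return 0 <= rec["hours"] <= MAX_HOURS_PER_DAY


def validate_batch(batch):
    """Apply the edit checks; return accepted records and (emp_id, reasons) for rejects."""
    accepted, rejected = [], []
    for rec in batch:
        reasons = []
        if not validity_check(rec):
            reasons.append("validity: unknown job code")
        elif not reasonableness_test(rec):
            reasons.append("reasonableness: rate outside band for job code")
        if not limit_check(rec):
            reasons.append(f"limit: hours outside 0..{MAX_HOURS_PER_DAY}")
        if reasons:
            rejected.append((rec["emp_id"], reasons))
        else:
            accepted.append(rec)
    return accepted, rejected


def control_totals(records):
    """Totals carried from one processing step to the next: a record count, a hash
    total over a non-monetary field, and a financial sum."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["emp_id"] for r in records),
        "gross_pay": sum(r["rate"] * r["hours"] for r in records),
    }


def run_to_run(before, after):
    """Names of totals that changed between steps; an empty list means nothing was lost or added."""
    return [k for k in before if not isclose(before[k], after[k])]


if __name__ == "__main__":
    accepted, rejected = validate_batch(BATCH)
    print("rejected:", rejected)
    step1 = control_totals(accepted)
    # Simulate a downstream step that silently dropped a record.
    step2 = control_totals(accepted[:-1])
    print("run-to-run mismatches:", run_to_run(step1, step2))
```

The hash total has no financial meaning on its own; its value is that a dropped, added or altered record changes it even when the financial sum happens to stay the same, so the two totals are compared together.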

🔹 Q14

Failure to segregate system development and operations leads to:
A. Increased efficiency
B. Higher fraud risk
C. Better control
D. Reduced cost

 Answer: B

🔹 Q15

Which document is MOST critical for understanding system flow?
A. Trial balance
B. Flowchart
C. Ledger
D. Journal

 Answer: B

🔹 Q16

Which weakness may result from lack of data validation?
A. Unauthorized access
B. Incorrect data entry
C. Data theft
D. System crash

 Answer: B

🔹 Q17

Which deliverable ensures system meets user needs?
A. Program code
B. User manual
C. UAT report
D. Backup file

 Answer: C

A User Acceptance Testing (UAT) report summarizes final testing results by actual users to confirm software meets requirements before launch. It details testing efforts, pass/fail status of scenarios, identified defects, and provides a final recommendation (sign-off) for deployment, ensuring the product is fit for purpose.

🔹 Q18

Which control prevents unauthorized program changes?
A. Access logs
B. Change approval process
C. Edit checks
D. Hash totals

 Answer: B

A. Access Logs

Access logs are digital files that record chronological events related to user interactions with a computer system, application, or network. They act as a "security camera" for digital assets, capturing who accessed a resource, when they accessed it (timestamp), the source IP address, the action taken, and whether the attempt was successful. 

• Purpose: To monitor for suspicious activity, investigate breaches, and comply with security regulations (e.g., PCI-DSS, HIPAA).
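An access log of the kind just described (who, when, source address, action, success), parsed and run through two monitoring checks as an added Python example (not code from the original post): a burst of failed logins from one source, and one account logging in from two different addresses within minutes, which is the trace that the shared credentials of Case 5 leave behind and why they destroy accountability. The log lines and their field layout are constructed for the example, as are the five-failure and ten-minute thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (not from the page). Assumed layout:
# "<ISO timestamp> user=<id> src=<ip> action=<verb> result=<ok|fail>"
LOG_LINES = """\
2025-06-01T09:00:01 user=jsmith src=10.0.0.5 action=login result=ok
2025-06-01T09:02:10 user=jsmith src=10.0.0.5 action=edit_vendor result=ok
2025-06-01T09:03:00 user=jsmith src=192.168.7.20 action=login result=ok
2025-06-01T09:03:40 user=jsmith src=192.168.7.20 action=approve_payment result=ok
2025-06-01T09:05:00 user=apatel src=10.0.0.9 action=login result=fail
2025-06-01T09:05:05 user=apatel src=10.0.0.9 action=login result=fail
2025-06-01T09:05:11 user=apatel src=10.0.0.9 action=login result=fail
2025-06-01T09:05:20 user=apatel src=10.0.0.9 action=login result=fail
2025-06-01T09:05:31 user=apatel src=10.0.0.9 action=login result=fail
2025-06-01T09:05:59 user=apatel src=10.0.0.9 action=login result=ok
2025-06-01T10:15:00 user=rlee src=10.0.0.12 action=login result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped here, though in a
    real review a gap in the trail is itself a finding worth counting."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """(user, src) pairs with at least `threshold` failed logins inside a sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            by_key[(e["user"], e["src"])].append(e["ts"])
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return sorted(flagged)


def concurrent_sources(events, window=timedelta(minutes=10)):
    """Accounts with successful logins from more than one source address inside the
    window, the pattern a shared login leaves behind."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "ok":
            logins[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (t1, s1) in enumerate(entries):
            for t2, s2 in entries[i + 1:]:
                if t2 - t1 <= window and s1 != s2:
                    flagged.setdefault(user, set()).update({s1, s2})
    return {u: sorted(s) for u, s in flagged.items()}


def who_did(events, action):
    """Accountability lookup: which account, from which source and when, performed an action."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events if e["action"] == action and e["result"] == "ok"]


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    print(failed_login_bursts(evts))
    print(concurrent_sources(evts))
    print(who_did(evts, "approve_payment"))
```

The last function is the point of keeping the log at all: when a payment approval has to be explained, the record names an account and a source address. If that account is shared, the name no longer identifies a person, which is exactly the accountability loss the Case 5 answer describes.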

B. Change Approval Process

This is a structured, authorized procedure within IT service management (ITIL) that ensures any change to a production system—such as software updates or hardware changes—is reviewed, evaluated, and approved before implementation. 

• Key Elements: It involves assessing risk and impact, often requiring approval from a Change Advisory Board (CAB) or a designated manager to prevent unplanned downtime or security vulnerabilities.

C. Edit Checks

Edit checks are automated input controls (validation rules) integrated into a data processing system to ensure data is accurate, complete, and reasonable before it is processed. Examples include: 

• Range Checks: Checking if an age field is between 0 and 120.
• Consistency Checks: Ensuring "not applicable" is not selected for pregnancy status in male patients.
• Format Checks: Ensuring valid date formats.
• Purpose: To detect data entry errors early and ensure data integrity.

D. Hash Totals

A hash total is a control total calculated by summing non-monetary, numeric fields (such as employee IDs, account numbers, or invoice numbers) to verify that all records have been processed correctly. 

• Purpose: The sum itself has no financial meaning, but if the hash total calculated before processing does not match the hash total calculated after, it signals that records were lost, added, or changed maliciously.

🔹 Q19

Which is an example of poor output control?
A. Encryption of data
B. Report distribution without authorization
C. Input validation
D. Data backup

 Answer: B

🔹 Q20

Lack of proper documentation results in:
A. Better efficiency
B. Poor audit trail
C. Faster processing
D. Improved security

 Answer: B

🔷 CASE-BASED INTEGRATED QUESTION

A company processes payroll through AIS. One employee enters data, approves payroll, and distributes salary. No logs or documents are maintained.

🔹 Q21

Primary weakness:
A. Lack of audit trail
B. Lack of segregation of duties
C. Lack of encryption
D. Lack of backups

 Answer: B

🔹 Q22

Which fraud risk is highest?
A. Inventory theft
B. Ghost employees
C. Tax evasion
D. Insider trading

 Answer: B

🔹 Q23

Which document is missing?
A. Payroll register
B. Purchase order
C. Invoice
D. Ledger

 Answer: A

🔥 KEY EXAM INSIGHTS

  • AIS weaknesses mostly arise due to:
    • Lack of segregation of duties
    • Missing audit trail
    • Weak access controls
    • Poor documentation
    • Inadequate change management
  • Important AIS Controls:
    • Input → validation, completeness
    • Processing → run-to-run totals
    • Output → controlled distribution
    • Master data → restricted access
    • Documentation → audit trail

www.gmsisuccess.in


