Showing posts with label Risk Assessment. Show all posts

Monday, February 9, 2026

MCQ Questions on Internal Control, Corporate Governance, Risk Assessment and Accounting Information Systems



INTERNAL CONTROL – 50 MCQs (US CMA PART 1)


1. Internal Control – Meaning & COSO

Q1. According to COSO, internal control is best described as a process designed to provide:
A. Absolute assurance regarding fraud prevention
B. Reasonable assurance regarding objectives
C. Legal compliance only
D. Risk elimination

Answer: 


Q2. COSO defines internal control as a process effected by:
A. Only top management
B. Only auditors
C. Board of directors, management, and other personnel
D. External consultants

Answer: 


Q3. Which of the following is NOT an objective of internal control under COSO?
A. Effectiveness and efficiency of operations
B. Reliability of financial reporting
C. Elimination of business risk
D. Compliance with laws and regulations

Answer: 


2. COSO Components

Q4. Which COSO component establishes the foundation for all other components?
A. Risk assessment
B. Control activities
C. Information & communication
D. Control environment

Answer: 


Q5. Management identifying and analyzing risks relevant to achieving objectives relates to:
A. Monitoring
B. Risk assessment
C. Control activities
D. Information systems

Answer: 


Q6. Policies and procedures that ensure management directives are carried out are called:
A. Control environment
B. Monitoring
C. Control activities
D. Risk assessment

Answer: 


Q7. Continuous evaluations of internal controls fall under:
A. Monitoring
B. Risk assessment
C. Information & communication
D. Control environment

Answer: 


3. Types of Internal Controls

Q8. Which control is designed to stop an error before it occurs?
A. Detective
B. Corrective
C. Preventive
D. Compensating

Answer: 


Q9. A bank reconciliation primarily serves as a:
A. Preventive control
B. Detective control
C. Corrective control
D. Application control

Answer: 


Q10. Backup data restoration after system failure is a:
A. Preventive control
B. Detective control
C. Corrective control
D. Monitoring control

Answer: 


Q11. A control that reduces risk when a primary control fails is called:
A. Detective
B. Corrective
C. Compensating
D. Monitoring

Answer: 


4. Preventive, Detective & Corrective – Examples

Q12. Which is a preventive control?
A. Internal audit review
B. Authorization of transactions
C. Reconciliation of accounts
D. Error correction entry

Answer: 


Q13. Which is a detective control?
A. Password policy
B. Segregation of duties
C. Exception reports
D. Access control

Answer: 


Q14. Reprocessing rejected transactions represents a:
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control

Answer: 


5. Complementary / Compensating Controls

Q15. Lack of segregation of duties in a small company is best addressed by:
A. Eliminating transactions
B. Hiring more staff
C. Owner’s independent review
D. Ignoring the risk

Answer: 


Q16. Compensating controls are most commonly used when:
A. Risks are eliminated
B. Preventive controls exist
C. Ideal controls are not feasible
D. Auditors require them

Answer: 


6. Inherent Limitations of Internal Control

Q17. Which is an inherent limitation of internal control?
A. Poor documentation
B. Human judgment errors
C. Lack of management support
D. Weak governance

Answer: 


Q18. Internal control cannot provide absolute assurance mainly because of:
A. Technology failure
B. Cost-benefit constraints
C. External audits
D. Regulatory oversight

Answer: 


Q19. Management override of controls is a risk related to:
A. Control activities
B. Monitoring
C. Inherent limitations
D. Risk assessment

Answer: 


7. General Controls & Application Controls

Q20. General IT controls primarily relate to:
A. Specific transaction processing
B. Overall IT environment
C. Data input validation
D. Report accuracy

Answer: 


Q21. Which is a general control?
A. Edit checks
B. User access security
C. Input validation
D. Batch totals

Answer: 


Q22. Which is an application control?
A. Disaster recovery plan
B. Program change control
C. Authorization checks
D. Logical access policy

Answer: 


Q23. Application controls ensure:
A. Proper functioning of IT infrastructure
B. Accuracy and completeness of transactions
C. Segregation of IT duties
D. Data backup

Answer: 


8. Corporate Governance & Internal Control

Q24. Primary responsibility for internal control rests with:
A. Internal auditors
B. Audit committee
C. External auditors
D. Management

Answer: 


Q25. The audit committee enhances internal control mainly by:
A. Preparing financial statements
B. Overseeing financial reporting and controls
C. Managing daily operations
D. Approving transactions

Answer: 


Q26. Strong corporate governance improves internal control by:
A. Eliminating risk
B. Increasing audit fees
C. Enhancing oversight and accountability
D. Reducing regulation

Answer: 


9. Sarbanes–Oxley Act (SOX)

Q27. Section 302 of SOX requires:
A. Auditor attestation on controls
B. Management certification of financial reports
C. Mandatory internal audit
D. Risk elimination

Answer: 


Q28. Under SOX Section 302, CEOs and CFOs must certify:
A. Audit opinion
B. Effectiveness of internal controls
C. Tax returns
D. Budget accuracy

Answer: 


Q29. Section 404 of SOX focuses on:
A. Fraud prevention
B. Management assessment of internal control effectiveness
C. Corporate governance rules
D. Audit committee formation

Answer: 


Q30. Section 404 requires:
A. Only management report
B. Only auditor report
C. Both management assessment and auditor attestation
D. No reporting

Answer: 


10. Identifying Weaknesses in Internal Control

Q31. A material weakness indicates:
A. Minor error
B. Significant deficiency
C. Reasonable possibility of material misstatement
D. No risk

Answer: 


Q32. Which is most likely a control weakness?
A. Independent review
B. Lack of segregation of duties
C. Authorization procedures
D. Monitoring activities

Answer: 


Q33. Which tool helps identify control weaknesses?
A. Bank loans
B. Walkthroughs and testing
C. Budgeting
D. Forecasting

Answer: 


11. Resolving Internal Control Issues

Q34. The best response to identified control deficiencies is to:
A. Ignore immaterial issues
B. Implement corrective actions
C. Delay until audit
D. Transfer risk

Answer: 


Q35. Which action strengthens internal control?
A. Increasing transaction volume
B. Enhancing segregation of duties
C. Reducing documentation
D. Removing monitoring

Answer: 


Q36. Training employees improves internal control by enhancing:
A. Fraud opportunity
B. Control environment
C. Risk elimination
D. Monitoring cost

Answer: 


12. Integrated & Scenario-Based Questions

Q37. An organization with strong preventive controls but weak detective controls faces risk of:
A. Errors not occurring
B. Errors not being identified timely
C. Absolute assurance
D. No risk

Answer: 


Q38. If management ignores known control weaknesses, this affects:
A. Risk assessment
B. Control environment
C. Monitoring
D. Application control

Answer: 


Q39. Excessive reliance on manual controls increases risk of:
A. Automation errors
B. Human error
C. IT failures
D. Cyber risk

Answer: 


Q40. Which control best mitigates management override risk?
A. Authorization
B. Audit committee oversight
C. Input validation
D. Backup systems

Answer: 


13. Advanced CMA-Level Questions

Q41. A control that is effective but too costly violates which principle?
A. Reasonable assurance
B. Segregation of duties
C. Control activities
D. Monitoring

Answer: 


Q42. Which COSO component is most impacted by unethical leadership?
A. Risk assessment
B. Control activities
C. Control environment
D. Monitoring

Answer: 


Q43. Poor documentation primarily affects:
A. Preventive controls
B. Detective controls
C. Monitoring
D. Information & communication

Answer: 


Q44. Unauthorized program changes indicate weakness in:
A. Application control
B. Input control
C. General control
D. Monitoring

Answer: 


Q45. Batch totals are used to ensure:
A. System security
B. Data completeness
C. Disaster recovery
D. User authorization

Answer: 


14. Final Conceptual MCQs

Q46. Which statement about internal control is TRUE?
A. It guarantees fraud prevention
B. It provides reasonable assurance
C. It eliminates business risk
D. It replaces management responsibility

Answer: 


Q47. Internal audit primarily assists management by:
A. Managing operations
B. Designing strategy
C. Evaluating internal controls
D. Preparing financials

Answer: 


Q48. Continuous monitoring of controls improves:
A. Risk elimination
B. Timely detection of issues
C. Audit independence
D. Cost reduction only

Answer: 


Q49. Which factor most weakens internal control effectiveness?
A. Strong governance
B. Ethical culture
C. Management override
D. Automation

Answer: 


Q50. The ultimate goal of an internal control system is to:
A. Reduce audit work
B. Prevent all fraud
C. Achieve organizational objectives
D. Increase compliance cost

Answer: 


www.gmsisuccess.in

Here are US CMA Part 1–style MCQs with answers on Corporate Governance, Board Duties, Audit Committee Duties, and Management Responsibilities for effective operations & internal control.
These are conceptual, exam-oriented, and slightly tricky, exactly how CMA likes them.


CORPORATE GOVERNANCE & INTERNAL CONTROL

MCQs (US CMA PART 1)


A. Corporate Governance – Concepts

Q1. Corporate governance primarily focuses on:
A. Day-to-day operations
B. Maximizing short-term profits
C. Accountability, fairness, and transparency
D. External audit procedures

Answer: 


Q2. The primary objective of corporate governance is to:
A. Eliminate business risk
B. Protect stakeholder interests
C. Replace management decisions
D. Reduce operational costs

Answer: 


Q3. Which of the following is a key mechanism of corporate governance?
A. Operational budgeting
B. Board of directors
C. Employee training
D. Internal audit planning

Answer: 


Q4. Strong corporate governance is MOST likely to result in:
A. Increased fraud risk
B. Improved internal control effectiveness
C. Elimination of internal audits
D. Reduced regulatory compliance

Answer: 


B. Board of Directors – Duties & Responsibilities

Q5. The board of directors’ PRIMARY responsibility is to:
A. Prepare financial statements
B. Manage daily operations
C. Oversee management and strategy
D. Perform internal audits

Answer: 


Q6. Which of the following is NOT a duty of the board of directors?
A. Approving major policies
B. Hiring and evaluating the CEO
C. Performing transaction authorization
D. Overseeing risk management

Answer: 


Q7. The board ensures ethical conduct primarily through:
A. Budget control
B. Code of conduct and tone at the top
C. External audits
D. Performance incentives

Answer: 


Q8. Which board responsibility most directly supports effective internal control?
A. Selecting accounting methods
B. Establishing audit committee
C. Approving journal entries
D. Reconciling bank accounts

Answer: 


Q9. The board’s oversight role reduces which risk most significantly?
A. Market risk
B. Management override risk
C. Currency risk
D. Liquidity risk

Answer: 


C. Audit Committee – Duties & Responsibilities

Q10. The audit committee primarily serves as a link between:
A. Management and employees
B. External auditors and internal auditors
C. Board of directors and auditors
D. Regulators and management

Answer: 


Q11. Which of the following is a key responsibility of the audit committee?
A. Preparing financial statements
B. Overseeing financial reporting integrity
C. Approving operational budgets
D. Managing company operations

Answer: 


Q12. Audit committee members should be:
A. Company executives
B. Independent directors
C. Internal auditors
D. External consultants

Answer: 


Q13. Which activity BEST supports audit committee independence?
A. Participation in daily operations
B. Direct communication with external auditors
C. Authorizing transactions
D. Designing control activities

Answer: 


Q14. The audit committee is directly responsible for overseeing:
A. Strategic planning
B. Internal control over financial reporting
C. Marketing strategy
D. Employee performance

Answer: 


Q15. Which function typically reports functionally to the audit committee?
A. Operations
B. Marketing
C. Internal audit
D. Human resources

Answer: 


D. Management Responsibilities – Operations & Internal Control

Q16. Management is primarily responsible for:
A. Auditing internal controls
B. Designing and implementing internal controls
C. Approving audit opinions
D. Ensuring auditor independence

Answer: 


Q17. Which management responsibility MOST directly affects operational effectiveness?
A. External audit coordination
B. Risk assessment and control design
C. Board evaluation
D. Regulatory enforcement

Answer: 


Q18. Management demonstrates commitment to internal control by:
A. Delegating all control activities
B. Establishing clear policies and procedures
C. Eliminating detective controls
D. Reducing documentation

Answer: 


Q19. Management override of controls is primarily a failure of:
A. Risk assessment
B. Control activities
C. Monitoring
D. Control environment

Answer: 


Q20. Which action by management strengthens the control environment?
A. Ignoring minor violations
B. Promoting ethical values
C. Increasing transaction volume
D. Limiting audit access

Answer: 


E. Effective Internal Control System – Integrated View

Q21. An effective internal control system provides:
A. Absolute assurance
B. Reasonable assurance
C. Guaranteed fraud prevention
D. Complete risk elimination

Answer: 


Q22. Segregation of duties is MOST closely related to which COSO component?
A. Risk assessment
B. Control activities
C. Monitoring
D. Information & communication

Answer: 


Q23. Continuous evaluations of controls are part of:
A. Control environment
B. Risk assessment
C. Monitoring
D. Governance

Answer: 


Q24. A strong internal control system is LEAST effective when:
A. Board oversight is weak
B. Controls are documented
C. Risks are assessed
D. Monitoring exists

Answer: 


Q25. Which factor MOST enhances internal control effectiveness?
A. Increased automation only
B. Strong tone at the top
C. High transaction volume
D. External regulation

Answer: 


F. Scenario-Based / CMA-Style Questions

Q26. If the board fails to challenge management decisions, the greatest risk is:
A. Market volatility
B. Management override of controls
C. Increased audit cost
D. Operational inefficiency only

Answer: 


Q27. An audit committee that lacks financial expertise increases risk related to:
A. Strategic planning
B. Financial reporting reliability
C. Operational efficiency
D. Employee morale

Answer: 


Q28. Management focusing only on financial controls but ignoring operational controls may result in:
A. Strong governance
B. Ineffective operations
C. Better compliance
D. Reduced risk

Answer: 


Q29. Which action BEST demonstrates effective governance?
A. CEO dominance over board
B. Independent audit committee oversight
C. Limited internal audit access
D. Management-only risk assessment

Answer: 


Q30. In an effective governance structure, internal audit should report:
A. Administratively to CFO and functionally to audit committee
B. Only to management
C. Only to external auditors
D. Only to regulators

Answer: 


Exam Tip (CMA Favorite Area):

  • Board = Oversight
  • Audit Committee = Financial reporting & internal control oversight
  • Management = Design, implement & operate controls
  • Internal Control = Reasonable assurance, not guarantee




RISK ASSESSMENT & INTERNAL CONTROL SYSTEM

MCQs (US CMA PART 1)


A. Risk Assessment – Core Concepts

Q1. Risk assessment under the COSO framework involves:
A. Eliminating all risks
B. Identifying and analyzing risks to achieving objectives
C. Detecting errors after occurrence
D. Implementing corrective controls

Answer: 


Q2. Risk assessment is MOST closely related to which COSO component?
A. Control environment
B. Control activities
C. Risk assessment
D. Monitoring

Answer: 


Q3. Which of the following BEST describes business risk?
A. Risk of audit failure
B. Risk of incorrect financial statements only
C. Risk that events will adversely affect achievement of objectives
D. Risk eliminated by internal controls

Answer: 


Q4. Which risk arises from ineffective or failed internal controls?
A. Inherent risk
B. Residual risk
C. Control risk
D. Detection risk

Answer: 


B. Risk Identification & Analysis

Q5. The FIRST step in risk assessment is to:
A. Design control activities
B. Identify relevant risks
C. Evaluate monitoring controls
D. Correct deficiencies

Answer: 


Q6. Which factor MOST affects risk assessment?
A. Changes in business environment
B. Historical audit findings only
C. External audit opinion
D. Accounting policies

Answer: 


Q7. Rapid growth in operations increases risk primarily due to:
A. Strong controls
B. Inadequate control adaptation
C. Improved governance
D. Reduced transactions

Answer: 


Q8. Risk assessment should be performed:
A. Once at formation
B. Only during audits
C. Continuously and periodically
D. Only after control failure

Answer: 


C. Inherent, Residual & Control Risk

Q9. Inherent risk is best described as:
A. Risk remaining after controls
B. Risk caused by auditors
C. Risk existing before controls
D. Risk eliminated by governance

Answer: 


Q10. Residual risk refers to:
A. Total business risk
B. Risk before controls
C. Risk remaining after controls
D. Detection risk

Answer: 


Q11. High inherent risk requires management to:
A. Ignore control design
B. Implement stronger controls
C. Eliminate monitoring
D. Reduce documentation

Answer: 


D. Risk Assessment & Internal Control Relationship

Q12. Risk assessment helps management to:
A. Detect errors
B. Determine appropriate control activities
C. Eliminate fraud
D. Replace monitoring

Answer: 


Q13. Failure to assess risk properly MOST likely results in:
A. Strong internal controls
B. Ineffective control activities
C. Reduced operational efficiency
D. Better compliance

Answer: 


Q14. Which internal control component is directly influenced by risk assessment outcomes?
A. Control environment
B. Control activities
C. Monitoring
D. Governance

Answer: 


E. Risk Response & Control Design

Q15. Which is NOT a common risk response?
A. Risk avoidance
B. Risk reduction
C. Risk acceptance
D. Risk elimination

Answer: 


Q16. Implementing segregation of duties is primarily a response to:
A. Market risk
B. Control risk
C. Liquidity risk
D. Compliance risk

Answer: 


Q17. Which control BEST addresses high fraud risk?
A. Detective controls only
B. Preventive controls
C. No controls
D. Monitoring only

Answer: 


Q18. Compensating controls are MOST appropriate when:
A. Risks are eliminated
B. Primary controls are not feasible
C. Controls already exist
D. Auditors require them

Answer: 


F. Risk Assessment in Operations & Reporting

Q19. Risk assessment related to financial reporting focuses on:
A. Market volatility
B. Accuracy and reliability of financial statements
C. Employee performance
D. Customer satisfaction

Answer: 


Q20. Operational risk primarily affects:
A. Financial statement presentation
B. Efficiency and effectiveness of operations
C. Audit opinion
D. Compliance reporting

Answer: 


Q21. Compliance risk arises from:
A. Operational inefficiency
B. Failure to follow laws and regulations
C. Weak segregation of duties
D. System downtime

Answer: 


G. Monitoring Risk & Control Effectiveness

Q22. Continuous monitoring helps management to:
A. Eliminate risk
B. Identify control deficiencies timely
C. Replace risk assessment
D. Avoid governance oversight

Answer: 


Q23. Which indicates a failure in risk assessment?
A. Controls not aligned with risk level
B. Strong governance
C. Regular monitoring
D. Ethical leadership

Answer: 


H. Scenario-Based / CMA-Tricky Questions

Q24. Management identifies a high risk but implements weak controls. This indicates failure in:
A. Monitoring
B. Risk response
C. Information & communication
D. Control environment

Answer: 


Q25. A company with outdated risk assessments is MOST exposed to:
A. Reduced audit cost
B. Emerging risks
C. Strong control environment
D. Low residual risk

Answer: 


Q26. Excessive reliance on detective controls increases risk of:
A. Errors occurring
B. Late error detection
C. Strong prevention
D. Risk elimination

Answer: 


Q27. Management override risk should be considered during:
A. Risk identification
B. Control design
C. Monitoring
D. All of the above

Answer: 


I. Integrated COSO-Based Questions

Q28. Risk assessment interacts MOST closely with:
A. Control activities and monitoring
B. External audit
C. Budgeting
D. Financial reporting only

Answer: 


Q29. A well-designed internal control system reduces:
A. Inherent risk
B. Residual risk
C. Business uncertainty
D. External risk

Answer: 


Q30. The PRIMARY purpose of risk assessment in internal control is to:
A. Prevent all losses
B. Design effective and efficient controls
C. Reduce audit effort
D. Comply with regulations only

Answer: 


CMA Exam Quick Memory Aid

  • Risk Assessment = Identify → Analyze → Respond
  • Controls must match risk level
  • Risk is dynamic → assessment must be ongoing
  • Goal = Reduce residual risk to acceptable level 



ACCOUNTING INFORMATION SYSTEMS (AIS) & INTERNAL CONTROL


A. Accounting Information System – Basics

Q1. The primary purpose of an Accounting Information System (AIS) is to:
A. Eliminate accounting errors
B. Collect, process, and report financial information
C. Replace management judgment
D. Detect fraud only

Answer: 


Q2. Which AIS component captures transaction data?
A. Output
B. Processing
C. Input
D. Storage

Answer: 


Q3. An effective AIS should provide information that is:
A. Complex and detailed
B. Timely, accurate, and relevant
C. Only historical
D. Only for auditors

Answer: 


B. AIS & Internal Control Relationship

Q4. Internal controls in AIS primarily ensure:
A. High profits
B. Data reliability and system integrity
C. Faster processing only
D. Reduced staffing

Answer: 


Q5. Which COSO objective is MOST directly supported by AIS?
A. Operational efficiency
B. Reliability of financial reporting
C. Corporate governance
D. Compliance monitoring

Answer: 


Q6. A weakness in AIS controls MOST directly affects:
A. Marketing decisions
B. Financial statement reliability
C. Employee morale
D. Customer satisfaction

Answer: 


C. General Controls vs Application Controls

Q7. Controls that relate to the overall IT environment are called:
A. Application controls
B. Preventive controls
C. General controls
D. Detective controls

Answer: 


Q8. Which of the following is a general control?
A. Input validation checks
B. User access security
C. Edit checks
D. Batch totals

Answer: 


Q9. Which of the following is an application control?
A. Disaster recovery plan
B. Program change control
C. Authorization of transactions
D. Logical access policy

Answer: 


Q10. Application controls primarily ensure:
A. IT infrastructure reliability
B. Accuracy, completeness, and validity of transactions
C. System availability only
D. Cybersecurity compliance

Answer: 


D. Input, Processing & Output Controls

Q11. Which control ensures only valid data is entered into the system?
A. Output control
B. Processing control
C. Input control
D. General control

Answer: 


Q12. Edit checks and reasonableness tests are examples of:
A. Output controls
B. Input controls
C. Processing controls
D. Monitoring controls

Answer: 


Q13. Run-to-run totals help ensure:
A. Authorized access
B. Processing accuracy and completeness
C. Proper segregation of duties
D. Data backup

Answer: 


Q14. Reviewing exception reports is primarily a:
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control

Answer: 


E. Data Security & Access Controls

Q15. Restricting system access using passwords is a:
A. Detective control
B. Corrective control
C. Preventive control
D. Monitoring control

Answer: 


Q16. Which control BEST reduces the risk of unauthorized data modification?
A. Backup files
B. Logical access controls
C. Error reports
D. Reconciliations

Answer: 


Q17. Segregation of duties in AIS helps prevent:
A. System downtime
B. Fraud and errors
C. Data storage issues
D. Reporting delays

Answer: 


F. AIS Risks & Control Weaknesses

Q18. Lack of program change controls increases risk of:
A. Data input errors
B. Unauthorized system modifications
C. Poor audit opinions
D. Late reporting

Answer: 


Q19. Excessive reliance on automated controls without monitoring may lead to:
A. Stronger controls
B. Undetected system failures
C. Reduced risk
D. Better compliance

Answer: 


Q20. Which situation indicates a weakness in AIS internal control?
A. Regular backup and recovery testing
B. Shared user IDs
C. Access logs review
D. Segregation of duties

Answer: 
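
The segregation-of-duties and logical-access questions in sections E and F above (Q16, Q17, Q20) describe the controls in words only. The Python script below is an added example, not part of the original post, showing how a reviewer would actually test them: it checks role assignments against a segregation-of-duties conflict matrix (a preventive control) and flags accounts whose logins suggest a shared user ID (a detective control run over access logs). The role names, the conflict matrix, the user list, the login records and the ten-minute window are all constructed for the example and do not come from any real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed segregation-of-duties conflict matrix: a user holding both roles of a
# pair could initiate and approve the same transaction. Role names are made up.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
}

# Constructed role assignments, as they might be exported from an ERP.
USER_ROLES = {
    "alice": {"vendor_create", "invoice_entry"},
    "bob":   {"vendor_create", "payment_approve"},     # can set up a vendor and pay it
    "carol": {"journal_post", "journal_approve"},      # can post and approve own journals
    "dave":  {"user_admin"},
}

# Constructed login records (one event per line, a simple access-log export).
ACCESS_LOG = """\
2026-02-09T09:00:12 LOGIN user=alice src=10.1.1.5
2026-02-09T09:02:40 LOGIN user=apclerk src=10.1.1.8
2026-02-09T09:03:10 LOGIN user=apclerk src=10.1.2.17
2026-02-09T09:05:55 LOGIN user=bob src=10.1.1.9
2026-02-09T09:06:02 LOGOUT user=bob src=10.1.1.9
2026-02-09T13:30:00 LOGIN user=alice src=10.1.1.5
2026-02-09T13:31:21 LOGIN user=apclerk src=10.1.3.4
"""


def sod_violations(user_roles, conflicts=SOD_CONFLICTS):
    """Preventive-control check: which users hold both roles of a conflicting pair.
    Returns {user: [(role_a, role_b), ...]} with each pair sorted."""
    findings = {}
    for user, roles in user_roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            findings[user] = hits
    return findings


def parse_access_log(text):
    """Parse 'timestamp ACTION user=<id> src=<addr>' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, action, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(ts), action,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def shared_id_candidates(events, window=timedelta(minutes=10)):
    """Detective-control check: accounts that log in from two or more distinct
    sources within `window`, a sign that one user ID is used by several people."""
    logins = defaultdict(list)
    for ts, action, user, src in events:
        if action == "LOGIN":
            logins[user].append((ts, src))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            sources = {src for ts, src in entries[i:] if ts - start <= window}
            if len(sources) >= 2:
                flagged[user] = sorted(sources)
                break
    return flagged


def access_review(user_roles=USER_ROLES, log_text=ACCESS_LOG):
    """Combine both checks into one review report."""
    return {
        "sod_violations": sod_violations(user_roles),
        "shared_ids": shared_id_candidates(parse_access_log(log_text)),
    }


if __name__ == "__main__":
    for section, items in access_review().items():
        print(section, items)
```

On the constructed data the review reports bob and carol as segregation-of-duties violations and apclerk as a probable shared ID (two workstations within a minute of each other). In a real review the conflict matrix would come from the organisation's own process design, and a flagged account is a lead for follow-up, not proof of misuse.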


G. AIS & COSO Integration

Q21. AIS contributes MOST directly to which COSO component?
A. Control environment
B. Risk assessment
C. Information and communication
D. Monitoring

Answer: 


Q22. Automated controls mainly strengthen which COSO component?
A. Control activities
B. Control environment
C. Risk assessment
D. Governance

Answer: 


Q23. Inadequate AIS documentation primarily affects:
A. Control activities
B. Information and communication
C. Monitoring
D. Risk elimination

Answer: 


H. Scenario-Based / CMA-Tricky Questions

Q24. If AIS processes transactions accurately but allows unauthorized access, the weakness is in:
A. Application controls
B. General controls
C. Output controls
D. Processing controls

Answer: 


Q25. Management override of AIS controls MOST directly threatens:
A. Operational efficiency
B. Reliability of financial reporting
C. System availability
D. Data storage

Answer: 


Q26. A strong AIS with weak governance is MOST exposed to:
A. Data redundancy
B. Fraud risk
C. Processing delays
D. System cost overrun

Answer: 


I. Final Integrated Questions

Q27. An effective AIS internal control system provides:
A. Absolute assurance
B. Reasonable assurance
C. Guaranteed fraud prevention
D. Zero system risk

Answer: 


Q28. Which control ensures completeness of batch processing?
A. Passwords
B. Batch totals
C. Firewalls
D. Backup files

Answer: 


Q29. Internal audit’s role in AIS controls is to:
A. Operate the system
B. Evaluate system controls
C. Design transactions
D. Approve user access

Answer: 


Q30. The PRIMARY goal of AIS controls is to:
A. Reduce IT costs
B. Ensure reliable financial information
C. Increase automation
D. Support external audit only

Answer: 


CMA Exam Quick Recall

  • AIS + Internal Control = Reliable, timely, accurate data
  • General controls → Overall IT environment
  • Application controls → Transaction accuracy & completeness
  • Control gives reasonable assurance, not guarantee.
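
Section D (input, processing and output controls) and Q28 above, like Q45 in the first set, name batch totals, run-to-run totals, edit checks and reasonableness tests without showing what the checks do. The Python script below is an added example, not taken from the original post: it runs a constructed invoice batch through those application controls, rejecting records that fail edit checks, balancing the keyed batch against the clerk's header totals (record count, financial total, hash total) before anything is posted, and re-totalling the output of the processing step so a record silently dropped in processing is caught by the run-to-run check. The batch, the vendor master file, the per-invoice limit and the convention that the hash total is the sum of the numeric part of the vendor IDs are all assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation
from datetime import date

# Constructed sample batch (what the clerk keyed) and the clerk's header totals
# computed from the source documents. The hash total is the sum of the numeric
# part of the vendor IDs: 42 + 17 + 42 = 101 (an assumed convention).
INPUT_BATCH = [
    {"doc_no": "INV-1001", "vendor_id": "V0042", "amount": "1250.00", "date": "2026-02-03"},
    {"doc_no": "INV-1002", "vendor_id": "V0017", "amount": "89.99",   "date": "2026-02-03"},
    {"doc_no": "INV-1003", "vendor_id": "V0042", "amount": "430.50",  "date": "2026-02-04"},
]
BATCH_HEADER = {"record_count": 3, "financial_total": "1770.49", "hash_total": 101}

KNOWN_VENDORS = {"V0042", "V0017", "V0099"}      # assumed vendor master file
REASONABLE_MAX = Decimal("10000.00")             # assumed per-invoice limit


def edit_checks(rec):
    """Input controls on one record: format, validity against the master file,
    numeric/range (reasonableness) and date checks. Returns a list of failures."""
    errors = []
    if not rec.get("doc_no", "").startswith("INV-"):
        errors.append("doc_no format")
    if rec.get("vendor_id") not in KNOWN_VENDORS:
        errors.append("unknown vendor")
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount > REASONABLE_MAX:
            errors.append("amount outside reasonable range")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("date not valid")
    return errors


def control_totals(batch):
    """Batch totals: record count, financial total, and a hash total over the
    vendor IDs (a meaningless sum kept only to detect lost or altered records)."""
    return {
        "record_count": len(batch),
        "financial_total": str(sum((Decimal(r["amount"]) for r in batch), Decimal("0.00"))),
        "hash_total": sum(int(r["vendor_id"][1:]) for r in batch),
    }


def reconcile(expected, actual):
    """Names of the control totals that disagree; an empty list means the batch balances."""
    return sorted(k for k in expected if str(expected[k]) != str(actual[k]))


def post_all(batch):
    """A correct processing step: every record is posted and handed on to the next step."""
    return list(batch)


def process_batch(batch, header, step=post_all):
    """Input -> processing -> output with a control check at each boundary.
    `step` is the processing routine; the run-to-run check re-totals its output."""
    report = {"rejected": {}, "batch_balance": [], "run_to_run": [], "posted": 0}
    for rec in batch:
        failures = edit_checks(rec)
        if failures:
            report["rejected"][rec["doc_no"]] = failures
    # Batch balancing: the keyed batch must agree with the clerk's header totals.
    report["batch_balance"] = reconcile(header, control_totals(batch))
    if report["rejected"] or report["batch_balance"]:
        return report                 # batch goes back for correction and reprocessing
    posted = step(batch)
    # Run-to-run: totals computed from the step's output must equal the totals that went in.
    report["run_to_run"] = reconcile(control_totals(batch), control_totals(posted))
    report["posted"] = len(posted)
    return report


if __name__ == "__main__":
    print(process_batch(INPUT_BATCH, BATCH_HEADER))
```

Two points the questions hint at but do not spell out: a financial total alone misses a record whose vendor was keyed as another valid vendor for the same amount, which is exactly what the hash total is for; and batch balancing at input cannot catch a record lost inside processing, which is why the totals are carried forward and re-checked run to run.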

Saturday, January 3, 2026

Risk Assessment: notes helpful for CIA Part 1 & US CMA Part 2 students

 

Below is a high-yield, exam-oriented revision sheet for Risk Assessment, integrating both US CMA Part 2 and CIA Part 1 perspectives. I’ve clearly highlighted what each exam emphasizes, along with keywords, traps, and must-remember frameworks.


1. Meaning of Risk Assessment (Exam-Ready Definition)

Risk Assessment =

A systematic process of identifying, analyzing, and prioritizing risks that may prevent an organization from achieving its objectives.

Key Exam Angle

  • CIA Part 1 → Governance, internal control, assurance focus
  • CMA Part 2 → Decision-making, performance, financial & strategic risk focus

2. Types of Risks – VERY IMPORTANT (Both Exams)

A. Strategic Risk

  • Poor business strategy
  • Wrong market entry
  • Failure to adapt to technology
  • M&A failure

Exam keyword: Long-term objectives, external environment


B. Operational Risk

CIA loves: segregation of duties, process controls
CMA loves: impact on cost, productivity, margins


C. Financial Risk (CMA Part 2 Heavy Area)

Red flag: High leverage + unstable cash flows


D. Compliance Risk (CIA Part 1 Favorite)

  • Violation of laws & regulations
  • Non-compliance with policies
  • Regulatory penalties

Exam keyword: Regulatory environment, legal exposure


E. Reputational Risk

Often tested as a consequence, not a primary risk


3. Risk Assessment Process – Must Memorize Steps

Step 1: Risk Identification

Methods:

CIA focus: involvement of management & auditors
CMA focus: identification linked to objectives


Step 2: Risk Analysis

Analyze:

  • Likelihood (Probability)
  • Impact (Severity)

Tools:

📌 Exam trick:
High impact + low probability ≠ ignore (e.g., fraud, disaster)


Step 3: Risk Evaluation / Prioritization

Keyword: Risk tolerance vs risk appetite


4. Inherent Risk vs Residual Risk (EXAM GOLD)

  • Inherent Risk = Risk before controls
  • Residual Risk = Risk after controls

📌 CIA exam trap:
If controls are weak → residual risk remains high


5. Risk Responses / Risk Treatment (Frequently Tested)

Four Classic Responses (Remember: T-A-R-A)

  1. Terminate (Avoid)
    – Exit risky activity

  2. Treat (Reduce/Mitigate)
    – Implement controls

  3. Transfer (Share)
    – Insurance, outsourcing

  4. Tolerate (Accept)
    – When cost of control > benefit

CMA Part 2 loves decision logic
CIA Part 1 loves control-based mitigation


6. Risk Appetite & Risk Tolerance (Very Confusing Area)

  • Risk Appetite → Overall level of risk organization is willing to accept
  • Risk Tolerance → Acceptable deviation from objectives

📌 CIA exam wording:
Board sets risk appetite, management operates within risk tolerance


7. Enterprise Risk Management (ERM) – COSO Framework

COSO ERM Components (CMA + CIA)

  1. Governance & Culture
  2. Strategy & Objective Setting
  3. Performance
  4. Review & Revision
  5. Information, Communication & Reporting

📌 CIA emphasis: governance & board oversight
📌 CMA emphasis: strategy alignment & performance impact


8. Role of Internal Auditor in Risk Assessment (CIA Part 1 CORE)

Internal Auditors:

  • Evaluate effectiveness of risk management
  • Provide assurance, not ownership
  • Must remain independent & objective

Exam trap:
Internal auditors do NOT set risk appetite


9. Risk Assessment & Internal Control Link (CIA Favorite)

  • Risk assessment drives control design
  • Poor risk assessment = ineffective controls
  • Controls must address key risks, not all risks

📌 Keyword: Reasonable assurance, not absolute assurance


10. Continuous Risk Assessment (Modern Exam Trend)

CIA loves: continuous auditing
CMA loves: real-time decision support


11. Common Exam Traps & How to Avoid Them

Trap → Correct Thinking

  • Eliminating all risk → Impossible
  • High probability = highest priority → Impact also matters
  • Auditor managing risk → Auditor evaluates only
  • Risk = only financial → Risk is multidimensional

12. One-Line Power Statements for Revision

  • “Risk assessment aligns risks with objectives.”
  • “Residual risk determines acceptability.”
  • “Risk appetite is strategic; tolerance is operational.”
  • “Controls mitigate risk, they do not eliminate it.”
  • “ERM integrates risk into decision-making.”

13. How Questions Differ in Exams

CIA Part 1

  • Governance driven
  • Control effectiveness
  • Auditor independence
  • Ethical & compliance risk

CMA Part 2

  • Strategy & performance
  • Financial outcomes
  • Risk-return trade-off
  • Decision making



Below is a complete, exam-oriented MASTER NOTE covering CIA Part 1 + US CMA Part 2 for Risk, Internal Control, COSO, COBIT, AIS, Application Controls, Fraud Risk & Risk Measurement.
This is structured exactly the way scenario-based MCQs and essays are framed in the exams.


1. TYPES OF RISK (VERY HIGH EXAM WEIGHT)

1. Strategic Risk

Meaning: Risk arising from wrong or ineffective business strategy.

Examples (Must Quote in Exam):

  • Entering a declining market
  • Failure to adopt digital technology
  • Poor merger/acquisition decision
  • Loss of competitive advantage

CIA Focus: Board oversight & governance
CMA Focus: Impact on long-term profitability


2. Operational Risk

Meaning: Risk from internal processes, people, and systems.

Examples:

  • Production breakdown
  • Supply chain disruption
  • System downtime
  • Human error

CIA Focus: Internal controls
CMA Focus: Cost inefficiency & productivity loss


3. Financial Risk

  • Liquidity risk
  • Credit risk
  • Market risk (interest, forex)
  • Solvency risk

CMA Part 2 HEAVY AREA


4. Compliance Risk

  • Violation of laws/regulations
  • Non-compliance with policies

CIA Part 1 Favorite


5. Reputational Risk

  • Brand damage
  • Loss of stakeholder trust

Often tested as impact of other risks


2. INTERNAL CONTROL & RISK (CORE CIA AREA)

Relationship:

Internal control exists to manage risk, not eliminate it.

Internal Control Objectives:

  • Effectiveness & efficiency of operations
  • Reliability of financial reporting
  • Compliance with laws

📌 Exam Trap:
Internal control provides reasonable assurance, not absolute assurance.


3. RISK CONCEPT IN COSO FRAMEWORK

COSO Internal Control – Risk Assessment Component

Risk Assessment includes:

  1. Specify objectives
  2. Identify risks
  3. Analyze risks
  4. Manage fraud risk
  5. Identify significant change

📌 CIA loves fraud risk here


COSO ERM – Risk View (CMA + CIA)

Key Concepts:

  • Risk appetite (set by Board)
  • Risk tolerance (operational limits)
  • Inherent risk vs residual risk

📌 CMA exam: ERM aligns risk with strategy
📌 CIA exam: Governance & oversight


4. RISK CONCEPT IN COBIT (IT GOVERNANCE)

COBIT focuses on IT-related risks.

Key Risk Areas:

COBIT Goal:

Ensure IT risks are managed to support business objectives.

📌 CIA Exam Point: COBIT supports internal control over IT.


5. APPLICATION CONTROLS & RISK (VERY IMPORTANT)

Application Controls manage:

  • Input risk
  • Processing risk
  • Output risk

Input Controls

Risks:

  • Unauthorized data entry
  • Incomplete data

Controls:

  • Authorization checks
  • Edit checks
  • Validity checks

Processing Controls

Risks:

  • Incorrect processing
  • Data corruption

Controls:

  • Run-to-run totals
  • Reasonableness tests

Output Controls

Risks:

  • Unauthorized access
  • Inaccurate reports

Controls:

  • Distribution controls
  • Reconciliation

📌 CIA loves linking control weakness → risk
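The three control layers above, worked as an added Python example that is not part of the original notes: edit checks on input, a run-to-run total at the sales-to-GL interface (processing), and a reconciliation of GL postings to the subledger (output). The record layout, authorised-clerk list, account master, limits and sample batch are all constructed.

```python
"""Input, processing and output controls over a constructed sales batch.

Added example, not from the original notes: the record layout, the
authorised-clerk list, the account master, the limits and the sample batch
are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

AUTHORISED_CLERKS = {"clerk01", "clerk02"}  # constructed authorisation list
VALID_REVENUE_ACCOUNTS = {"4000", "4010"}   # constructed GL account master
MAX_SINGLE_SALE = 50_000.0                  # constructed reasonableness limit


@dataclass(frozen=True)
class SaleRecord:
    ref: str                 # document reference
    clerk: str               # user who keyed the sale
    account: str             # GL revenue account to credit
    amount: Optional[float]  # None models an incomplete record


def batch_totals(records):
    """(record count, amount total): the control totals carried between stages."""
    return (len(records), round(sum(r.amount for r in records), 2))


def input_controls(records):
    """Completeness, authorisation, validity and reasonableness edit checks.

    Returns (accepted, rejections); rejections are (ref, reason) pairs so they
    can be reported and re-keyed rather than silently dropped.
    """
    accepted, rejections = [], []
    for r in records:
        if not r.ref or r.amount is None:
            rejections.append((r.ref, "incomplete record"))
        elif r.clerk not in AUTHORISED_CLERKS:
            rejections.append((r.ref, "unauthorised data entry"))
        elif r.account not in VALID_REVENUE_ACCOUNTS:
            rejections.append((r.ref, "invalid account"))
        elif r.amount <= 0 or r.amount > MAX_SINGLE_SALE:
            rejections.append((r.ref, "fails reasonableness test"))
        else:
            accepted.append(r)
    return accepted, rejections


def transfer_to_gl(records, lost_refs=frozenset()):
    """Simulated sales-to-GL interface. lost_refs models records dropped in
    transfer, the processing failure the run-to-run check must catch."""
    return [r for r in records if r.ref not in lost_refs]


def run_to_run_check(before, after):
    """Processing control: totals entering and leaving a stage must agree."""
    expected, actual = batch_totals(before), batch_totals(after)
    return expected == actual, expected, actual


def output_reconciliation(gl_records, subledger_records):
    """Output control: GL credits reconcile to the sales subledger by account.
    Returns {account: (subledger total, GL total)} for every mismatch."""
    def by_account(records):
        out = {}
        for r in records:
            out[r.account] = round(out.get(r.account, 0.0) + r.amount, 2)
        return out
    gl, sub = by_account(gl_records), by_account(subledger_records)
    return {a: (sub.get(a, 0.0), gl.get(a, 0.0))
            for a in sorted(set(gl) | set(sub))
            if sub.get(a, 0.0) != gl.get(a, 0.0)}


def process_batch(records, lost_refs=frozenset()):
    """Run the three control layers and report what each one found."""
    accepted, rejections = input_controls(records)
    posted = transfer_to_gl(accepted, lost_refs)
    ok, expected, actual = run_to_run_check(accepted, posted)
    return {"accepted": len(accepted), "rejections": rejections,
            "run_to_run_ok": ok, "expected_totals": expected,
            "actual_totals": actual,
            "unreconciled_accounts": output_reconciliation(posted, accepted)}


# Constructed sample batch: S1 and S5 are valid, S2 was keyed by an
# unauthorised user, S3 exceeds the reasonableness limit, S4 is incomplete.
SAMPLE_BATCH = [
    SaleRecord("S1", "clerk01", "4000", 1200.50),
    SaleRecord("S2", "intern9", "4000", 300.00),
    SaleRecord("S3", "clerk02", "4010", 75_000.00),
    SaleRecord("S4", "clerk02", "4010", None),
    SaleRecord("S5", "clerk02", "4010", 99.99),
]
```

Running `process_batch(SAMPLE_BATCH, lost_refs={"S5"})` shows the point of the processing layer: the input checks pass, yet the run-to-run totals disagree and the output reconciliation names the account that is short.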


6. ACCOUNTING INFORMATION SYSTEMS (AIS) & RISK

Major AIS Risks:

  • Unauthorized access
  • Data manipulation
  • Loss of data
  • System failure

Controls:

  • Segregation of duties
  • Access controls
  • Audit trails
  • Backup & recovery

📌 Exam trap:
Strong IT controls reduce risk of misstatement, not business risk.


7. STRATEGIC vs OPERATIONAL RISK – EXAM COMPARISON

| Basis | Strategic Risk | Operational Risk |
|---|---|---|
| Nature | Long-term | Day-to-day |
| Level | Board/Top mgmt | Middle/Operational mgmt |
| Example | Wrong market entry | Machine breakdown |
| Control | Policy & governance | Procedures & controls |

8. FRAUD RISK MANAGEMENT (CIA PART 1 CORE)

Fraud Risk = Intentional deception for gain

Types:

  • Asset misappropriation
  • Financial statement fraud
  • Corruption

Fraud Risk Management Steps:

  1. Identify fraud risks
  2. Assess likelihood & impact
  3. Design preventive controls
  4. Implement detective controls
  5. Monitor & respond

📌 CIA Keyword:
Internal auditors evaluate fraud risk management effectiveness.


Common Fraud Controls:

  • Segregation of duties
  • Authorization
  • Whistleblower mechanisms
  • Continuous monitoring

9. HOW TO MEASURE RISK (EXAM GOLD)

1. Qualitative Methods

  • Risk ranking
  • Risk heat map
  • High / Medium / Low

2. Quantitative Methods (CMA Part 2 Focus)

  • Expected value
  • Sensitivity analysis
  • Scenario analysis
  • Probability-weighted outcomes

Risk Formula:

Risk Exposure = Probability × Impact


10. INHERENT RISK vs RESIDUAL RISK

| Risk Type | Meaning |
|---|---|
| Inherent Risk | Before controls |
| Residual Risk | After controls |

📌 CIA exam trap: Weak controls → high residual risk


11. COMMON EXAM TRAPS (VERY IMPORTANT)

❌ Auditor managing risk
✅ Auditor evaluates risk management

❌ Eliminating all risks
✅ Managing within risk appetite

❌ Risk = only financial
✅ Risk includes strategic, operational, IT, fraud


12. ONE-LINE EXAM ANSWERS (MEMORIZE)

  • “Risk assessment aligns risks with organizational objectives.”
  • “Controls mitigate risk but do not eliminate it.”
  • “COBIT addresses IT-related risks.”
  • “Application controls ensure data accuracy, completeness, and authorization.”
  • “Fraud risk requires both preventive and detective controls.”


Below are VERY TOUGH, LENGTHY, EXAM-LEVEL SCENARIO-BASED MCQs integrating CIA Part 1 + US CMA Part 2 on Risk, Internal Control, COSO, COBIT, AIS, Application Controls & Fraud Risk.
These are written in the exact style of real exam questions, with logic-based distractors.


MCQ 1: ERM, Risk Appetite & Governance (CIA + CMA)

A diversified manufacturing company operates in multiple countries and uses a centralized ERP system. The board has approved a formal risk appetite statement emphasizing stable earnings and regulatory compliance, while allowing moderate operational risk to pursue growth.

During an internal audit, it was observed that management continued expanding into high-risk jurisdictions without updating compliance procedures or conducting a revised risk assessment. Senior management argues that growth is aligned with the organization’s strategic objectives.

Which of the following represents the MOST significant weakness from a governance and risk perspective?

A. Management accepted operational risks exceeding its risk tolerance
B. The board failed to design adequate internal controls
C. Management did not align risk assessment with the approved risk appetite
D. Internal audit failed to identify inherent risks early

✅ Correct Answer: C

Why:

  • Board already set risk appetite
  • Management expanded without reassessing compliance risk
  • Misalignment between strategy & risk appetite → COSO ERM failure

Exam Keyword: Risk appetite vs strategy alignment


MCQ 2: Inherent vs Residual Risk & Controls (CIA Part 1 Core)

An organization processes high-value electronic payments through an automated system. Strong authorization controls exist, but system access rights are not reviewed periodically, and terminated employees’ access is not promptly removed.

Which risk classification is MOST appropriate for unauthorized payment after employee termination?

A. Inherent risk remains high due to transaction value
B. Residual risk is high due to ineffective access controls
C. Detection risk is low due to automation
D. Control risk is eliminated through authorization

✅ Correct Answer: B

Why:

  • Controls exist but are ineffective
  • Risk after controls remains high → residual risk

CIA Exam Trap: Authorization ≠ access management


MCQ 3: Application Controls & AIS Risk (CIA Favorite)

A retail company implemented an automated sales system. Input validation checks ensure all sales entries are complete and authorized. However, no controls exist to verify whether data processed by the system is correctly transferred to the general ledger.

Which risk is MOST likely to occur?

A. Unauthorized data entry
B. Incomplete sales transactions
C. Processing errors leading to misstated financial reports
D. Fraudulent override of input controls

✅ Correct Answer: C

Why:

  • Input controls are strong
  • Weak processing/interface controls
  • Risk of incorrect posting to GL

Keyword: Processing control failure → misstatement


MCQ 4: Fraud Risk Management (CIA Part 1 Heavy)

An organization experienced repeated inventory shortages. Management increased physical security and implemented periodic inventory counts. However, the shortages continued.

Internal audit discovered that the same employee was responsible for inventory custody, recording, and reconciliation.

Which action would be the MOST effective fraud risk response?

A. Increase frequency of inventory counts
B. Install additional surveillance cameras
C. Segregate inventory custody and recordkeeping duties
D. Purchase insurance coverage for inventory losses

✅ Correct Answer: C

Why:

  • Root cause = lack of segregation of duties
  • Preventive control is superior to detective or transfer

CIA Exam Keyword: Preventive > Detective


MCQ 5: COSO Risk Assessment & Significant Change

A technology company rapidly adopted cloud-based accounting systems to support remote work. Management did not update its risk assessment or internal controls, assuming existing policies were sufficient.

Which COSO risk assessment principle was MOST clearly violated?

A. Risk identification
B. Fraud risk assessment
C. Identification and assessment of significant change
D. Objective setting

✅ Correct Answer: C

Why:

  • Technology change = significant change
  • Requires reassessment of risk

CIA loves: Change management risk


MCQ 6: COBIT, IT Risk & Governance (CIA + CMA)

An organization outsourced its data center operations to a third party. While cost savings were achieved, no service-level agreements (SLAs) or monitoring controls were implemented.

Which risk is MOST increased?

A. Strategic risk due to loss of market share
B. Operational risk related to IT availability and data integrity
C. Financial reporting risk due to valuation errors
D. Reputational risk due to employee dissatisfaction

✅ Correct Answer: B

Why:

  • COBIT focuses on IT availability & integrity
  • Outsourcing without controls increases IT operational risk

MCQ 7: Risk Measurement & Decision Making (CMA Part 2 Focus)

Management is evaluating two mutually exclusive projects:

| Project | Probability of Loss | Potential Loss |
|---|---|---|
| A | 10% | ₹1,000,000 |
| B | 40% | ₹200,000 |

Risk appetite allows a maximum expected loss of ₹100,000.

Which project(s) fall within risk appetite?

A. Project A only
B. Project B only
C. Both A and B
D. Neither A nor B

✅ Correct Answer: C

Calculation:

  • A → 10% × 1,000,000 = ₹100,000
  • B → 40% × 200,000 = ₹80,000

Both within appetite

CMA Keyword: Expected value


MCQ 8: Strategic vs Operational Risk (Tricky)

A company decides to discontinue a profitable product line to focus on innovative but untested technology. Production inefficiencies later increase costs during implementation.

Which risks are involved?

A. Strategic only
B. Operational only
C. Strategic followed by operational
D. Compliance followed by financial

✅ Correct Answer: C

Why:

  • Decision = strategic risk
  • Implementation issues = operational risk

Very common exam pattern


MCQ 9: Internal Audit Role & Risk Ownership (CIA Trap)

During ERM implementation, management asked internal audit to determine acceptable risk levels for new product launches.

What is the MOST appropriate internal audit response?

A. Accept responsibility to support ERM
B. Recommend risk limits but not approve them
C. Determine risk appetite jointly with management
D. Refuse involvement in ERM activities

✅ Correct Answer: B

Why:

  • Advisory allowed
  • Ownership not allowed

CIA Keyword: Assurance, not ownership


MCQ 10: Application Controls vs General Controls (Very Tricky)

Strong application controls exist in a payroll system. However, system programmers can directly modify production programs without approval.

Which conclusion is MOST appropriate?

A. Payroll risk is low due to strong application controls
B. General control weakness undermines application controls
C. Fraud risk is eliminated through automation
D. Processing controls compensate for access weaknesses

✅ Correct Answer: B

Why:

  • General controls override application controls
  • Classic CIA exam favorite

Final Exam Tip (IMPORTANT)

Always identify:

  1. Type of risk
  2. Control weakness
  3. Framework violated (COSO / COBIT)
  4. Who owns the risk



Below is a high-yield, exam-oriented revision note on Risk Register, Risk Assessment Techniques, and Risk Heat Map, exactly the way they are tested in US CMA (Part 2) and CIA (Part 1 & Part 2) exams.
I’ll focus on definitions + examiner traps + scenario-based logic.


1️⃣ Risk Register (VERY FREQUENTLY TESTED)

📌 What is a Risk Register?

A formal documented list of identified risks with:

  • Description of risk
  • Root cause
  • Impact & likelihood
  • Risk owner
  • Existing controls
  • Residual risk
  • Risk response (accept / mitigate / transfer / avoid)

CIA view: Governance & risk oversight tool
CMA view: Enterprise risk management & strategic decision-making tool


🔑 Key Exam Keywords

| Phrase in question | Meaning |
|---|---|
| “Documented list of risks” | Risk Register |
| “Assigned responsibility” | Risk owner |
| “After controls applied” | Residual risk |
| “Risk response strategy” | Accept / Avoid / Reduce / Share |

⚠️ Exam Traps

  • ❌ Risk register does NOT eliminate risk
  • ❌ It is not a control activity itself
  • ❌ It is not limited to financial risks only

🧠 CIA-Style MCQ Logic

Which document helps management track, prioritize, and assign accountability for risks?

Risk Register


2️⃣ Risk Assessment Techniques (HIGH-SCORING AREA)

📌 Definition

Techniques used to identify, analyze, and evaluate risks based on likelihood and impact.


🔥 COMMONLY TESTED TECHNIQUES

(A) Brainstorming

  • Group-based risk identification
  • Best for early stage ERM
  • Weakness: subjective bias

🧠 Exam trick:

“Initial identification of emerging risks” → Brainstorming


(B) Risk & Control Self-Assessment (RCSA) ⭐⭐

  • Used by management, not auditors
  • Identifies key risks + effectiveness of controls

➡ CIA LOVES THIS

❌ Trap: Internal auditors facilitate, not own RCSA


(C) SWOT Analysis

| Element | Risk Type |
|---|---|
| Strength | Internal |
| Weakness | Internal |
| Opportunity | External |
| Threat | External |

🧠 CMA exam frequently links SWOT to strategic risk


(D) Scenario Analysis / Stress Testing

  • “What-if” analysis
  • Used for low probability, high impact risks

Examples:

  • Cyber attack
  • Liquidity crisis
  • Pandemic

➡ Highly tested in CIA Part 2


(E) Delphi Technique

  • Anonymous expert opinions
  • Avoids group pressure

🧠 Keyword: “Independent expert judgment”


(F) Quantitative Risk Assessment

Uses:

  • Expected value
  • Probability × Impact
  • Sensitivity analysis

➡ CMA numerical MCQs


3️⃣ Risk Heat Map (VERY COMMON MCQs)

📌 What is a Risk Heat Map?

A visual tool plotting:

  • X-axis → Likelihood
  • Y-axis → Impact

Color-coded:

  • 🔴 High risk
  • 🟡 Medium risk
  • 🟢 Low risk

🧠 Exam Focus Points

  • Used for prioritization, not identification
  • Shows inherent vs residual risk
  • Supports risk appetite decisions

⚠️ Examiner Traps

| Wrong belief | Why wrong |
|---|---|
| Heat map reduces risk | It only visualizes |
| Heat map replaces risk register | No |
| Heat map shows controls | Controls affect residual risk only |

CIA-Style Question Logic

Management wants a visual comparison of risks based on severity

Risk Heat Map


4️⃣ Link to COSO ERM (VERY IMPORTANT)

| COSO Component | Related Tool |
|---|---|
| Risk Identification | Brainstorming, SWOT |
| Risk Assessment | Quantitative / Qualitative |
| Risk Response | Risk Register |
| Monitoring | Heat Map, KRIs |
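The register, heat map and appetite check from sections 1 to 4, as an added Python example that is not part of the original notes; it also carries the expected-loss test from MCQ 7 earlier on this page. The 1..5 likelihood and impact scales, the colour thresholds, the control reductions and the sample risks are constructed assumptions.

```python
"""Risk register, heat map and risk-appetite check.

Added example, not part of the original notes. The 1..5 likelihood/impact
scales, the colour thresholds, the control reductions and the sample risks
are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One risk-register row, with the fields the notes list for a register."""
    description: str
    root_cause: str
    owner: str               # risk owner: management, never internal audit
    likelihood: int          # inherent, 1 (rare) .. 5 (almost certain)
    impact: int              # inherent, 1 (minor) .. 5 (severe)
    existing_controls: str
    likelihood_reduction: int = 0  # steps preventive controls remove
    impact_reduction: int = 0      # steps mitigating controls remove
    response: str = "mitigate"     # accept / mitigate / transfer / avoid

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        if self.response not in {"accept", "mitigate", "transfer", "avoid"}:
            raise ValueError("unknown risk response")


def inherent_cell(r):
    """Heat-map position before controls: (likelihood, impact)."""
    return (r.likelihood, r.impact)


def residual_cell(r):
    """Position after controls; a control can never push a score below 1."""
    return (max(1, r.likelihood - r.likelihood_reduction),
            max(1, r.impact - r.impact_reduction))


def exposure(cell):
    """Risk Exposure = Probability x Impact, on the 1..5 scales."""
    return cell[0] * cell[1]


def heat_colour(cell):
    """Constructed thresholds for a 5x5 map: red >= 15, yellow 6..14, green <= 5."""
    score = exposure(cell)
    return "red" if score >= 15 else "yellow" if score >= 6 else "green"


def heat_map(register, view="residual"):
    """Cell -> descriptions. The map only visualises; it changes no risk."""
    place = residual_cell if view == "residual" else inherent_cell
    grid = {}
    for r in register:
        grid.setdefault(place(r), []).append(r.description)
    return grid


def prioritise(register):
    """Order for management attention: highest residual exposure first,
    impact breaking ties (a high-impact risk matters even when unlikely)."""
    return sorted(register,
                  key=lambda r: (exposure(residual_cell(r)), residual_cell(r)[1]),
                  reverse=True)


def above_appetite(register, max_residual_exposure):
    """Risks whose residual exposure still exceeds the stated appetite."""
    return [r for r in register
            if exposure(residual_cell(r)) > max_residual_exposure]


def expected_loss(probability, potential_loss):
    """Quantitative view: probability-weighted loss, rounded to cents."""
    return round(probability * potential_loss, 2)


def within_appetite(probability, potential_loss, max_expected_loss):
    """Appetite test on expected loss, as in the two-project comparison."""
    return expected_loss(probability, potential_loss) <= max_expected_loss


# Constructed register: weak access management leaves high residual risk even
# though an authorisation control exists; the other two are better mitigated.
REGISTER = [
    RiskEntry("Unauthorised payment after employee termination",
              "Access rights not reviewed or revoked", "Head of Payments",
              4, 5, "Payment authorisation only", 0, 1),
    RiskEntry("Supply chain disruption", "Single-source supplier",
              "COO", 3, 4, "Second supplier qualified; safety stock", 1, 1),
    RiskEntry("Cyber attack on accounting system", "Internet-exposed ERP",
              "CIO", 2, 5, "Backups and incident response plan", 0, 1),
]
```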

5️⃣ ULTRA-TRICKY SCENARIO QUESTIONS (EXAM LEVEL)

🧠 Q1 (CIA Style)

Management completes a workshop where department heads evaluate risks and rate existing controls.

RCSA


🧠 Q2 (CMA Style)

Which tool helps compare residual risks across departments?

Risk Heat Map


🧠 Q3 (TRAP)

Which activity ensures risks are eliminated?

❌ None (Risk management reduces, not eliminates risk)


🧠 Q4

Who owns the risk register?

Management, not internal auditors


6️⃣ QUICK EXAM MEMORY TABLE 🧠

| Tool | Purpose | Exam Favourite |
|---|---|---|
| Risk Register | Documentation & accountability | ⭐⭐⭐⭐ |
| RCSA | Control effectiveness | ⭐⭐⭐⭐ |
| Heat Map | Prioritization | ⭐⭐⭐ |
| Scenario Analysis | Extreme risks | ⭐⭐⭐ |
| SWOT | Strategic risk | ⭐⭐⭐ |

🎯 FINAL EXAM TIP (VERY IMPORTANT)

If question says:

  • “Visual” → Heat Map
  • “Documented list” → Risk Register
  • “Management assessment” → RCSA
  • “What-if / crisis” → Scenario analysis



Friday, November 7, 2025

Answers: 125 MCQ Questions with answers on topic Internal Control system control, Governance, Risk Assessment

125 MCQ Questions with answers on topic Internal Control system control, Governance, Risk Assessment


Internal Control and Risk Management

1. What is the primary objective of internal control?

A) To ensure profitability

B) To ensure compliance with laws and regulations

C) To provide reasonable assurance of achieving organizational objectives

D) To detect and prevent fraud


Answer: C) To provide reasonable assurance of achieving organizational objectives


2. Which of the following is a type of internal control?

A) Detective control

B) Preventive control

C) Corrective control

D) All of the above


Answer: D) All of the above


3. What are the components of internal control?

A) Control environment, risk assessment, control activities, information and communication, monitoring

B) Control environment, risk assessment, control activities, information and communication

C) Control environment, risk assessment, control activities, monitoring

D) Control environment, risk assessment, information and communication, monitoring


Answer: A) Control environment, risk assessment, control activities, information and communication, monitoring


Types of Internal Control and Components

4. What is the purpose of a control environment?

A) To identify and assess risks

B) To design and implement control activities

C) To establish a culture of control and ethics

D) To monitor and report on internal control


Answer: C) To establish a culture of control and ethics


5. What is a risk owner?

A) The person responsible for identifying and assessing risks

B) The person responsible for implementing control activities

C) The person responsible for monitoring and reporting on internal control

D) The person responsible for accepting and managing risks


Answer: D) The person responsible for accepting and managing risks


Internal Control Activation and Function

6. What is the first step in activating internal control?

A) Identifying and assessing risks

B) Designing and implementing control activities

C) Establishing a control environment

D) Monitoring and reporting on internal control


Answer: C) Establishing a control environment


7. What is the function of control?

A) To prevent errors and irregularities

B) To detect errors and irregularities

C) To correct errors and irregularities

D) All of the above


Answer: D) All of the above


Efficient Operation of Internal Control

8. When is internal control considered to be efficiently operating?

A) When it provides reasonable assurance of achieving organizational objectives

B) When it detects and prevents all errors and irregularities

C) When it is designed and implemented effectively

D) When it is monitored and reported on regularly


Answer: A) When it provides reasonable assurance of achieving organizational objectives


Inherent Limitations of Internal Control

9. What is an inherent limitation of internal control?

A) Human error

B) Collusion

C) Management override

D) All of the above


Answer: D) All of the above


Types of Control and Risk Management

10. What is application control?

A) Control over the development and implementation of applications

B) Control over the processing of transactions

C) Control over the storage and retrieval of data

D) Control over the security of applications


Answer: A) Control over the development and implementation of applications


11. What is input control?

A) Control over the input of data into a system

B) Control over the processing of transactions

C) Control over the output of data from a system

D) Control over the storage and retrieval of data


Answer: A) Control over the input of data into a system


12. What is process control?

A) Control over the processing of transactions

B) Control over the input of data into a system

C) Control over the output of data from a system

D) Control over the storage and retrieval of data


Answer: A) Control over the processing of transactions


13. What is general control?

A) Control over the overall IT environment

B) Control over specific applications

C) Control over the development and implementation of applications

D) Control over the security of applications


Answer: A) Control over the overall IT environment


Design and Responsibility

14. Who designs control?

A) Management

B) Internal audit

C) External audit

D) Risk management


Answer: A) Management


15. Who is responsible for risk management?

A) Board of directors

B) Management

C) Risk management department

D) Internal audit


Answer: A) Board of directors


Duties and Responsibilities

16. What is the duty of the board of directors?

A) To oversee the internal control system

B) To design and implement control activities

C) To monitor and report on internal control

D) To manage risk


Answer: A) To oversee the internal control system


17. What is the responsibility of the audit committee?

A) To oversee the internal audit function

B) To design and implement control activities

C) To monitor and report on internal control

D) To manage risk


Answer: A) To oversee the internal audit function


Frameworks and Regulations

18. What is COSO?

A) A framework for internal control

B) A framework for risk management

C) A regulation for corporate governance

D) A standard for auditing


Answer: A) A framework for internal control


19. What is COBIT?

A) A framework for IT governance

B) A framework for internal control

C) A regulation for corporate governance

D) A standard for auditing


Answer: A) A framework for IT governance


20. What is SOX?

A) A regulation for corporate governance

B) A framework for internal control

C) A framework for risk management

D) A standard for auditing


Answer: A) A regulation for corporate governance


21. What is FCPA?

A) A regulation for foreign corrupt practices

B) A framework for internal control

C) A framework for risk management

D) A standard for auditing


Answer: A) A regulation for foreign corrupt practices


Risk Management Concepts

22. What is risk tolerance?

A) The amount of risk an organization is willing to take

B) The amount of risk an organization can take

C) The amount of risk an organization should take

D) The amount of risk an organization must take


Answer: A) The amount of risk an organization is willing to take


23. What is risk appetite?

A) The amount of risk an organization is willing to take

B) The amount of risk an organization can take

C) The amount of risk an organization should take

D) The amount of risk an organization must take


Answer: A) The amount of risk an organization is willing to take


24. What is a risk map?

A) A tool for identifying and assessing risks

B) A tool for prioritizing risks

C) A tool for monitoring and reporting on risks

D) A tool for managing risks


Answer: A) A tool for identifying and assessing risks


25. What is a risk maturity model?

A) A model for assessing the maturity of an organization's risk management process

B) A model for identifying and assessing risks

C) A model for prioritizing risks

D) A model for monitoring and reporting on risks


Answer: A) A model for assessing the maturity of an organization's risk management process


Section B....

### Accounting Information Systems & Cycles

1. What is the primary function of an Accounting Information System (AIS)?

   a) Process data to provide information to users  

   b) Record financial transactions only  

   c) Manage payroll only  

   d) Prepare financial statements only  

   **Answer:** a  


2. Which document initiates the revenue cycle?  

   a) Sales order  

   b) Purchase order  

   c) Invoice  

   d) Bill of lading  

   **Answer:** a  


3. What document is primarily used to authorize shipments in the revenue cycle?  

   a) Bill of lading  

   b) Purchase order  

   c) Receiving report  

   d) Sales invoice  

   **Answer:** a  


4. Which document starts the purchase cycle?  

   a) Sales order  

   b) Purchase requisition  

   c) Receiving report  

   d) Vendor invoice  

   **Answer:** b  


5. In payroll cycle, what is the primary source document for recording hours worked by hourly employees?  

   a) Time cards  

   b) Pay stub  

   c) Employee contracts  

   d) Payroll register  

   **Answer:** a  


6. Which control is important in the payroll cycle to prevent fictitious employees?  

   a) Segregation of duties  

   b) Matching purchase orders  

   c) Invoice verification  

   d) Inventory count  

   **Answer:** a  


### Risk Concepts and Management

7. Who is the primary risk owner in risk management?  

   a) The individual responsible for managing the risk  

   b) The auditor  

   c) Internal control personnel  

   d) External consultants  

   **Answer:** a  


8. Which of the following is a deliverable of a risk management process?  

   a) Risk register  

   b) Financial statements  

   c) Payroll records  

   d) Audit invoices  

   **Answer:** a  


9. Risk appetite is best described as:  

   a) The amount of risk an organization is willing to accept  

   b) The actual level of risk faced  

   c) Risks identified in a risk assessment  

   d) Risks mitigated through controls  

   **Answer:** a  


10. Risk tolerance is defined as:  

    a) The acceptable level of variation around the risk appetite  

    b) The maximum loss possible  

    c) The number of risks an organization faces  

    d) Risks detected by audit  

    **Answer:** a  


11. What is a risk map used for?  

    a) Visual representation of risks by likelihood and impact  

    b) Listing controls  

    c) Identifying internal control weaknesses  

    d) Scheduling audits  

    **Answer:** a  


12. What does a heat map illustrate in risk management?  

    a) Severity of risks by color coding  

    b) Process flows  

    c) Audit findings  

    d) Employee responsibilities  

    **Answer:** a  


13. The risk maturity model assesses:  

    a) The level of development and effectiveness of risk management processes  

    b) Financial stability  

    c) Internal audit quality  

    d) IT system maturity  

    **Answer:** a  


### Types of Risks

14. Inherent risk is:  

    a) Risk before any controls are applied  

    b) Risk after controls are applied  

    c) Risk of controls failing  

    d) Risk undetected by auditors  

    **Answer:** a  


15. Control risk is:  

    a) Risk that controls will fail to prevent or detect a misstatement  

    b) Risk in the environment  

    c) Risk accepted by management  

    d) Auditor's risk  

    **Answer:** a  


16. Detection risk is:  

    a) Risk that audit procedures will not detect a material misstatement  

    b) Risk of fraud  

    c) Risk of operational loss  

    d) Risk of poor financial performance  

    **Answer:** a  


17. Residual risk is:  

    a) Risk remaining after controls are applied  

    b) Risk inherent to the process  

    c) Risk accepted by the board  

    d) Risk that is transferred  

    **Answer:** a  


### COSO and COBIT Frameworks

18. Which COSO component focuses on setting objectives and identifying risks?  

    a) Risk assessment  

    b) Control activities  

    c) Information and communication  

    d) Monitoring activities  

    **Answer:** a  


19. The role of COBIT in IT governance is to:  

    a) Provide a framework for IT management and governance  

    b) Conduct financial audits  

    c) Develop software  

    d) Manage human resources  

    **Answer:** a  


20. COSO’s five components include all except:  

    a) Risk assessment  

    b) Technology management  

    c) Control environment  

    d) Monitoring activities  

    **Answer:** b  


### Additional Questions on Cycles, Risk, and Controls

21. The primary goal of the revenue cycle is:  

    a) To deliver the right product at the right time to the right customer  

    b) To reduce purchase orders  

    c) To minimize payroll costs  

    d) To control financial reporting  

    **Answer:** a  


22. A purchase requisition is used to:  

    a) Request goods or services internally  

    b) Pay vendors  

    c) Ship products to customers  

    d) Record payroll  

    **Answer:** a  


23. Payroll register contains:  

    a) Details of employee wages and deductions  

    b) Purchase orders  

    c) Sales invoices  

    d) Inventory levels  

    **Answer:** a  


24. What is a key inherent limitation of any internal control system?  

    a) Human error and collusion  

    b) Technology failures only  

    c) Legislation compliance  

    d) Financial accounting standards  

    **Answer:** a  


25. Segregation of duties helps prevent:  

    a) Fraud and errors  

    b) Payroll processing  

    c) Risk appetite setting  

    d) COSO implementation  

    **Answer:** a  


26. Delivery documents in the purchase cycle include:  

    a) Receiving report  

    b) Sales invoice  

    c) Purchase order  

    d) Time card  

    **Answer:** a  


27. The term "control activities" in COSO refers to:  

    a) Policies and procedures that help ensure management directives are carried out  

    b) Financial statements  

    c) Risk transfer strategies  

    d) External audit reviews  

    **Answer:** a  


28. Which is an example of residual risk?  

    a) Risk remaining after implementation of anti-fraud controls  

    b) Risk that exists before controls are applied  

    c) Risk identified by the auditor only  

    d) Risk transferred through insurance  

    **Answer:** a  


29. A delivery note is used to:  

    a) Confirm goods received by the customer  

    b) Initiate purchase requisition  

    c) Record employee attendance  

    d) Authorize payment to vendors  

    **Answer:** a  


30. Which cycle includes activities involving hiring, payroll processing, and benefits administration?  

    a) Payroll cycle  

    b) Revenue cycle  

    c) Purchase cycle  

    d) Inventory cycle  

    **Answer:** a  


31. An example of operational risk is:  

    a) System failure causing business disruption  

    b) Stock market decline  

    c) Legal penalties  

    d) Currency exchange risk  

    **Answer:** a  


32. Risk appetite and risk tolerance are:  

    a) Related but risk tolerance is narrower than risk appetite  

    b) The same concept  

    c) Unrelated  

    d) Only relevant to auditors  

    **Answer:** a  


33. The main purpose of a risk heat map is to:  

    a) Prioritize risks for management focus  

    b) Document payroll transactions  

    c) Audit revenue transactions  

    d) Monitor purchase orders  

    **Answer:** a  


34. The COSO internal control framework was first released in:  

    a) 1992  

    b) 2001  

    c) 2013  

    d) 1985  

    **Answer:** a  


35. Which of the following is a component of the COSO ERM framework?  

    a) Governance and culture  

    b) Financial accounting  

    c) Human resources management  

    d) Supply chain management  

    **Answer:** a  


36. Directive controls focus on:  

    a) Encouraging desired behaviors within a process  

    b) Detecting errors after occurrence  

    c) Preventing entry of transactions  

    d) External audit controls  

    **Answer:** a  


37. Which of these is a preventive control?  

    a) Authorization requirements  

    b) Reconciliations  

    c) Audits  

    d) Reviews  

    **Answer:** a  


38. A detective control is designed to:  

    a) Identify errors or irregularities after they have occurred  

    b) Prevent fraud  

    c) Monitor employee performance  

    d) Manage IT security  

    **Answer:** a  


39. Who is responsible for defining risk appetite?  

    a) Board of directors or senior management  

    b) Internal auditors  

    c) Staff accountants  

    d) External auditors  

    **Answer:** a  


40. An example of a deliverable from a risk assessment process would be:  

    a) Risk register or risk report  

    b) Payroll summary  

    c) Purchase orders  

    d) Financial statements  

    **Answer:** a  


41. Which document controls the flow of goods coming into a company?  

    a) Receiving report  

    b) Sales invoice  

    c) Sales order  

    d) Purchase requisition  

    **Answer:** a  


42. The primary focus of COBIT is:  

    a) IT governance and management  

    b) Internal audit process  

    c) Payroll control  

    d) Inventory management  

    **Answer:** a  


43. The COSO control environment is best described as:  

    a) The foundation for all other components of internal control  

    b) A risk assessment procedure  

    c) An IT control framework  

    d) A compliance guideline  

    **Answer:** a  


44. Risk capacity refers to:  

    a) The maximum amount of risk an organization can bear  

    b) Risk detected by audit  

    c) External risk factors  

    d) Risk transferred to insurers  

    **Answer:** a  


45. Business continuity planning is a control designed to:  

    a) Ensure essential business operations during disruptions  

    b) Reduce payroll errors  

    c) Verify purchase orders  

    d) Manage financial reporting standards  

    **Answer:** a  


46. An example of financial risk is:  

    a) Credit risk from customer defaults  

    b) Employee fraud  

    c) IT system failures  

    d) Legal compliance risk  

    **Answer:** a  


47. Which of these is an example of a residual risk treatment?  

    a) Risk acceptance after controls are applied  

    b) Initial risk identification  

    c) Risk transfer prior to controls  

    d) Auditing the risk process  

    **Answer:** a  
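
A worked illustration of the ideas behind Q32, Q33, Q40, Q44 and Q47 above: a small risk register scored on likelihood and impact, bucketed into heat-map bands, and compared against a risk tolerance after controls are applied. This is an added example, not material from the original page or from any framework's official guidance; the register entries, the 1 to 5 scales, the band thresholds, the assumption that controls reduce likelihood only, and the tolerance value are all constructed for the illustration.

```python
"""Risk register scoring: inherent vs residual risk against a tolerance.

Added illustration; the register entries, the 1-5 scales, the heat-map
bands and the tolerance threshold are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    name: str
    category: str                    # operational, financial, compliance, ...
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0   # 0.0 = no control, 1.0 = fully mitigating


RISK_TOLERANCE = 9   # assumed: a residual score above this needs further treatment


def inherent_score(r: Risk) -> int:
    """Likelihood x impact before any control is applied (1..25)."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Score remaining after controls.

    Assumption for the example: controls reduce likelihood, impact is unchanged.
    """
    reduced_likelihood = r.likelihood * (1.0 - r.control_effectiveness)
    return round(reduced_likelihood * r.impact, 1)


def heat_band(score: float) -> str:
    """Bucket a 1..25 score into the colour band of a 5x5 heat map (assumed cut-offs)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def prioritise(register: List[Risk]) -> List[Tuple[str, float, str, str]]:
    """Return (name, residual, band, treatment) rows sorted worst-first.

    Treatment mirrors Q47: a residual score within tolerance is accepted,
    anything above it is flagged for further treatment.
    """
    rows = []
    for r in register:
        res = residual_score(r)
        treatment = "accept" if res <= RISK_TOLERANCE else "treat"
        rows.append((r.name, res, heat_band(res), treatment))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (names and scores are invented for the example).
SAMPLE_REGISTER = [
    Risk("ERP outage halts order entry", "operational", 4, 4, 0.5),
    Risk("Customer default on large receivable", "financial", 3, 5, 0.2),
    Risk("New data-privacy law missed", "compliance", 2, 4, 0.0),
    Risk("Currency swing on EUR contracts", "financial", 3, 2, 0.75),
]

if __name__ == "__main__":
    for name, res, band, treatment in prioritise(SAMPLE_REGISTER):
        print(f"{band:5} {res:5} {treatment:6} {name}")
```

The sorted output is the heat map in list form: the customer-default risk keeps a residual score of 12 despite its control and is the one item flagged for treatment, while the ERP outage, whose inherent score of 16 is higher, drops to 8 once its control is credited and is accepted. That gap between inherent and residual ranking is the point of scoring both.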


48. What type of risk is most affected by changes in legislation?  

    a) Compliance risk  

    b) Operational risk  

    c) Strategic risk  

    d) Market risk  

    **Answer:** a  


49. The risk management process includes all except:  

    a) Auditing financial statements  

    b) Risk identification  

    c) Risk assessment  

    d) Risk monitoring  

    **Answer:** a  


50. A key characteristic of internal control is that it provides:  

    a) Reasonable, not absolute, assurance  

    b) Absolute assurance of risk elimination  

    c) Financial profitability  

    d) Continuous monitoring without gaps  

    **Answer:** a  


Section C....


📘 1–10: Accounting Information Systems Basics


1. Which of the following best describes an Accounting Information System (AIS)?

A. A system for recording only financial transactions

B. A system combining people, procedures, data, and IT to process accounting information

C. A manual system used for bookkeeping only

D. A software used for payroll

✅ Answer: B

➡️ AIS integrates people, procedures, and technology to collect and process accounting data.



---


2. The main output of an AIS is:

A. Financial statements and management reports

B. Data entry forms

C. Audit evidence only

D. Purchase orders only

✅ Answer: A

➡️ AIS produces reports to support decision-making.



---


3. The three major subsystems of AIS are:

A. Input, Process, Output

B. Transaction Processing, General Ledger/Reporting, and Management Reporting

C. Sales, Purchase, and Payroll

D. Hardware, Software, and People

✅ Answer: B

➡️ These subsystems capture, process, and report accounting data.



---


4. Which of the following is not a function of AIS?

A. Data collection

B. Data processing

C. Data destruction

D. Information output

✅ Answer: C



---


5. AIS supports internal control by:

A. Promoting segregation of duties

B. Encouraging data duplication

C. Allowing unauthorized access

D. Avoiding audit trails

✅ Answer: A



---


6. The primary objective of an AIS is to:

A. Reduce labor cost

B. Provide accurate and timely information

C. Store large volumes of data

D. Eliminate human errors completely

✅ Answer: B



---


7. Which document is used to record customer orders in AIS?

A. Invoice

B. Sales order

C. Purchase requisition

D. Goods receipt note

✅ Answer: B



---


8. The audit trail in AIS helps auditors:

A. Modify transactions

B. Trace transactions from source to output

C. Delete old records

D. Create new transactions

✅ Answer: B



---


9. Which of the following systems updates records immediately after each transaction?

A. Batch processing system

B. Real-time processing system

C. Periodic system

D. Sequential processing

✅ Answer: B



---


10. In a transaction processing system (TPS), the first step is:

A. Storing data

B. Processing data

C. Capturing data

D. Generating output

✅ Answer: C



---


🧾 11–20: Sales, Purchase, and Payroll Cycles


11. The first document prepared in the sales cycle is:

A. Invoice

B. Customer order

C. Bill of lading

D. Shipping notice

✅ Answer: B



---


12. The last step in the sales cycle is:

A. Shipment

B. Billing

C. Cash collection

D. Order entry

✅ Answer: C



---


13. In the purchase cycle, the process begins with:

A. Purchase order

B. Purchase requisition

C. Receiving report

D. Invoice

✅ Answer: B



---


14. In the payroll cycle, which document authorizes the payroll process?

A. Payroll register

B. Time card

C. Personnel action form

D. Paycheck

✅ Answer: C



---


15. Which document is used to verify goods received in the purchase cycle?

A. Goods receipt note (GRN)

B. Purchase order

C. Invoice

D. Material requisition

✅ Answer: A



---


16. The sales invoice is prepared based on:

A. Purchase order

B. Shipping document

C. Credit memo

D. Journal voucher

✅ Answer: B



---


17. Payroll cycle ends with:

A. Employee hiring

B. Distribution of paychecks

C. Recording journal entry

D. Time recording

✅ Answer: B



---


18. The primary control in payroll is:

A. Budgetary control

B. Authorization of employee records and pay rates

C. Verification of sales orders

D. Supplier reconciliation

✅ Answer: B



---


19. Which document triggers a payment to the supplier?

A. Invoice

B. Purchase order

C. Receiving report

D. Voucher package

✅ Answer: D



---


20. The voucher package consists of:

A. Purchase order, receiving report, supplier invoice

B. Purchase requisition, time card, payroll register

C. Sales order, invoice, receipt

D. Invoice, GRN, delivery challan

✅ Answer: A



---


💻 21–30: Documentation & Flowcharts


21. A data flow diagram (DFD) shows:

A. How data moves through a system

B. Physical movement of documents

C. Organizational hierarchy

D. Control flow in programming

✅ Answer: A



---


22. A system flowchart represents:

A. The sequence of program instructions

B. The physical and logical flow of data in AIS

C. Payroll cycle only

D. Accounting records only

✅ Answer: B



---


23. Document flowcharts focus on:

A. System controls

B. Movement of paper documents through departments

C. Data processing steps

D. Software code

✅ Answer: B



---


24. A control flowchart highlights:

A. Input/output devices

B. Control points within a system

C. Storage locations

D. Network architecture

✅ Answer: B



---


25. In a DFD, the symbol for a process is:

A. Rectangle

B. Circle or bubble

C. Arrow

D. Open-ended rectangle

✅ Answer: B



---


26. In a system flowchart, an arrow represents:

A. Flow of data or control

B. A process step

C. A decision

D. A document

✅ Answer: A



---


27. The triangle symbol in flowcharts often denotes:

A. Offline storage (a file)

B. Decision

C. Process

D. Data input

✅ Answer: A



---


28. Which type of documentation best helps identify control weaknesses?

A. System flowchart

B. Data flow diagram

C. Program code

D. Organization chart

✅ Answer: A



---


29. DFD level 0 represents:

A. Context diagram

B. High-level system overview

C. Detailed process map

D. Flow of documents only

✅ Answer: B



---


30. The context diagram in DFD shows:

A. Internal system only

B. System boundaries and external entities

C. File storage

D. Decision logic

✅ Answer: B



---


⚙️ 31–40: Controls (Input, Process, Output, Application, General)


31. Input controls ensure:

A. Data is authorized, accurate, and complete before processing

B. Processing accuracy only

C. Data storage efficiency

D. System recovery after crash

✅ Answer: A



---


32. An example of an input control is:

A. Hash total

B. Exception report

C. Check digit verification

D. Both A and C

✅ Answer: D



---


33. Processing controls ensure:

A. Transactions are not lost or duplicated

B. Only valid data entered

C. Output is distributed correctly

D. Input data are accurate

✅ Answer: A



---


34. A run-to-run total is an example of:

A. Input control

B. Process control

C. Output control

D. Application control

✅ Answer: B



---


35. Output controls focus on:

A. Validity of printed or displayed information

B. Preventing unauthorized access to data

C. Backup and recovery

D. Input validation

✅ Answer: A



---


36. Application controls include:

A. Input, process, and output controls

B. Network and system software controls

C. Firewall and antivirus

D. Backup power supply

✅ Answer: A



---


37. General controls cover:

A. Overall IT environment controls

B. Specific application procedures

C. Payroll cycle only

D. Document authorization

✅ Answer: A



---


38. Examples of general controls include:

A. Password policies and access controls

B. Input edit checks

C. Output reconciliations

D. Batch totals

✅ Answer: A



---


39. A check digit is used to:

A. Verify data accuracy during input

B. Control report output

C. Record process flow

D. Validate document authorization

✅ Answer: A



---


40. Limit and range checks are types of:

A. Input validation controls

B. Process controls

C. Output controls

D. General controls

✅ Answer: A
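
The input edit checks named in Q31, Q32, Q39 and Q40 (field, range, limit, validity and check-digit checks) applied to one constructed order record, as an added example that is not code from the original page. The record layout, the limits, the allowed payment-terms codes and the choice of the Luhn mod-10 scheme for the customer-number check digit are assumptions for the illustration; an AIS may use a different check-digit formula.

```python
"""Input edit checks on a constructed order record (added example).

The record layout, the Luhn mod-10 check digit on the customer number,
the limits and the allowed terms codes are assumptions for illustration.
"""
from typing import Dict, List

MAX_QUANTITY = 1_000             # assumed range check: 1..1000 units per line
MAX_AMOUNT = 50_000.00           # assumed limit check: per-order ceiling
VALID_TERMS = {"NET30", "NET60", "COD"}   # assumed validity-check list


def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    # Walk right to left; double every other digit starting with the rightmost body digit.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def validate_order(rec: Dict[str, str]) -> List[str]:
    """Apply the edit checks; return rejection reasons (empty list = accept)."""
    errors: List[str] = []

    # Field check: quantity must be numeric.
    if not rec.get("quantity", "").isdigit():
        errors.append("quantity: not numeric")
    else:
        qty = int(rec["quantity"])
        # Range check: the value must lie between a lower and an upper bound.
        if not 1 <= qty <= MAX_QUANTITY:
            errors.append(f"quantity: {qty} outside 1..{MAX_QUANTITY}")

    # Field check: amount must be numeric.
    try:
        amount = float(rec.get("amount", ""))
    except ValueError:
        errors.append("amount: not numeric")
    else:
        # Limit check: the value must not exceed a ceiling.
        if amount > MAX_AMOUNT:
            errors.append(f"amount: {amount:.2f} exceeds limit {MAX_AMOUNT:.2f}")
        # Sign check.
        if amount < 0:
            errors.append("amount: negative")

    # Validity check against the list of allowed codes.
    if rec.get("terms") not in VALID_TERMS:
        errors.append(f"terms: {rec.get('terms')!r} not an allowed code")

    # Check digit: catches a mistyped or transposed customer number.
    if not luhn_valid(rec.get("customer_no", "")):
        errors.append("customer_no: check digit failure")

    return errors


# Constructed records: one clean, one with two transposed digits in the
# customer number, a zero quantity, an over-limit amount and an unknown terms code.
GOOD_ORDER = {"customer_no": "79927398713", "quantity": "25",
              "amount": "1250.00", "terms": "NET30"}
BAD_ORDER = {"customer_no": "79927398173", "quantity": "0",
             "amount": "75000.00", "terms": "NET45"}

if __name__ == "__main__":
    print("good:", validate_order(GOOD_ORDER))
    print("bad: ", validate_order(BAD_ORDER))
```

The bad record is rejected on four separate checks, and the check digit catches the transposition of the last two digits of the customer number even though every digit in it is individually valid, which is exactly the class of keying error a check digit exists for (the Luhn scheme misses only a 09/90 transposition).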



---


๐Ÿ” 41–50: System Security & Transaction Processing


41. The main purpose of transaction processing systems (TPS) is:

A. Decision making

B. Recording routine business transactions

C. Data mining

D. Forecasting

✅ Answer: B



---


42. In batch processing, transactions are:

A. Processed immediately

B. Collected and processed together later

C. Deleted after entry

D. Verified manually

✅ Answer: B



---


43. Real-time processing is most suitable for:

A. Payroll

B. Sales order entry

C. Month-end reports

D. Annual budgets

✅ Answer: B



---


44. Audit trail is an example of:

A. Detective control

B. Preventive control

C. Corrective control

D. Process control

✅ Answer: A



---


45. Backup procedures are part of:

A. Output control

B. General control

C. Application control

D. Input control

✅ Answer: B



---


46. Encryption in AIS is primarily a:

A. Physical control

B. Logical access control

C. Input control

D. Output control

✅ Answer: B



---


47. Exception reports are generated to:

A. Highlight unusual transactions

B. Show all transactions

C. Summarize payroll

D. Display all invoices

✅ Answer: A



---


48. Segregation of duties is an example of:

A. Preventive control

B. Detective control

C. Corrective control

D. Manual control only

✅ Answer: A
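
Segregation of duties, as in Q5 and Q48, is usually enforced through the access-control rules that Q38 classes as general controls. The following added example, which is not code from the original page, flattens each user's roles into the duties they can actually perform and flags any user who holds both halves of a conflicting pair. The role names, the conflict pairs and the user assignments are constructed for the illustration; a real check reads them from the ERP's role export and the company's own SoD matrix.

```python
"""Segregation-of-duties check over constructed user/role assignments (added example).

Role names, conflict pairs and assignments are assumptions for the illustration.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of duties that must not sit with one person: authorisation, custody
# and recording of the same transaction are kept apart.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"enter_sales_order", "approve_credit_memo"}),
    frozenset({"maintain_pay_rates", "run_payroll"}),
}

# Role -> duties granted by that role (assumed).
ROLE_DUTIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "VENDOR_MASTER": {"create_vendor"},
    "HR_ADMIN": {"maintain_pay_rates"},
    "PAYROLL_RUNNER": {"run_payroll"},
    "SALES_ENTRY": {"enter_sales_order"},
}

# User -> roles held (assumed export from the access-control system).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "VENDOR_MASTER"},      # can create a vendor and then pay it
    "carol": {"HR_ADMIN", "PAYROLL_RUNNER"},     # can change a pay rate and run payroll
    "dave": {"SALES_ENTRY"},
}


def effective_duties(user: str) -> Set[str]:
    """Flatten a user's roles into the duties they can actually perform."""
    duties: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_violations(user: str) -> List[Tuple[str, str]]:
    """Conflict pairs fully contained in one user's effective duties."""
    held = effective_duties(user)
    found = [tuple(sorted(pair)) for pair in CONFLICTS if pair <= held]
    return sorted(found)


def report() -> Dict[str, List[Tuple[str, str]]]:
    """Users with at least one violation; a clean environment returns an empty dict."""
    return {u: v for u in USER_ROLES if (v := sod_violations(u))}


if __name__ == "__main__":
    for user, pairs in report().items():
        print(user, pairs)
```

The conflict is evaluated on effective duties rather than on role names, because a toxic combination is often created by two individually harmless roles. Where a small team cannot split the duties, a compensating control, such as independent review of vendor-master changes or of the payroll register, is the usual fallback, and this kind of report tells you where that review is needed.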



---


49. Hash totals help in detecting:

A. Omitted or duplicate transactions

B. Fraudulent journal entries

C. Unauthorized reports

D. Access violations

✅ Answer: A
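
Batch control totals in action, covering the hash total of Q32 and Q49 and the run-to-run total of Q34, as an added example that is not code from the original page. The cash-receipt batch, the faulty processing outcomes and the record layout are constructed for the illustration. Three totals are taken when the batch is keyed in and recomputed after processing: a record count, a financial total of the amounts, and a hash total, which is the sum of a field (here the customer number) that has no business meaning as a sum but changes whenever a record is dropped, duplicated or posted to the wrong account.

```python
"""Batch control totals over a constructed batch of cash receipts (added example).

Record count, financial total and hash total are computed at data entry and
recomputed after processing; any difference reveals a dropped, duplicated or
mis-keyed record. The run-to-run check carries a run's output total forward
as the next run's expected input total.
"""
from typing import List, NamedTuple


class Receipt(NamedTuple):
    customer_no: int
    amount: float


class ControlTotals(NamedTuple):
    record_count: int
    financial_total: float
    hash_total: int


def compute_totals(batch: List[Receipt]) -> ControlTotals:
    """The figures written on the batch header at entry (or by the entry program)."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=round(sum(r.amount for r in batch), 2),
        hash_total=sum(r.customer_no for r in batch),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals) -> List[str]:
    """Compare header totals with totals recomputed after processing."""
    findings: List[str] = []
    if actual.record_count != expected.record_count:
        findings.append(f"record count {actual.record_count} != {expected.record_count}")
    if abs(actual.financial_total - expected.financial_total) > 0.005:
        findings.append(f"financial total {actual.financial_total} != {expected.financial_total}")
    if actual.hash_total != expected.hash_total:
        findings.append(f"hash total {actual.hash_total} != {expected.hash_total}")
    return findings


def run_to_run_check(prior_output_total: float, this_input_total: float) -> bool:
    """Run-to-run total: what run N wrote out must equal what run N+1 reads in."""
    return abs(prior_output_total - this_input_total) <= 0.005


def audit_batch(entered: List[Receipt], processed: List[Receipt]) -> List[str]:
    """Findings for one batch; an empty list means all three totals agree."""
    return reconcile(compute_totals(entered), compute_totals(processed))


# Constructed batch as keyed in.
ENTERED = [Receipt(10234, 500.00), Receipt(10877, 1250.50),
           Receipt(10234, 75.25), Receipt(11901, 300.00)]

# After a faulty run: the second record was written twice and the fourth was lost,
# so the record count still agrees but the money and hash totals do not.
PROCESSED_DUP_AND_DROP = [Receipt(10234, 500.00), Receipt(10877, 1250.50),
                          Receipt(10877, 1250.50), Receipt(10234, 75.25)]

# After another faulty run: 300.00 was posted to customer 11910 instead of 11901.
# Count and financial total both agree; only the hash total catches it.
PROCESSED_WRONG_CUSTOMER = [Receipt(10234, 500.00), Receipt(10877, 1250.50),
                            Receipt(10234, 75.25), Receipt(11910, 300.00)]

if __name__ == "__main__":
    print("entered totals:", compute_totals(ENTERED))
    print("dup+drop:      ", audit_batch(ENTERED, PROCESSED_DUP_AND_DROP))
    print("wrong customer:", audit_batch(ENTERED, PROCESSED_WRONG_CUSTOMER))
    print("run-to-run ok: ", run_to_run_check(compute_totals(ENTERED).financial_total, 2125.75))
```

The two faulty runs show why all three totals are kept: a duplicate paired with a dropped record leaves the record count intact, and a receipt posted to the wrong customer leaves both the count and the financial total intact, so only the hash total exposes it. None of these totals identifies which record is wrong; they are detective controls that tell you the batch must be re-examined.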



---


50. Disaster recovery plans (DRP) are designed to:

A. Ensure system recovery after major failures

B. Improve process speed

C. Eliminate user errors

D. Train new employees

✅ Answer: A



www.gmsisuccess.in