
Friday, November 7, 2025

125 MCQ Questions with Answers on Internal Control Systems, Governance, and Risk Assessment



Internal Control and Risk Management

1. What is the primary objective of internal control?

A) To ensure profitability

B) To ensure compliance with laws and regulations

C) To provide reasonable assurance of achieving organizational objectives

D) To detect and prevent fraud


Answer: C) To provide reasonable assurance of achieving organizational objectives


2. Which of the following is a type of internal control?

A) Detective control

B) Preventive control

C) Corrective control

D) All of the above


Answer: D) All of the above


3. What are the components of internal control?

A) Control environment, risk assessment, control activities, information and communication, monitoring

B) Control environment, risk assessment, control activities, information and communication

C) Control environment, risk assessment, control activities, monitoring

D) Control environment, risk assessment, information and communication, monitoring


Answer: A) Control environment, risk assessment, control activities, information and communication, monitoring


Types of Internal Control and Components

4. What is the purpose of a control environment?

A) To identify and assess risks

B) To design and implement control activities

C) To establish a culture of control and ethics

D) To monitor and report on internal control


Answer: C) To establish a culture of control and ethics


5. What is a risk owner?

A) The person responsible for identifying and assessing risks

B) The person responsible for implementing control activities

C) The person responsible for monitoring and reporting on internal control

D) The person responsible for accepting and managing risks


Answer: D) The person responsible for accepting and managing risks


Internal Control Activation and Function

6. What is the first step in activating internal control?

A) Identifying and assessing risks

B) Designing and implementing control activities

C) Establishing a control environment

D) Monitoring and reporting on internal control


Answer: C) Establishing a control environment


7. What is the function of control?

A) To prevent errors and irregularities

B) To detect errors and irregularities

C) To correct errors and irregularities

D) All of the above


Answer: D) All of the above


Efficient Operation of Internal Control

8. When is internal control considered to be efficiently operating?

A) When it provides reasonable assurance of achieving organizational objectives

B) When it detects and prevents all errors and irregularities

C) When it is designed and implemented effectively

D) When it is monitored and reported on regularly


Answer: A) When it provides reasonable assurance of achieving organizational objectives


Inherent Limitations of Internal Control

9. What is an inherent limitation of internal control?

A) Human error

B) Collusion

C) Management override

D) All of the above


Answer: D) All of the above


Types of Control and Risk Management

10. What is application control?

A) Control over the development and implementation of applications

B) Control over the processing of transactions

C) Control over the storage and retrieval of data

D) Control over the security of applications


Answer: A) Control over the development and implementation of applications


11. What is input control?

A) Control over the input of data into a system

B) Control over the processing of transactions

C) Control over the output of data from a system

D) Control over the storage and retrieval of data


Answer: A) Control over the input of data into a system


12. What is process control?

A) Control over the processing of transactions

B) Control over the input of data into a system

C) Control over the output of data from a system

D) Control over the storage and retrieval of data


Answer: A) Control over the processing of transactions


13. What is general control?

A) Control over the overall IT environment

B) Control over specific applications

C) Control over the development and implementation of applications

D) Control over the security of applications


Answer: A) Control over the overall IT environment


Design and Responsibility

14. Who designs control?

A) Management

B) Internal audit

C) External audit

D) Risk management


Answer: A) Management


15. Who is responsible for risk management?

A) Board of directors

B) Management

C) Risk management department

D) Internal audit


Answer: A) Board of directors


Duties and Responsibilities

16. What is the duty of the board of directors?

A) To oversee the internal control system

B) To design and implement control activities

C) To monitor and report on internal control

D) To manage risk


Answer: A) To oversee the internal control system


17. What is the responsibility of the audit committee?

A) To oversee the internal audit function

B) To design and implement control activities

C) To monitor and report on internal control

D) To manage risk


Answer: A) To oversee the internal audit function


Frameworks and Regulations

18. What is COSO?

A) A framework for internal control

B) A framework for risk management

C) A regulation for corporate governance

D) A standard for auditing


Answer: A) A framework for internal control


19. What is COBIT?

A) A framework for IT governance

B) A framework for internal control

C) A regulation for corporate governance

D) A standard for auditing


Answer: A) A framework for IT governance


20. What is SOX?

A) A regulation for corporate governance

B) A framework for internal control

C) A framework for risk management

D) A standard for auditing


Answer: A) A regulation for corporate governance


21. What is FCPA?

A) A regulation for foreign corrupt practices

B) A framework for internal control

C) A framework for risk management

D) A standard for auditing


Answer: A) A regulation for foreign corrupt practices


Risk Management Concepts

22. What is risk tolerance?

A) The amount of risk an organization is willing to take

B) The amount of risk an organization can take

C) The amount of risk an organization should take

D) The amount of risk an organization must take


Answer: A) The amount of risk an organization is willing to take


23. What is risk appetite?

A) The amount of risk an organization is willing to take

B) The amount of risk an organization can take

C) The amount of risk an organization should take

D) The amount of risk an organization must take


Answer: A) The amount of risk an organization is willing to take


24. What is a risk map?

A) A tool for identifying and assessing risks

B) A tool for prioritizing risks

C) A tool for monitoring and reporting on risks

D) A tool for managing risks


Answer: A) A tool for identifying and assessing risks


25. What is a risk maturity model?

A) A model for assessing the maturity of an organization's risk management process

B) A model for identifying and assessing risks

C) A model for prioritizing risks

D) A model for monitoring and reporting on risks


Answer: A) A model for assessing the maturity of an organization's risk management process


Section B....

### Accounting Information Systems & Cycles

1. What is the primary function of an Accounting Information System (AIS)?

   a) Process data to provide information to users  

   b) Record financial transactions only  

   c) Manage payroll only  

   d) Prepare financial statements only  

   **Answer:** a  


2. Which document initiates the revenue cycle?  

   a) Sales order  

   b) Purchase order  

   c) Invoice  

   d) Bill of lading  

   **Answer:** a  


3. What document is primarily used to authorize shipments in the revenue cycle?  

   a) Bill of lading  

   b) Purchase order  

   c) Receiving report  

   d) Sales invoice  

   **Answer:** a  


4. Which document starts the purchase cycle?  

   a) Sales order  

   b) Purchase requisition  

   c) Receiving report  

   d) Vendor invoice  

   **Answer:** b  


5. In the payroll cycle, what is the primary source document for recording hours worked by hourly employees?  

   a) Time cards  

   b) Pay stub  

   c) Employee contracts  

   d) Payroll register  

   **Answer:** a  


6. Which control is important in the payroll cycle to prevent fictitious employees?  

   a) Segregation of duties  

   b) Matching purchase orders  

   c) Invoice verification  

   d) Inventory count  

   **Answer:** a  


### Risk Concepts and Management

7. Who is the primary risk owner in risk management?  

   a) The individual responsible for managing the risk  

   b) The auditor  

   c) Internal control personnel  

   d) External consultants  

   **Answer:** a  


8. Which of the following is a deliverable of a risk management process?  

   a) Risk register  

   b) Financial statements  

   c) Payroll records  

   d) Audit invoices  

   **Answer:** a  


9. Risk appetite is best described as:  

   a) The amount of risk an organization is willing to accept  

   b) The actual level of risk faced  

   c) Risks identified in a risk assessment  

   d) Risks mitigated through controls  

   **Answer:** a  


10. Risk tolerance is defined as:  

    a) The acceptable level of variation around the risk appetite  

    b) The maximum loss possible  

    c) The number of risks an organization faces  

    d) Risks detected by audit  

    **Answer:** a  


11. What is a risk map used for?  

    a) Visual representation of risks by likelihood and impact  

    b) Listing controls  

    c) Identifying internal control weaknesses  

    d) Scheduling audits  

    **Answer:** a  


12. What does a heat map illustrate in risk management?  

    a) Severity of risks by color coding  

    b) Process flows  

    c) Audit findings  

    d) Employee responsibilities  

    **Answer:** a  


13. The risk maturity model assesses:  

    a) The level of development and effectiveness of risk management processes  

    b) Financial stability  

    c) Internal audit quality  

    d) IT system maturity  

    **Answer:** a  


### Types of Risks

14. Inherent risk is:  

    a) Risk before any controls are applied  

    b) Risk after controls are applied  

    c) Risk of controls failing  

    d) Risk undetected by auditors  

    **Answer:** a  


15. Control risk is:  

    a) Risk that controls will fail to prevent or detect a misstatement  

    b) Risk in the environment  

    c) Risk accepted by management  

    d) Auditor's risk  

    **Answer:** a  


16. Detection risk is:  

    a) Risk that audit procedures will not detect a material misstatement  

    b) Risk of fraud  

    c) Risk of operational loss  

    d) Risk of poor financial performance  

    **Answer:** a  


17. Residual risk is:  

    a) Risk remaining after controls are applied  

    b) Risk inherent to the process  

    c) Risk accepted by the board  

    d) Risk that is transferred  

    **Answer:** a  


### COSO and COBIT Frameworks

18. Which COSO component focuses on setting objectives and identifying risks?  

    a) Risk assessment  

    b) Control activities  

    c) Information and communication  

    d) Monitoring activities  

    **Answer:** a  


19. The role of COBIT in IT governance is to:  

    a) Provide a framework for IT management and governance  

    b) Conduct financial audits  

    c) Develop software  

    d) Manage human resources  

    **Answer:** a  


20. COSO’s five components include all except:  

    a) Risk assessment  

    b) Technology management  

    c) Control environment  

    d) Monitoring activities  

    **Answer:** b  


### Additional Questions on Cycles, Risk, and Controls

21. The primary goal of the revenue cycle is:  

    a) To deliver the right product at the right time to the right customer  

    b) To reduce purchase orders  

    c) To minimize payroll costs  

    d) To control financial reporting  

    **Answer:** a  


22. A purchase requisition is used to:  

    a) Request goods or services internally  

    b) Pay vendors  

    c) Ship products to customers  

    d) Record payroll  

    **Answer:** a  


23. A payroll register contains:  

    a) Details of employee wages and deductions  

    b) Purchase orders  

    c) Sales invoices  

    d) Inventory levels  

    **Answer:** a  


24. What is a key inherent limitation of any internal control system?  

    a) Human error and collusion  

    b) Technology failures only  

    c) Legislation compliance  

    d) Financial accounting standards  

    **Answer:** a  


25. Segregation of duties helps prevent:  

    a) Fraud and errors  

    b) Payroll processing  

    c) Risk appetite setting  

    d) COSO implementation  

    **Answer:** a  


26. Delivery documents in the purchase cycle include:  

    a) Receiving report  

    b) Sales invoice  

    c) Purchase order  

    d) Time card  

    **Answer:** a  


27. The term "control activities" in COSO refers to:  

    a) Policies and procedures that help ensure management directives are carried out  

    b) Financial statements  

    c) Risk transfer strategies  

    d) External audit reviews  

    **Answer:** a  


28. Which is an example of residual risk?  

    a) Risk remaining after implementation of anti-fraud controls  

    b) Risk that exists before controls are applied  

    c) Risk identified by the auditor only  

    d) Risk transferred through insurance  

    **Answer:** a  


29. A delivery note is used to:  

    a) Confirm goods received by the customer  

    b) Initiate purchase requisition  

    c) Record employee attendance  

    d) Authorize payment to vendors  

    **Answer:** a  


30. Which cycle includes activities involving hiring, payroll processing, and benefits administration?  

    a) Payroll cycle  

    b) Revenue cycle  

    c) Purchase cycle  

    d) Inventory cycle  

    **Answer:** a  


31. An example of operational risk is:  

    a) System failure causing business disruption  

    b) Stock market decline  

    c) Legal penalties  

    d) Currency exchange risk  

    **Answer:** a  


32. Risk appetite and risk tolerance are:  

    a) Related but risk tolerance is narrower than risk appetite  

    b) The same concept  

    c) Unrelated  

    d) Only relevant to auditors  

    **Answer:** a  


33. The main purpose of a risk heat map is to:  

    a) Prioritize risks for management focus  

    b) Document payroll transactions  

    c) Audit revenue transactions  

    d) Monitor purchase orders  

    **Answer:** a  


34. The COSO internal control framework was first released in:  

    a) 1992  

    b) 2001  

    c) 2013  

    d) 1985  

    **Answer:** a  


35. Which of the following is a component of the COSO ERM framework?  

    a) Governance and culture  

    b) Financial accounting  

    c) Human resources management  

    d) Supply chain management  

    **Answer:** a  


36. Directive controls focus on:  

    a) Encouraging desired behaviors within a process  

    b) Detecting errors after occurrence  

    c) Preventing entry of transactions  

    d) External audit controls  

    **Answer:** a  


37. Which of these is a preventive control?  

    a) Authorization requirements  

    b) Reconciliations  

    c) Audits  

    d) Reviews  

    **Answer:** a  


38. A detective control is designed to:  

    a) Identify errors or irregularities after they have occurred  

    b) Prevent fraud  

    c) Monitor employee performance  

    d) Manage IT security  

    **Answer:** a  


39. Who is responsible for defining risk appetite?  

    a) Board of directors or senior management  

    b) Internal auditors  

    c) Staff accountants  

    d) External auditors  

    **Answer:** a  


40. An example of a deliverable from a risk assessment process would be:  

    a) Risk register or risk report  

    b) Payroll summary  

    c) Purchase orders  

    d) Financial statements  

    **Answer:** a  


41. Which document controls the flow of goods coming into a company?  

    a) Receiving report  

    b) Sales invoice  

    c) Sales order  

    d) Purchase requisition  

    **Answer:** a  


42. The primary focus of COBIT is:  

    a) IT governance and management  

    b) Internal audit process  

    c) Payroll control  

    d) Inventory management  

    **Answer:** a  


43. The COSO control environment is best described as:  

    a) The foundation for all other components of internal control  

    b) A risk assessment procedure  

    c) An IT control framework  

    d) A compliance guideline  

    **Answer:** a  


44. Risk capacity refers to:  

    a) The maximum amount of risk an organization can bear  

    b) Risk detected by audit  

    c) External risk factors  

    d) Risk transferred to insurers  

    **Answer:** a  


45. Business continuity planning is a control designed to:  

    a) Ensure essential business operations during disruptions  

    b) Reduce payroll errors  

    c) Verify purchase orders  

    d) Manage financial reporting standards  

    **Answer:** a  


46. An example of financial risk is:  

    a) Credit risk from customer defaults  

    b) Employee fraud  

    c) IT system failures  

    d) Legal compliance risk  

    **Answer:** a  


47. Which of these is an example of a residual risk treatment?  

    a) Risk acceptance after controls are applied  

    b) Initial risk identification  

    c) Risk transfer prior to controls  

    d) Auditing the risk process  

    **Answer:** a  


48. What type of risk is most affected by changes in legislation?  

    a) Compliance risk  

    b) Operational risk  

    c) Strategic risk  

    d) Market risk  

    **Answer:** a  


49. The risk management process includes all except:  

    a) Auditing financial statements  

    b) Risk identification  

    c) Risk assessment  

    d) Risk monitoring  

    **Answer:** a  


50. A key characteristic of internal control is that it provides:  

    a) Reasonable, not absolute, assurance  

    b) Absolute assurance of risk elimination  

    c) Financial profitability  

    d) Continuous monitoring without gaps  

    **Answer:** a  


Section C....


📘 1–10: Accounting Information Systems Basics


1. Which of the following best describes an Accounting Information System (AIS)?

A. A system for recording only financial transactions

B. A system combining people, procedures, data, and IT to process accounting information

C. A manual system used for bookkeeping only

D. A software used for payroll

✅ Answer: B

➡️ AIS integrates people, procedures, and technology to collect and process accounting data.



---


2. The main output of an AIS is:

A. Financial statements and management reports

B. Data entry forms

C. Audit evidence only

D. Purchase orders only

✅ Answer: A

➡️ AIS produces reports to support decision-making.



---


3. The three major subsystems of AIS are:

A. Input, Process, Output

B. Transaction Processing, General Ledger/Reporting, and Management Reporting

C. Sales, Purchase, and Payroll

D. Hardware, Software, and People

✅ Answer: B

➡️ These subsystems capture, process, and report accounting data.



---


4. Which of the following is not a function of AIS?

A. Data collection

B. Data processing

C. Data destruction

D. Information output

✅ Answer: C



---


5. AIS supports internal control by:

A. Promoting segregation of duties

B. Encouraging data duplication

C. Allowing unauthorized access

D. Avoiding audit trails

✅ Answer: A



---


6. The primary objective of an AIS is to:

A. Reduce labor cost

B. Provide accurate and timely information

C. Store large volumes of data

D. Eliminate human errors completely

✅ Answer: B



---


7. Which document is used to record customer orders in AIS?

A. Invoice

B. Sales order

C. Purchase requisition

D. Goods receipt note

✅ Answer: B



---


8. The audit trail in AIS helps auditors:

A. Modify transactions

B. Trace transactions from source to output

C. Delete old records

D. Create new transactions

✅ Answer: B



---


9. Which of the following systems updates records immediately after each transaction?

A. Batch processing system

B. Real-time processing system

C. Periodic system

D. Sequential processing

✅ Answer: B



---


10. In a transaction processing system (TPS), the first step is:

A. Storing data

B. Processing data

C. Capturing data

D. Generating output

✅ Answer: C



---


🧾 11–20: Sales, Purchase, and Payroll Cycles


11. The first document prepared in the sales cycle is:

A. Invoice

B. Customer order

C. Bill of lading

D. Shipping notice

✅ Answer: B



---


12. The last step in the sales cycle is:

A. Shipment

B. Billing

C. Cash collection

D. Order entry

✅ Answer: C



---


13. In the purchase cycle, the process begins with:

A. Purchase order

B. Purchase requisition

C. Receiving report

D. Invoice

✅ Answer: B



---


14. In the payroll cycle, which document authorizes the payroll process?

A. Payroll register

B. Time card

C. Personnel action form

D. Paycheck

✅ Answer: C



---


15. Which document is used to verify goods received in the purchase cycle?

A. Goods receipt note (GRN)

B. Purchase order

C. Invoice

D. Material requisition

✅ Answer: A



---


16. The sales invoice is prepared based on:

A. Purchase order

B. Shipping document

C. Credit memo

D. Journal voucher

✅ Answer: B



---


17. The payroll cycle ends with:

A. Employee hiring

B. Distribution of paychecks

C. Recording journal entry

D. Time recording

✅ Answer: B



---


18. The primary control in payroll is:

A. Budgetary control

B. Authorization of employee records and pay rates

C. Verification of sales orders

D. Supplier reconciliation

✅ Answer: B



---


19. Which document triggers a payment to the supplier?

A. Invoice

B. Purchase order

C. Receiving report

D. Voucher package

✅ Answer: D



---


20. The voucher package consists of:

A. Purchase order, receiving report, supplier invoice

B. Purchase requisition, time card, payroll register

C. Sales order, invoice, receipt

D. Invoice, GRN, delivery challan

✅ Answer: A



---


💻 21–30: Documentation & Flowcharts


21. A data flow diagram (DFD) shows:

A. How data moves through a system

B. Physical movement of documents

C. Organizational hierarchy

D. Control flow in programming

✅ Answer: A



---


22. A system flowchart represents:

A. The sequence of program instructions

B. The physical and logical flow of data in AIS

C. Payroll cycle only

D. Accounting records only

✅ Answer: B



---


23. Document flowcharts focus on:

A. System controls

B. Movement of paper documents through departments

C. Data processing steps

D. Software code

✅ Answer: B



---


24. A control flowchart highlights:

A. Input/output devices

B. Control points within a system

C. Storage locations

D. Network architecture

✅ Answer: B



---


25. In a DFD, the symbol for a process is:

A. Rectangle

B. Circle or bubble

C. Arrow

D. Open-ended rectangle

✅ Answer: B



---


26. In a system flowchart, an arrow represents:

A. Flow of data or control

B. A process step

C. A decision

D. A document

✅ Answer: A



---


27. The triangle symbol in flowcharts often denotes:

A. Delay or storage

B. Decision

C. Process

D. Data input

✅ Answer: A



---


28. Which type of documentation best helps identify control weaknesses?

A. System flowchart

B. Data flow diagram

C. Program code

D. Organization chart

✅ Answer: A



---


29. DFD level 0 represents:

A. Context diagram

B. High-level system overview

C. Detailed process map

D. Flow of documents only

✅ Answer: B



---


30. The context diagram in DFD shows:

A. Internal system only

B. System boundaries and external entities

C. File storage

D. Decision logic

✅ Answer: B



---


⚙️ 31–40: Controls (Input, Process, Output, Application, General)


31. Input controls ensure:

A. Data is authorized, accurate, and complete before processing

B. Processing accuracy only

C. Data storage efficiency

D. System recovery after crash

✅ Answer: A



---


32. An example of an input control is:

A. Hash total

B. Exception report

C. Check digit verification

D. Both A and C

✅ Answer: D



---


33. Processing controls ensure:

A. Transactions are not lost or duplicated

B. Only valid data entered

C. Output is distributed correctly

D. Input data are accurate

✅ Answer: A



---


34. A run-to-run total is an example of:

A. Input control

B. Process control

C. Output control

D. Application control

✅ Answer: B



---


35. Output controls focus on:

A. Validity of printed or displayed information

B. Preventing unauthorized access to data

C. Backup and recovery

D. Input validation

✅ Answer: A



---


36. Application controls include:

A. Input, process, and output controls

B. Network and system software controls

C. Firewall and antivirus

D. Backup power supply

✅ Answer: A



---


37. General controls cover:

A. Overall IT environment controls

B. Specific application procedures

C. Payroll cycle only

D. Document authorization

✅ Answer: A



---


38. Examples of general controls include:

A. Password policies and access controls

B. Input edit checks

C. Output reconciliations

D. Batch totals

✅ Answer: A



---


39. A check digit is used to:

A. Verify data accuracy during input

B. Control report output

C. Record process flow

D. Validate document authorization

✅ Answer: A



---


40. Limit and range checks are types of:

A. Input validation controls

B. Process controls

C. Output controls

D. General controls

✅ Answer: A



---


🔐 41–50: System Security & Transaction Processing


41. The main purpose of transaction processing systems (TPS) is:

A. Decision making

B. Recording routine business transactions

C. Data mining

D. Forecasting

✅ Answer: B



---


42. In batch processing, transactions are:

A. Processed immediately

B. Collected and processed together later

C. Deleted after entry

D. Verified manually

✅ Answer: B



---


43. Real-time processing is most suitable for:

A. Payroll

B. Sales order entry

C. Month-end reports

D. Annual budgets

✅ Answer: B



---


44. An audit trail is an example of:

A. Detective control

B. Preventive control

C. Corrective control

D. Process control

✅ Answer: A



---


45. Backup procedures are part of:

A. Output control

B. General control

C. Application control

D. Input control

✅ Answer: B



---


46. Encryption in AIS is primarily a:

A. Physical control

B. Logical access control

C. Input control

D. Output control

✅ Answer: B



---


47. Exception reports are generated to:

A. Highlight unusual transactions

B. Show all transactions

C. Summarize payroll

D. Display all invoices

✅ Answer: A



---


48. Segregation of duties is an example of:

A. Preventive control

B. Detective control

C. Corrective control

D. Manual control only

✅ Answer: A



---


49. Hash totals help in detecting:

A. Omitted or duplicate transactions

B. Fraudulent journal entries

C. Unauthorized reports

D. Access violations

✅ Answer: A



---


50. Disaster recovery plans (DRP) are designed to:

A. Ensure system recovery after major failures

B. Improve process speed

C. Eliminate user errors

D. Train new employees

✅ Answer: A



www.gmsisuccess.in

Saturday, November 1, 2025

Mock Test on Internal Control, Governance, Risk Assessment, etc.


### Section 1: Fundamentals & Concepts (1–25)


1. Which of the following is NOT an objective of an internal control system?  

A) Promote operational efficiency  

B) Safeguard assets  

C) Provide absolute assurance against fraud  

D) Ensure reliable financial reporting  

**Answer:**


2. Internal controls are designed to provide:  

A) Absolute assurance  

B) Reasonable assurance  

C) No assurance  

D) Maximum benefit  

**Answer:**


3. Segregation of duties is a type of:  

A) Preventive control  

B) Detective control  

C) Corrective control  

D) Directive control  

**Answer:**


4. An example of a detective control is:  

A) Bank reconciliation  

B) Password protection  

C) Budget approval  

D) Employee training  

**Answer:**


5. Which internal control component addresses the organization’s “tone at the top”?  

A) Control activities  

B) Control environment  

C) Monitoring  

D) Information and communication  

**Answer:**


6. Which of the following best describes “risk appetite”?  

A) Amount of risk an organization is willing to accept  

B) Probability of a system failure  

C) Number of internal controls in place  

D) The likelihood of collusion  

**Answer:**


7. What is the primary purpose of a code of conduct?  

A) Ensure regulatory compliance  

B) Guide employee ethical behavior  

C) Limit communication  

D) Reduce segregation of duties  

**Answer:**


8. Which of the following is not typically a control activity?  

A) Authorization  

B) Performance reviews  

C) Information technology  

D) Control environment  

**Answer:**


9. The Sarbanes–Oxley Act (SOX) primarily seeks to:  

A) Standardize tax accounting  

B) Improve financial reporting and internal control over financial reporting  

C) Enhance product quality  

D) Increase IT investments  

**Answer:**


10. Internal control weaknesses are most likely if:  

A) One employee handles all aspects of a transaction  

B) Rotation of duties is regular  

C) Access to assets is restricted  

D) There is periodic reconciliation  

**Answer:**


11. Which of these is NOT a control limitation?  

A) Human error  

B) Routine monitoring  

C) Collusion among employees  

D) Management override  

**Answer:**


12. COSO’s framework contains how many components?  

A) 3  

B) 5  

C) 7  

D) 8  

**Answer:**


13. Which is NOT a COSO internal control component?  

A) Control activities  

B) Risk assessment  

C) Governance and culture  

D) Monitoring  

**Answer:**


14. COBIT primarily focuses on:  

A) Enterprise resource planning  

B) Corporate IT governance and management  

C) Financial reporting standards  

D) Product lifecycle management  

**Answer:**


15. Effective internal controls are:  

A) Cost-free  

B) Valued by all stakeholders  

C) Prohibitively expensive  

D) Designed without regard to risk  

**Answer:**


16. Which is a limitation common to all internal control systems?  

A) Cost–benefit constraints  

B) Automatic fraud detection  

C) 100% effectiveness  

D) Elimination of management fraud  

**Answer:**


17. Whose responsibility is it to assess the adequacy of internal controls?  

A) Internal auditors  

B) Management  

C) Board of directors  

D) Audit committee  

**Answer:**


18. Which of the following is not a type of internal control?  

A) Preventive  

B) Detective  

C) Responsive  

D) Corrective  

**Answer:**


19. Which of the following is an example of a detective control?  

A) Supervisory approval  

B) Logical access control  

C) Exception reporting  

D) Segregation of duties  

**Answer:**


20. Scenario: An employee prepares and approves payments. What control is most directly lacking?  

A) Authorization  

B) Segregation of duties  

C) Physical controls  

D) Documentation  

**Answer:**


21. Risk that internal controls will not prevent or detect material misstatements is called:  

A) Detection risk  

B) Control risk  

C) Inherent risk  

D) Audit risk  

**Answer:**


22. The initial step in risk assessment per COSO is:  

A) Designing controls  

B) Identifying risks  

C) Communicating policies  

D) Monitoring controls  

**Answer:**


23. To strengthen internal controls, an organization should:  

A) Centralize all authority  

B) Separate authorization and custody of assets  

C) Allow unrestricted access  

D) Eliminate audits  

**Answer:**


24. A limitation of internal controls is:  

A) They promote reliable reporting  

B) They always prevent management fraud  

C) They rely on human judgment  

D) They optimize organizational efficiency  

**Answer:**


25. The FCPA requires:  

A) SOX certification  

B) Accurate books and records  

C) Only U.S.-based companies  

D) Tax compliance exclusively  

**Answer:**


***


### Section 2: Application & Techniques (Questions 26–50)


26. Which is the best example of a corrective control?

A) Password protection

B) Backup data restoration

C) Monthly bank reconciliation

D) Pre-approval of expenditures  

**Answer:**


27. Routine review of operations to identify supply chain risks is an example of:

A) Risk assessment

B) Supervision

C) Control activity

D) Control environment  

**Answer:**


28. Which of the following must management provide under SOX Section 404?

A) Report on IT security

B) Attestation of effectiveness of internal controls

C) Documentation of payroll cycles

D) Annual financial budget  

**Answer:**


29. What is a key role of the internal audit function?

A) Implementing controls only in finance

B) Objectively assessing the effectiveness of the internal control system

C) Eliminating external audit

D) Approving transactions  

**Answer:**


30. A company restricts access to its server room with swipe cards—this is what type of control?

A) Preventive

B) Detective

C) Corrective

D) Oversight  

**Answer:**


31. Organizational attitude toward internal control is best reflected by:

A) Control environment

B) Information systems

C) Procedures manuals

D) Risk matrices  

**Answer:**


32. What is the main objective of performing tests of controls?

A) Ensure all transactions are error-free

B) Assess effectiveness of controls to prevent or detect misstatements

C) Calculate tax liabilities

D) Reduce cost of audit  

**Answer:**


33. If two employees collude to override controls, this is considered:

A) Detective risk

B) Inherent limitation of controls

C) Design deficiency

D) Control activity  

**Answer:**


34. Which of the following is NOT an element of COSO’s internal control framework?

A) Risk assessment

B) Control environment

C) Strategic planning

D) Monitoring  

**Answer:**


35. The use of exception reporting is best classified as:

A) Preventive control

B) Detective control

C) Corrective control

D) Directive control  

**Answer:**


36. Management override of controls is best described as:

A) Permitted flexibility for staff

B) A limitation of any internal control system

C) Part of effective monitoring

D) Requirement under SOX  

**Answer:**


37. Who is responsible for determining the level of internal control in an organization?

A) Board of directors only

B) Internal auditor only

C) All employees

D) Senior management  

**Answer:**


38. Which SOX requirement was originally NOT part of FCPA?

A) Accurate books and records requirements

B) Prohibition of bribery

C) Annual management assessment of internal control effectiveness

D) Compliance documentation  

**Answer:**


39. When is risk assessment most critical in internal control?

A) Quarterly, after year-end

B) During financial statement audit only

C) Continuously, as part of operations and planning

D) At tax filing  

**Answer:**


40. Scenario: Payroll clerk and payroll approver are the same person. This best represents a weakness in:

A) Supervisory controls

B) Segregation of duties

C) Audit trail

D) Physical security  

**Answer:**


41. The COBIT framework provides guidance primarily for:

A) IT governance and controls

B) Supply chain management

C) Inventory valuation

D) Manufacturing process  

**Answer:**


42. The risk that a material misstatement will not be caught by internal controls is:

A) Control risk

B) Detection risk

C) Inherent risk

D) Regulatory risk  

**Answer:**


43. The existence of written job descriptions is a control related to:

A) Physical controls

B) Authorization controls

C) Human resource controls

D) Preventive controls  

**Answer:**


44. COSO defines “Monitoring Activities” as:

A) Developing new policies

B) Ongoing evaluations and separate evaluations of controls

C) Performing risk assessments only

D) Performing fraud investigations only  

**Answer:**


45. Who should approve the company-wide internal control policy?

A) Line supervisors

B) External auditors

C) Senior management and board of directors

D) Department heads  

**Answer:**


46. Which action is least likely to result in effective monitoring?

A) Regular internal audits

B) Ignoring exception reports

C) Following up on reported deficiencies

D) Using key control indicators  

**Answer:**


47. If an organization relies too heavily on a single individual for transaction processing, this exposes the entity to:

A) Improved fraud detection

B) Increased risk of error and fraud

C) Reduced documentation needs

D) Enhanced regulatory compliance  

**Answer:**


48. A flow chart of an internal control system primarily:

A) Illustrates understanding and documentation of the system

B) Is rarely used in auditing

C) Reduces the need for other documentation

D) Is required by SOX  

**Answer:**


49. Information technology controls commonly focus on all EXCEPT:

A) Systems access

B) Data integrity

C) Compliance with SOX solely

D) Disaster recovery  

**Answer:**


50. Which of the following is the BEST example of a scenario-based control test for auditors?

A) Reviewing hiring policies annually

B) Simulating a breach in payroll approval process

C) Verifying purchase orders

D) Reconciling cash accounts monthly  

**Answer:**

### Section 3: Weaknesses & Limitations (Questions 51–75)


51. Which of these is an inherent limitation of any internal control system?

A) Rotating duties

B) Management override

C) Pre-numbering documents

D) Segregation of duties  

**Answer:**


52. The control environment can be undermined by:

A) Setting a strong ethical tone

B) Willful negligence at any management level

C) Hiring competent staff

D) Documenting all policies  

**Answer:**


53. If monthly reconciliations are skipped, which control component is directly weakened?

A) Information and communication

B) Monitoring

C) Risk assessment

D) Control environment  

**Answer:**


54. Which is NOT a control weakness?

A) Unrestricted access to assets

B) Collusion between multiple employees

C) Signed job descriptions

D) Lack of performance reviews  

**Answer:**


55. Most control activities are effective ONLY if:

A) Employees are rotated annually

B) Controls are monitored

C) Duties are not segregated

D) Management overrides are permitted  

**Answer:**


56. Scenario: The top sales staff submit expenses with non-allowable charges, and management approves to avoid conflict. Which control component suffers most?

A) Monitoring

B) Control environment

C) Information & communication

D) Control activities  

**Answer:**


57. Limitation of internal control in computerized systems is MOST likely due to:

A) Segregation of duties

B) Unauthorized access to data

C) Frequent equipment upgrades

D) Use of passwords  

**Answer:**


58. Management override risks are best addressed by:

A) Preventing all overrides

B) Implementing whistleblower policies and monitoring mechanisms

C) Rotating staff

D) Ignoring reporting lines  

**Answer:**


59. An internal auditor suspects collusion. The highest-risk area is usually:

A) Payroll processing

B) Petty cash handling

C) Inventory counting

D) Bank reconciliation  

**Answer:**


60. Control effectiveness is BEST measured by:

A) Number of controls existing

B) Ability to prevent or detect material errors and fraud

C) Speed of transaction processing

D) Employees' seniority  

**Answer:**


61. The best way to test effectiveness of physical inventory controls:

A) Analytical procedures only

B) Direct observation during inventory counts

C) Reviewing accounting records only

D) Reviewing purchase orders  

**Answer:**


62. Which function provides the BEST segregation of duties for payroll?

A) HR creates payroll; accounting processes payroll; treasurer signs checks

B) Payroll clerk manages everything

C) HR hires/fires; payroll processes

D) Accounting and payroll share all tasks  

**Answer:**


63. Internal auditors deter fraud mainly by:

A) Investigating bribery only

B) Having strong written policies

C) Testing controls and monitoring fraud risks

D) Reviewing board minutes  

**Answer:**


64. When controls are effective ONLY in specific contexts, it is due to:

A) Inherent limitations

B) Control design

C) Monitoring frequency

D) Directive controls  

**Answer:**


65. Which of the following BEST addresses efficiency of internal controls?

A) Formal job descriptions

B) Cost-benefit analysis of controls

C) Annual external audits

D) Detailed policies  

**Answer:**


66. Control risk is highest when:

A) Controls are regularly tested and updated

B) Management frequently overrides controls

C) Duties are strictly segregated

D) Control activities are automated  

**Answer:**


67. Which is a key sign of weak control in purchase order processing?

A) Use of pre-numbered forms

B) Rush orders by telephone without supporting documentation

C) Written approvals for every purchase

D) Restricted vendor list  

**Answer:**


68. A company lacks adequate documentation for all expenditures. The main risk is:

A) Efficient reporting

B) Unauthorized payments and fraud

C) Strong compliance

D) Effective budgeting  

**Answer:**


69. Monitoring control performance is mainly the responsibility of:

A) Board of directors

B) Senior management

C) Internal audit

D) IT department  

**Answer:**


70. Regarding payroll, what control can best prevent inclusion of fictitious employees?

A) Time cards and attendance records verified by HR

B) Payroll clerk authorizes all changes

C) No authorization required for payroll changes

D) Clerk approves own payroll  

**Answer:**


71. When control activities focus only on detecting problems, what is missing?

A) Preventive controls

B) Monitoring

C) Authorization

D) Oversight  

**Answer:**


72. Most frauds occur due to:

A) Lack of detective controls

B) Weak preventive controls and collusion

C) Efficient reconciliation

D) Proper segregation of duties  

**Answer:**


73. Which control would most likely prevent unauthorized access to cash receipts?

A) Daily reconciliation by accounting

B) Prelisting incoming receipts (separate from cashier)

C) Open access for staff

D) Periodic external audit only  

**Answer:**


74. When is control efficiency maximized?

A) When controls cost less than the value of risk reduction

B) When all risks are eliminated

C) When only senior management oversees controls

D) When all controls are physical  

**Answer:**


75. A purchasing agent who acquires items for personal use exploits a weakness in:

A) Segregation of duties and approval controls

B) Documentation only

C) Control environment only

D) External audit  

**Answer:**

### Section 4: Advanced Scenarios & Assessment (Questions 76–100)


76. Which of the following best describes the role of internal audit regarding IT governance?  

A) Selecting IT candidates  

B) Ensuring IT governance aligns with organizational risk appetite  

C) Developing IT policies  

D) Operating IT systems  

**Answer:**


77. Scenario: The sales team repeatedly submits expense claims with non-allowable charges that management approves. Which internal control component is most compromised?  

A) Information and communication  

B) Control environment  

C) Monitoring  

D) Risk assessment  

**Answer:**


78. Which of the following statements about risk appetite is correct?  

A) It is the maximum level of risk the organization will accept in pursuit of objectives.  

B) It refers to the likelihood of risk occurrence.  

C) It is the probability of a financial loss.  

D) It is the absence of risk.  

**Answer:**


79. Under COSO, which component ensures management evaluates whether controls are present and functioning?  

A) Control environment  

B) Monitoring  

C) Information and communication  

D) Control activities  

**Answer:**


80. What is the purpose of the Foreign Corrupt Practices Act (FCPA)?  

A) To prevent bribery of foreign officials  

B) To regulate financial audits  

C) To oversee employee hiring  

D) To establish IT governance  

**Answer:**


81. Scenario: An auditor discovers unauthorized access to the accounting system by an employee with a terminated contract. Which control was most likely deficient?  

A) Physical controls  

B) Access controls  

C) Segregation of duties  

D) Authorization controls  

**Answer:**


82. Which of the following best describes the effectiveness of internal control?  

A) Controls must eliminate all risks  

B) Controls provide reasonable assurance to meet objectives  

C) Controls are only monitoring tools  

D) Controls guarantee 100% accuracy  

**Answer:**


83. Management override of controls is:  

A) Prohibited and impossible  

B) An inherent limitation of any internal control system  

C) A monitoring control  

D) A preventive control  

**Answer:**


84. An important preventive control for cash receipts includes:  

A) Daily reconciliation by management  

B) Restricting cash handling to authorized personnel  

C) Periodic external audits  

D) Surprise cash counts  

**Answer:**


85. COBIT aligns IT goals with:  

A) Sales targets  

B) Corporate governance and enterprise goals  

C) Stock market trends  

D) Tax regulations  

**Answer:**


86. The primary focus of SOX Section 404 is to:  

A) Enhance internal control over financial reporting  

B) Require external audits  

C) Limit executive compensation  

D) Regulate tax filings  

**Answer:**


87. Scenario: An audit finds inconsistent application of controls across regional offices. This is a weakness in:  

A) Control environment  

B) Control activities  

C) Monitoring  

D) Communication  

**Answer:**


88. An effective whistleblower policy contributes to which internal control component?  

A) Monitoring  

B) Segregation of duties  

C) Risk assessment  

D) Information and communication  

**Answer:**


89. Which of the following is best practice when applying COSO and COBIT frameworks together?  

A) Using COSO for overall enterprise risk and COBIT for IT governance  

B) Using both interchangeably  

C) Applying only COSO for IT controls  

D) Ignoring framework alignment  

**Answer:**


90. Which action best supports the ethical tone in an organization?  

A) Strong and enforced code of conduct  

B) Flexible work hours  

C) Minimum training  

D) Light audit oversight  

**Answer:**


91. Scenario: A company uses pre-numbered forms for sales but does not account for missing forms. This control weakness exposes the company to:  

A) Unauthorized sales recording  

B) Ineffective job descriptions  

C) Cost-benefit imbalance  

D) Lack of training  

**Answer:**


92. Which audit procedure most effectively identifies control weaknesses?  

A) Inquiry only  

B) Inspection and observation  

C) Casual conversation  

D) Reviewing outdated reports  

**Answer:**


93. Internal control risk assessment is crucial for:  

A) Planning audit procedures  

B) Tax compliance  

C) Budget setting only  

D) HR hiring  

**Answer:**


94. Management’s responsibility for internal control includes:  

A) Designing and maintaining effective controls  

B) Approving external audit reports  

C) Investigating fraud independently  

D) Developing audit plans  

**Answer:**


95. An auditor reviewing access logs and permissions of an IT system is performing:  

A) Control testing procedures  

B) Risk identification  

C) Compliance review only  

D) IT system design  

**Answer:**


96. Scenario: No independent verification is required for cash disbursements. This control weakness increases the risk of:  

A) Unauthorized payments  

B) System downtime  

C) Tax penalties  

D) Physical loss  

**Answer:**


97. Financial statement fraud is most likely prevented by:  

A) Segregation of duties over accounting functions  

B) Management override flexibility  

C) Efficient IT infrastructure only  

D) Informal document controls  

**Answer:**


98. Which of these is NOT a control activity?  

A) Documented policies and procedures  

B) Authorization of transactions  

C) Risk assessment  

D) Physical controls  

**Answer:**


99. A board of directors’ oversight role is critical for:  

A) Ensuring internal audit independence  

B) Preparing audit reports  

C) Daily operational control  

D) Payroll processing  

**Answer:**


100. Which of the following is a key benefit of implementing COSO framework controls?  

A) Enhanced risk management and governance structure  

B) Reduction in employee headcount  

C) Increased leniency in financial reporting  

D) Elimination of fraud risk  

**Answer:**


www.gmsisuccess.in


Answers:

### Section 1: Fundamentals & Concepts (1–25)


1. Which of the following is NOT an objective of an internal control system?  

A) Promote operational efficiency  

B) Safeguard assets  

C) Provide absolute assurance against fraud  

D) Ensure reliable financial reporting  

**Answer: C**


2. Internal controls are designed to provide:  

A) Absolute assurance  

B) Reasonable assurance  

C) No assurance  

D) Maximum benefit  

**Answer: B**


3. Segregation of duties is a type of:  

A) Preventive control  

B) Detective control  

C) Corrective control  

D) Directive control  

**Answer: A**


4. An example of a detective control is:  

A) Bank reconciliation  

B) Password protection  

C) Budget approval  

D) Employee training  

**Answer: A**


5. Which internal control component addresses the organization’s “tone at the top”?  

A) Control activities  

B) Control environment  

C) Monitoring  

D) Information and communication  

**Answer: B**


6. Which of the following best describes “risk appetite”?  

A) Amount of risk an organization is willing to accept  

B) Probability of a system failure  

C) Number of internal controls in place  

D) The likelihood of collusion  

**Answer: A**


7. What is the primary purpose of a code of conduct?  

A) Ensure regulatory compliance  

B) Guide employee ethical behavior  

C) Limit communication  

D) Reduce segregation of duties  

**Answer: B**


8. Which of the following is not typically a control activity?  

A) Authorization  

B) Performance reviews  

C) Information technology  

D) Control environment  

**Answer: D**


9. The Sarbanes–Oxley Act (SOX) primarily seeks to:  

A) Standardize tax accounting  

B) Improve financial reporting and internal control over financial reporting  

C) Enhance product quality  

D) Increase IT investments  

**Answer: B**


10. Internal control weaknesses are most likely if:  

A) One employee handles all aspects of a transaction  

B) Rotation of duties is regular  

C) Access to assets is restricted  

D) There is periodic reconciliation  

**Answer: A**


11. Which of these is NOT a control limitation?  

A) Human error  

B) Routine monitoring  

C) Collusion among employees  

D) Management override  

**Answer: B**


12. COSO’s framework contains how many components?  

A) 3  

B) 5  

C) 7  

D) 8  

**Answer: B**


13. Which is NOT a COSO internal control component?  

A) Control activities  

B) Risk assessment  

C) Governance and culture  

D) Monitoring  

**Answer: C**


14. COBIT primarily focuses on:  

A) Enterprise resource planning  

B) Corporate IT governance and management  

C) Financial reporting standards  

D) Product lifecycle management  

**Answer: B**


15. Effective internal controls are:  

A) Cost-free  

B) Valued by all stakeholders  

C) Prohibitively expensive  

D) Designed without regard to risk  

**Answer: B**


16. Which is a limitation common to all internal control systems?  

A) Cost–benefit constraints  

B) Automatic fraud detection  

C) 100% effectiveness  

D) Elimination of management fraud  

**Answer: A**


17. Whose responsibility is it to assess the adequacy of internal controls?  

A) Internal auditors  

B) Management  

C) Board of directors  

D) Audit committee  

**Answer: B**


18. Which of the following is not a type of internal control?  

A) Preventive  

B) Detective  

C) Responsive  

D) Corrective  

**Answer: C**


19. Which of the following is an example of a detective control?  

A) Supervisory approval  

B) Logical access control  

C) Exception reporting  

D) Segregation of duties  

**Answer: C**


20. Scenario: An employee prepares and approves payments. What control is most directly lacking?  

A) Authorization  

B) Segregation of duties  

C) Physical controls  

D) Documentation  

**Answer: B**


21. Risk that internal controls will not prevent or detect material misstatements is called:  

A) Detection risk  

B) Control risk  

C) Inherent risk  

D) Audit risk  

**Answer: B**


22. The initial step in risk assessment per COSO is:  

A) Designing controls  

B) Identifying risks  

C) Communicating policies  

D) Monitoring controls  

**Answer: B**


23. To strengthen internal controls, an organization should:  

A) Centralize all authority  

B) Separate authorization and custody of assets  

C) Allow unrestricted access  

D) Eliminate audits  

**Answer: B**


24. A limitation of internal controls is:  

A) They promote reliable reporting  

B) They always prevent management fraud  

C) They rely on human judgment  

D) They optimize organizational efficiency  

**Answer: C**


25. The FCPA requires:  

A) SOX certification  

B) Accurate books and records  

C) Only U.S.-based companies  

D) Tax compliance exclusively  

**Answer: B**


***


### Section 2: Application & Techniques (Questions 26–50)


26. Which is the best example of a corrective control?

A) Password protection

B) Backup data restoration

C) Monthly bank reconciliation

D) Pre-approval of expenditures  

**Answer: B**


27. Routine review of operations to identify supply chain risks is an example of:

A) Risk assessment

B) Supervision

C) Control activity

D) Control environment  

**Answer: A**


28. Which of the following must management provide under SOX Section 404?

A) Report on IT security

B) Attestation of effectiveness of internal controls

C) Documentation of payroll cycles

D) Annual financial budget  

**Answer: B**


29. What is a key role of the internal audit function?

A) Implementing controls only in finance

B) Objectively assessing the effectiveness of the internal control system

C) Eliminating external audit

D) Approving transactions  

**Answer: B**


30. A company restricts access to its server room with swipe cards—this is what type of control?

A) Preventive

B) Detective

C) Corrective

D) Oversight  

**Answer: A**


31. Organizational attitude toward internal control is best reflected by:

A) Control environment

B) Information systems

C) Procedures manuals

D) Risk matrices  

**Answer: A**


32. What is the main objective of performing tests of controls?

A) Ensure all transactions are error-free

B) Assess effectiveness of controls to prevent or detect misstatements

C) Calculate tax liabilities

D) Reduce cost of audit  

**Answer: B**


33. If two employees collude to override controls, this is considered:

A) Detective risk

B) Inherent limitation of controls

C) Design deficiency

D) Control activity  

**Answer: B**


34. Which of the following is NOT an element of COSO’s internal control framework?

A) Risk assessment

B) Control environment

C) Strategic planning

D) Monitoring  

**Answer: C**


35. The use of exception reporting is best classified as:

A) Preventive control

B) Detective control

C) Corrective control

D) Directive control  

**Answer: B**


36. Management override of controls is best described as:

A) Permitted flexibility for staff

B) A limitation of any internal control system

C) Part of effective monitoring

D) Requirement under SOX  

**Answer: B**


37. Who is responsible for determining the level of internal control in an organization?

A) Board of directors only

B) Internal auditor only

C) All employees

D) Senior management  

**Answer: D**


38. Which SOX requirement was originally NOT part of FCPA?

A) Accurate books and records requirements

B) Prohibition of bribery

C) Annual management assessment of internal control effectiveness

D) Compliance documentation  

**Answer: C**


39. When is risk assessment most critical in internal control?

A) Quarterly, after year-end

B) During financial statement audit only

C) Continuously, as part of operations and planning

D) At tax filing  

**Answer: C**


40. Scenario: Payroll clerk and payroll approver are the same person. This best represents a weakness in:

A) Supervisory controls

B) Segregation of duties

C) Audit trail

D) Physical security  

**Answer: B**


41. The COBIT framework provides guidance primarily for:

A) IT governance and controls

B) Supply chain management

C) Inventory valuation

D) Manufacturing process  

**Answer: A**


42. The risk that a material misstatement will not be caught by internal controls is:

A) Control risk

B) Detection risk

C) Inherent risk

D) Regulatory risk  

**Answer: A**


43. The existence of written job descriptions is a control related to:

A) Physical controls

B) Authorization controls

C) Human resource controls

D) Preventive controls  

**Answer: C**


44. COSO defines “Monitoring Activities” as:

A) Developing new policies

B) Ongoing evaluations and separate evaluations of controls

C) Performing risk assessments only

D) Performing fraud investigations only  

**Answer: B**


45. Who should approve the company-wide internal control policy?

A) Line supervisors

B) External auditors

C) Senior management and board of directors

D) Department heads  

**Answer: C**


46. Which action is least likely to result in effective monitoring?

A) Regular internal audits

B) Ignoring exception reports

C) Following up on reported deficiencies

D) Using key control indicators  

**Answer: B**


47. If an organization relies too heavily on a single individual for transaction processing, this exposes the entity to:

A) Improved fraud detection

B) Increased risk of error and fraud

C) Reduced documentation needs

D) Enhanced regulatory compliance  

**Answer: B**


48. A flow chart of an internal control system primarily:

A) Illustrates understanding and documentation of the system

B) Is rarely used in auditing

C) Reduces the need for other documentation

D) Is required by SOX  

**Answer: A**


49. Information technology controls commonly focus on all EXCEPT:

A) Systems access

B) Data integrity

C) Compliance with SOX solely

D) Disaster recovery  

**Answer: C**


50. Which of the following is the BEST example of a scenario-based control test for auditors?

A) Reviewing hiring policies annually

B) Simulating a breach in payroll approval process

C) Verifying purchase orders

D) Reconciling cash accounts monthly  

**Answer: B**

### Section 3: Weaknesses & Limitations (Questions 51–75)


51. Which of these is an inherent limitation of any internal control system?

A) Rotating duties

B) Management override

C) Pre-numbering documents

D) Segregation of duties  

**Answer: B**


52. The control environment can be undermined by:

A) Setting a strong ethical tone

B) Willful negligence at any management level

C) Hiring competent staff

D) Documenting all policies  

**Answer: B**


53. If monthly reconciliations are skipped, which control component is directly weakened?

A) Information and communication

B) Monitoring

C) Risk assessment

D) Control environment  

**Answer: B**


54. Which is NOT a control weakness?

A) Unrestricted access to assets

B) Collusion between multiple employees

C) Signed job descriptions

D) Lack of performance reviews  

**Answer: C**


55. Most control activities are effective ONLY if:

A) Employees are rotated annually

B) Controls are monitored

C) Duties are not segregated

D) Management overrides are permitted  

**Answer: B**


56. Scenario: The top sales staff submit expenses with non-allowable charges, and management approves to avoid conflict. Which control component suffers most?

A) Monitoring

B) Control environment

C) Information & communication

D) Control activities  

**Answer: B**


57. Limitation of internal control in computerized systems is MOST likely due to:

A) Segregation of duties

B) Unauthorized access to data

C) Frequent equipment upgrades

D) Use of passwords  

**Answer: B**


58. Management override risks are best addressed by:

A) Preventing all overrides

B) Implementing whistleblower policies and monitoring mechanisms

C) Rotating staff

D) Ignoring reporting lines  

**Answer: B**


59. An internal auditor suspects collusion. The highest-risk area is usually:

A) Payroll processing

B) Petty cash handling

C) Inventory counting

D) Bank reconciliation  

**Answer: C**


60. Control effectiveness is BEST measured by:

A) Number of controls existing

B) Ability to prevent or detect material errors and fraud

C) Speed of transaction processing

D) Employees' seniority  

**Answer: B**


61. The best way to test effectiveness of physical inventory controls:

A) Analytical procedures only

B) Direct observation during inventory counts

C) Reviewing accounting records only

D) Reviewing purchase orders  

**Answer: B**


62. Which function provides the BEST segregation of duties for payroll?

A) HR creates payroll; accounting processes payroll; treasurer signs checks

B) Payroll clerk manages everything

C) HR hires/fires; payroll processes

D) Accounting and payroll share all tasks  

**Answer: A**


63. Internal auditors deter fraud mainly by:

A) Investigating bribery only

B) Having strong written policies

C) Testing controls and monitoring fraud risks

D) Reviewing board minutes  

**Answer: C**


64. When controls are effective ONLY in specific contexts, it is due to:

A) Inherent limitations

B) Control design

C) Monitoring frequency

D) Directive controls  

**Answer: A**


65. Which of the following BEST addresses efficiency of internal controls?

A) Formal job descriptions

B) Cost-benefit analysis of controls

C) Annual external audits

D) Detailed policies  

**Answer: B**


66. Control risk is highest when:

A) Controls are regularly tested and updated

B) Management frequently overrides controls

C) Duties are strictly segregated

D) Control activities are automated  

**Answer: B**


67. Which is a key sign of weak control in purchase order processing?

A) Use of pre-numbered forms

B) Rush orders by telephone without supporting documentation

C) Written approvals for every purchase

D) Restricted vendor list  

**Answer: B**


68. A company lacks adequate documentation for all expenditures. The main risk is:

A) Efficient reporting

B) Unauthorized payments and fraud

C) Strong compliance

D) Effective budgeting  

**Answer: B**


69. Monitoring control performance is mainly the responsibility of:

A) Board of directors

B) Senior management

C) Internal audit

D) IT department  

**Answer: B**


70. Regarding payroll, what control can best prevent inclusion of fictitious employees?

A) Time cards and attendance records verified by HR

B) Payroll clerk authorizes all changes

C) No authorization required for payroll changes

D) Clerk approves own payroll  

**Answer: A**


71. When control activities focus only on detecting problems, what is missing?

A) Preventive controls

B) Monitoring

C) Authorization

D) Oversight  

**Answer: A**


72. Most frauds occur due to:

A) Lack of detective controls

B) Weak preventive controls and collusion

C) Efficient reconciliation

D) Proper segregation of duties  

**Answer: B**


73. Which control would most likely prevent unauthorized access to cash receipts?

A) Daily reconciliation by accounting

B) Prelisting incoming receipts (separate from cashier)

C) Open access for staff

D) Periodic external audit only  

**Answer: B**


74. When is control efficiency maximized?

A) When controls cost less than the value of risk reduction

B) When all risks are eliminated

C) When only senior management oversees controls

D) When all controls are physical  

**Answer: A**


75. A purchasing agent who acquires items for personal use exploits a weakness in:

A) Segregation of duties and approval controls

B) Documentation only

C) Control environment only

D) External audit  

**Answer: A**

### Section 4: Advanced Scenarios & Assessment (Questions 76–100)


76. Which of the following best describes the role of internal audit regarding IT governance?  

A) Selecting IT candidates  

B) Ensuring IT governance aligns with organizational risk appetite  

C) Developing IT policies  

D) Operating IT systems  

**Answer: B**


77. Scenario: The sales team repeatedly submits expense claims with non-allowable charges that management approves. Which internal control component is most compromised?  

A) Information and communication  

B) Control environment  

C) Monitoring  

D) Risk assessment  

**Answer: B**


78. Which of the following statements about risk appetite is correct?  

A) It is the maximum level of risk the organization will accept in pursuit of objectives.  

B) It refers to the likelihood of risk occurrence.  

C) It is the probability of a financial loss.  

D) It is the absence of risk.  

**Answer: A**


79. Under COSO, which component ensures management evaluates whether controls are present and functioning?  

A) Control environment  

B) Monitoring  

C) Information and communication  

D) Control activities  

**Answer: B**


80. What is the purpose of the Foreign Corrupt Practices Act (FCPA)?  

A) To prevent bribery of foreign officials  

B) To regulate financial audits  

C) To oversee employee hiring  

D) To establish IT governance  

**Answer: A**


81. Scenario: An auditor discovers unauthorized access to the accounting system by an employee with a terminated contract. Which control was most likely deficient?  

A) Physical controls  

B) Access controls  

C) Segregation of duties  

D) Authorization controls  

**Answer: B**


82. Which of the following best describes the effectiveness of internal control?  

A) Controls must eliminate all risks  

B) Controls provide reasonable assurance to meet objectives  

C) Controls are only monitoring tools  

D) Controls guarantee 100% accuracy  

**Answer: B**


83. Management override of controls is:  

A) Prohibited and impossible  

B) An inherent limitation of any internal control system  

C) A monitoring control  

D) A preventive control  

**Answer: B**


84. An important preventive control for cash receipts includes:  

A) Daily reconciliation by management  

B) Restricting cash handling to authorized personnel  

C) Periodic external audits  

D) Surprise cash counts  

**Answer: B**


85. COBIT aligns IT goals with:  

A) Sales targets  

B) Corporate governance and enterprise goals  

C) Stock market trends  

D) Tax regulations  

**Answer: B**


86. The primary focus of SOX Section 404 is to:  

A) Enhance internal control over financial reporting  

B) Require external audits  

C) Limit executive compensation  

D) Regulate tax filings  

**Answer: A**


87. Scenario: An audit finds inconsistent application of controls across regional offices. This is a weakness in:  

A) Control environment  

B) Control activities  

C) Monitoring  

D) Communication  

**Answer: B**


88. An effective whistleblower policy contributes to which internal control component?  

A) Monitoring  

B) Segregation of duties  

C) Risk assessment  

D) Information and communication  

**Answer: D**


89. Which of the following is best practice when applying COSO and COBIT frameworks together?  

A) Using COSO for overall enterprise risk and COBIT for IT governance  

B) Using both interchangeably  

C) Applying only COSO for IT controls  

D) Ignoring framework alignment  

**Answer: A**


90. Which action best supports the ethical tone in an organization?  

A) Strong and enforced code of conduct  

B) Flexible work hours  

C) Minimum training  

D) Light audit oversight  

**Answer: A**


91. Scenario: A company uses pre-numbered forms for sales but does not account for missing forms. This control weakness exposes the company to:  

A) Unauthorized sales recording  

B) Ineffective job descriptions  

C) Cost-benefit imbalance  

D) Lack of training  

**Answer: A**
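The weakness in question 91 is tested by a sequence-gap check: every number between the lowest and highest used form must either appear in the journal or be explained in a void register, and no number may appear twice. The following is an added illustration, not code from the original page; the invoice numbers, the `INV-` prefix format and the void register are constructed sample data.

```python
"""Sequence-gap check for pre-numbered documents (added example).
The form numbers and void register below are constructed sample data."""
import re

# Constructed: sales invoice numbers recorded in the sales journal
RECORDED = ["INV-1001", "INV-1002", "INV-1004", "INV-1005", "INV-1008", "INV-1007"]
# Constructed: forms recorded as spoiled/voided in the void register
VOIDED = {"INV-1003"}

# Assumed form-number layout: alphabetic prefix, hyphen, zero-padded digits
_PATTERN = re.compile(r"^([A-Z]+)-(\d+)$")


def _split(form_no):
    """Return (prefix, numeric part, digit width) or raise on a bad number."""
    m = _PATTERN.match(form_no)
    if not m:
        raise ValueError(f"unrecognised form number: {form_no}")
    return m.group(1), int(m.group(2)), len(m.group(2))


def find_unaccounted_forms(recorded, voided):
    """Numbers between the lowest and highest recorded form that are
    neither recorded in the journal nor explained in the void register."""
    parsed = [_split(f) for f in recorded]
    prefixes = {p for p, _, _ in parsed}
    if len(prefixes) != 1:
        raise ValueError(f"mixed prefixes in one sequence: {prefixes}")
    prefix = prefixes.pop()
    width = parsed[0][2]
    numbers = {n for _, n, _ in parsed}
    expected = range(min(numbers), max(numbers) + 1)
    missing = [f"{prefix}-{n:0{width}d}" for n in expected if n not in numbers]
    return [f for f in missing if f not in voided]


def find_duplicate_forms(recorded):
    """Form numbers recorded more than once; a reused number can hide an
    unauthorised sale behind a legitimate-looking document."""
    seen, dups = set(), []
    for f in recorded:
        if f in seen and f not in dups:
            dups.append(f)
        seen.add(f)
    return dups


if __name__ == "__main__":
    print("unaccounted:", find_unaccounted_forms(RECORDED, VOIDED))
    print("duplicates:", find_duplicate_forms(RECORDED))
```

On the constructed data, INV-1003 is explained by the void register, so only INV-1006 is reported as unaccounted for; the auditor would then trace that number to a physical form or a cancellation record. Out-of-order recording (INV-1008 before INV-1007) is tolerated, since it is the completeness of the sequence, not its order, that the control is meant to assure.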


92. Which audit procedure most effectively identifies control weaknesses?  

A) Inquiry only  

B) Inspection and observation  

C) Casual conversation  

D) Reviewing outdated reports  

**Answer: B**


93. Internal control risk assessment is crucial for:  

A) Planning audit procedures  

B) Tax compliance  

C) Budget setting only  

D) HR hiring  

**Answer: A**


94. Management’s responsibility for internal control includes:  

A) Designing and maintaining effective controls  

B) Approving external audit reports  

C) Investigating fraud independently  

D) Developing audit plans  

**Answer: A**


95. An auditor reviewing access logs and permissions of an IT system is performing:  

A) Control testing procedures  

B) Risk identification  

C) Compliance review only  

D) IT system design  

**Answer: A**
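Questions 81 and 95 describe the same control test from two sides: the deficiency is a leaver whose access survived termination, and the procedure that finds it is reconciling system accounts and access logs against the HR record. Below is an added example of that reconciliation, written for this page and not taken from any framework or product; the HR roster, account list, log format (`<ISO timestamp> <user> <action>`) and every identifier in it are constructed sample data.

```python
"""Control test for user deprovisioning (added example): reconcile an HR
leaver list against system accounts and access-log lines. All data below
is constructed for illustration."""
from datetime import date, datetime

# Constructed HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e100": None,
    "e101": date(2025, 9, 30),
    "e102": date(2025, 10, 15),
    "e103": None,
}

# Constructed account list exported from the accounting system
ACCOUNTS = [
    {"user": "e100", "enabled": True,  "roles": ["ap_clerk"]},
    {"user": "e101", "enabled": True,  "roles": ["ap_clerk", "gl_post"]},  # leaver, still enabled
    {"user": "e102", "enabled": False, "roles": ["ar_clerk"]},              # leaver, disabled correctly
    {"user": "e104", "enabled": True,  "roles": ["admin"]},                 # no HR record at all
]

# Constructed access-log lines, assumed format: "<ISO timestamp> <user> <action> [details]"
ACCESS_LOG = """\
2025-09-29T08:02:11 e101 LOGIN
2025-10-03T17:44:09 e101 LOGIN
2025-10-03T17:45:30 e101 POST_JOURNAL je=4471
2025-10-20T09:10:00 e102 LOGIN_FAILED
2025-10-21T10:00:00 e100 LOGIN
"""


def find_orphaned_accounts(roster, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR.
    Returns (user, reason) pairs in account-list order."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no HR record"))
        elif roster[user] is not None:
            findings.append((user, f"terminated {roster[user]}"))
    return findings


def find_post_termination_activity(roster, log_text):
    """Successful actions logged for a user after their termination date.
    Failed logins are excluded: they show the control working, not failing."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, *_details = line.split()
        term = roster.get(user)
        if term is None:          # active employee or unknown user; not a leaver
            continue
        when = datetime.fromisoformat(ts)
        if when.date() > term and not action.endswith("_FAILED"):
            findings.append((user, ts, action))
    return findings


if __name__ == "__main__":
    for user, reason in find_orphaned_accounts(HR_ROSTER, ACCOUNTS):
        print(f"orphaned account: {user} ({reason})")
    for user, ts, action in find_post_termination_activity(HR_ROSTER, ACCESS_LOG):
        print(f"post-termination activity: {user} {ts} {action}")
```

The two checks answer different audit questions. The account reconciliation shows whether the deprovisioning control is in place (e101 is still enabled after leaving, and e104 exists with no HR record at all, which is the "unknown to HR" case an auditor treats as at least as serious as a leaver). The log review shows whether the gap was actually used: e101 logged in and posted a journal entry three days after termination, which turns a design deficiency into evidence of unauthorised transactions that must be traced and reversed. Running both, rather than the permissions review alone, is what makes this control testing rather than a compliance checklist.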


96. Scenario: No independent verification is required for cash disbursements. This control weakness increases the risk of:  

A) Unauthorized payments  

B) System downtime  

C) Tax penalties  

D) Physical loss  

**Answer: A**


97. Financial statement fraud is most likely prevented by:  

A) Segregation of duties over accounting functions  

B) Management override flexibility  

C) Efficient IT infrastructure only  

D) Informal document controls  

**Answer: A**


98. Which of these is NOT a control activity?  

A) Documented policies and procedures  

B) Authorization of transactions  

C) Risk assessment  

D) Physical controls  

**Answer: C**


99. A board of directors’ oversight role is critical for:  

A) Ensuring internal audit independence  

B) Preparing audit reports  

C) Daily operational control  

D) Payroll processing  

**Answer: A**


100. Which of the following is a key benefit of implementing COSO framework controls?  

A) Enhanced risk management and governance structure  

B) Reduction in employee headcount  

C) Increased leniency in financial reporting  

D) Elimination of fraud risk  

**Answer: A**


www.gmsisuccess.in