S-Q Unit 1 Business Processes, Risks and Internal Control RECOVER

Q-1 10-02-23 1. Which of the following is correct regarding the consumer price index (CPI ) for measuring the estimated decrease in a company’s buying power?  The products a company buys should differ from what a consumer buys  For a company to maintain its margins in times of rising prices, it must purchase lower-priced, if not lower-quality, products. The consumer may continue to buy the higher-priced products that (s)he is used to purchasing. The CPI is measured only once every 10 years. The CPI measures what consumers will pay for items. The CPI is skewed by foreign currency translations. 2. What is the most likely economic effect of tariffs and quotas ? - Tariffs but not quotas affect all importers of the affected goods equally  A tariff has an equal effect on all goods on which it is applied. Import licenses, however, may be awarded based on political favoritism. -Workers are shifted into more efficient export industries  The effect is to shift workers into relatively inefficient domestic protected industries. The price increase is received by exporters in foreign countries  A tariff increases the domestic government’s general tax revenues. Total world output increases  Total world output decreases. 3. SIM-1 9-30-23 1. Select from the option list provided to indicate the applicable monitoring phase, if any, for each potential component listed below. Each choice may be used once, more than once, or not at all. Potential component Monitoring phase 有效的監測方法包括三階段 1) 建立監測基礎 2) 設計和執行 監測程序 3) 評估和報告結果 監控階段的 基礎包括 a. 頂部的音調 b. 組織結構，以及 c. 對內部控制有效性的基本了解 2. 設計和執行階段包括 a. 優先考慮風險 b. 識別控制 c. 識別有關控制的有說服力信息 d. 實施監測程序。 3. 評估和報告 階段包括 a. 確定調查結果的優先順序 b. 向適當等級報告結果及跟 進糾正措施 1 . Tone at the top Foundation for monitoring 2. Prioritizing findings Assess and report 3. Prioritizing risks Design and execute 4. Organizational structure Foundation for monitoring 5. Identifying controls Design and execute 6. Baseline understanding of internal control deficiencie Foundation for monitoring 7. Reporting results to shareholders in financial statement Not COSO monitoring phas 8. Identifying persuasive information about controls Design and execute 9. Following up on corrective action Assess and report 10. Implementing monitoring procedures Foundation for monitoring /Design and execute/ Assess and report/ Not a COSO /monitoring phase Design and execute 2. Select from the option list provided the word or phrase that correctly completes each sentence related to COSO internal control components below. Statement Missing Item 1. The _____ component is a set of standards, processes, and structures that pervasively affects internal control. Control Environment 2. The organization can demonstrate a commitment to integrity and ethical values by _____. Establishing standards of conduct 3. _____ considers how each risk should be managed. Risk response 4. Control activities _____ and help ensure compliance with Are applied at all levels of the entity .

management directives to mitigate risks. 5. An entity evaluates a mix of control activities, with _____ typically applied at lower levels. Transactional controls 6. An organization _____ information, including objectives and responsibilities, to support the functioning of internal control. internally communicates 7. The COSO internal control framework may be illustrated by a cube with rows, slices, and columns, described as follows: ___ 1) The rows are the five components, 2) the slices are the three objectives , 3) 4 columns are an entity’s organizational structure . COSO Control Components (7 Gradable Items) 1) Control environment is a set of standards, processes, and structures that pervasively affects the system of internal control.Communication and enforcement of integrity and ethical values influence the effectiveness of the other components of internal control. 2) Establishing standards of conduct . The organization demonstrates a commitment to integrity and ethical values by (a) communicating its attitude toward integrity and ethical values, (b) establishing standards of conduct, (c) evaluating performance based on the standards, and (d) correcting deviations in a timely and consistent manner. 3) Risk response. The risk response considers how each risk should be managed; whether to accept, avoid, reduce, or share the risk; and the design of controls. The risk tolerance is a factor considered in choosing the risk response. 4) Risk response. The risk response considers how each risk should be managed; whether to accept, avoid, reduce, or share the risk; and the design of controls. The risk tolerance is a factor considered in choosing the risk response. 5) Are applied at all levels of the entity . Control activities are policies and procedures to help ensure that management directives to mitigate risks are carried out. Whether automated or manual, they are (a) applied at all levels of the entity, (b) within various stages of business processes, and (c) over the technology environment. However, monitoring assesses the quality of internal control performance over time. 6) Transactional controls. Control activities are selected and developed for application at different levels of the organization. Transactional control activities are typically applied at lower levels. Business performance or analytical reviews are typically applied at higher levels. 7) Internally communicates. Internal communication of control information is necessary to the proper functioning of the control system; however, the organization does communicate with external parties about matters affecting internal control. Also, (a) relevant and timely information is communicated to shareholders, regulators, customers, etc.; (b) input from external sources provides relevant information; (c) external assessments are communicated to the board; and (d) legal requirements are considered. 8) The rows are the five components, the slices are the three objectives, and the columns are an entity’s organizational structure . The COSO model may be represented by a cube with rows, slices, and columns representing the five components, the three objectives, and the entity’s organizational structure, respectively. 3. Select from the option list provided the word or phrase that correctly completes each sentence related to the objectives of internal control below. Statement / Missing Item 1. Internal control objectives should be Specific, measurable or observable, attainable, relevant, and time based

revenue to cover an unanticipated decrease in market share. Adjusting entries are a common means of management override. 2) Collusion. The mailroom employee and the accounts receivable clerk agreed to circumvent the controls over cash receipts. The mailroom should (a) separate checks from remittance advices (documents that identify customers, invoice numbers, and amounts), (b) prepare the daily list of checks received, and (c) send the receipts and a copy of the list to the cash receipts function for deposit. The accounts receivable function should be sent only the remittance advices for posting. 3) Human error. Human judgment is faulty and controls may fail because of human error. For example, an error may occur in the design of, or a change in, a control (e.g., changing passwords too infrequently). The operation of a control also may be ineffective, e.g., when an individual does not understand or use an exception report. 4) Human error. The operation of a control may be ineffective because the persons implementing it may be distracted, careless, or fatigued. 5) Cost vs. benefit. An inherent limitation of internal control is the need to balance benefit and cost. Although the ability to provide only reasonable assurance is a primary design criterion for internal control, the precise measurement of costs and benefits is not feasible. However, costs should not exceed the benefits of control. Thus, the cost constraint limits internal control. For example, the retailer must judge whether the savings from eliminating bad checks exceeds the sales lost from limiting payment options. 6) Management override. The COO negotiated an undisclosed agreement outside the ordinary course of business with a related party. (The COO is a director of the other entity.) Furthermore, the COO overrode the relevant controls: (a) the terms and conditions of the standard sales contract and (b) disclosure of the related-party transaction. Monitoring. A principle of the monitoring component of internal control is that the organization evaluates and communicates control deficiencies in a timely manner. COSO- . According to COSO, a primary purpose of monitoring internal control is to verify that the internal control system remains adequate to address changes in Risks  Monitoring assesses the quality of internal control performance over time to ensure that controls continue to effectively manage existing risks. Control activities. A principle of the control activities component of internal control is that the organization selects and develops general control activities over technology to support the achievement of objectives. COSO- the policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives. Risk assessment . A principle of the risk assessment component of internal control is that the organization identifies and assesses changes that could significantly affect the system of internal control and adopts appropriate controls. Control environment . A principle of the control environment of internal control is that the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. information and communication. A principle of the information and communication component of internal control is that the organization internally communicates information necessary to support the functioning of internal control. This includes communicating objectives. SIM-2 9-27-2023 1. Aaron Corporation is a publicly-held company. Aaron's potential business objectives for the next year are identified below. Select from the option list provided to indicate the most appropriate type of objective for each potential business objective listed.

Potential business objective: Objective type 1) operations,2) reporting, and (3) compliance 1. Implement a workplace training program emphasizing workplace success, safety, and performance improvement in accordance with Aaron Corporation's mission statement. Operations objective. This objective relates to the entity’s mission statement and therefore is an operations objective. 2. Implement a whistleblower training program in accordance with the Occupational Safety and Health Act Compliance objective . This objective relates to compliance with a regulation and therefore is a compliance objective. 3. Release annual financial statements within 30 days after year end. Reporting objective. This objective relates to the entity’s preparation of financial reports and therefore is a reporting objective. 4. Ensure all audit committee members are independent. Compliance objective . As a publicly-held company, Aaron Corporation must comply with the Sarbanes- Oxley Act of 2002 (SOX). SOX requires that all members of an issuer’s (i.e., a publicly-held company) audit committee be independent. Thus, this objective is a compliance objective. 5. Divisional financial statements will be free of material misstatements. Reporting objective. This objective relates to the entity’s preparation of financial reports and therefore is a reporting objective. 6. Rank in the top 10% in product quality. Operations objective. This objective states a specific quality outcome and does not reference a quality standard or authority. It is an objective that is based on the entity’s preferences and judgments. Thus, this objective is an operations objective. 7. Ensure no new regulation is implemented that affects the business. Not a business objective . Regulation is beyond the scope of management and therefore not a business objective. 8. Reduce the supply costs by 5% by the end of the next y ear. Operations objective . This objective states a specific cost-savings outcome and does not refer to a standard or authority. It is an objective that is based on the entity’s preferences and judgments. Thus, it is an operations objective. 9. Implement an effective Environment Monitoring System (EMS) to prevent, detect, and manage areas of violation and recommend corrective action in accordance with requirements by the Environmental Protection Agency. Compliance objective . This objective relates to the entity’s adherence to environmental laws and therefore is a compliance objective. 10. Implement an employee monitoring program to detect unethical behavior and reduce employee theft to 0 Operations objective . This objective relates to protecting and preserving assets and therefore is an operations objective. 2. Select from the option list provided to indicate the component of internal control that relates to each scenario listed below. Each choice may be used once, more than once, or not at all. Scenario: Component of internal control = Control activities // Risk assessment // Information and communication // Monitoring// Control Environment 1. XYZ Corporation discovered that its managers lacked an understanding of the company's key objectives. To solve this problem, the board and senior management restated the key objectives in clear and concise terms and then attached the restated objectives to internally distributed financial statements. information and communication. A principle of the information and communication component of internal control is that the organization internally communicates information necessary to support the functioning of internal control. This includes communicating objectives. 2. During an internal audit of XYZ Corporation, the internal auditors Monitoring. A principle of the monitoring component of internal

request form. The CFO then signs the check and sends it to the Treasurer, who is responsible for mailing the signed check. recording, authorization, approval, and custody. 9. Quarterly, management evaluates whether the supervisors performing the review and approval of accounts payable are properly trained and knowledgeable and are performing in accordance with the process design. Monitoring . A principle of the monitoring component of internal control is that the organization selects, develops, and performs ongoing or separate evaluations to ascertain whether the components of internal control are present and functioning. In this scenario, management is performing ongoing evaluations of accounts payable supervisors, specifically, to ascertain whether a particular control activity is present and functioning. 10. In XYZ Corporation, the production, marketing, human resource, and IT departments are managed by the Chief Operating Officer (COO). The accounts payable, payroll, and credit departments are managed by the Chief Financial Officer (CFO). Each department head reports to the person who is responsible for the department (COO or CFO). The COO and CFO directly report to the (CEO). Control environment . A principle of the control environment of internal control is management establishes, with board oversight, structures, reporting lines, and authorities and responsibilities. 3. Select from the option list provided the phrase that correctly completes each statement related to COSO internal control objectives below. Statement VS Missing Item 1. The categories of objectives are _ ( 1)   operations, (2)   reporting, and (3)   compliance 2. Preventing loss through waste and inefficiency relates to broader objectives than t he safeguarding of assets. Objectives related to protecting and preserving assets are the basis for assessing risk and developing controls. 3. Reporting objectives relate to preparing financial and nonfinancial reports for intended users. Internal reporting objectives is influenced by the preferences of management. 4. Examples of compliance objectives include those related to _ applicable laws, rules & regulation Complying with environmental protection and taxation requirements . 5. External reporting that does not conform to an external authority is treated as external communication 4. Select from the option list provided the word or phrase that correctly completes each statement related to COSO internal control components below. Statement VS Missing Item 1. A system of internal control is effective if it provides reasonable assurance of achieving the entity's objectives. 2. The components of internal control and relevant principles are Present. when they exist in the design and implementation of the system of internal control. 3. Under PCAOB standards, external auditors must examine and report on internal control . 4. Internal auditors constitute a third line of defense for effective risk management and control. They evaluate the adequacy and effectiveness of controls and Cannot be responsible for selecting and executing controls 5. An organization's implementation of internal control may depend on its resources . A small entity may rely More on informal controls and outsourcing and have wider spans of control 1) Reasonable assurance. A system of internal control is effective if it provides reasonable assurance of achieving an entity’s objectives relating to operations, reporting, and compliance. Such a system reduces the risk(s) of not achieving those objectives to an acceptable level.

2) Present. An effective system of internal control requires that each of the five components of internal control and the relevant principles are present and functioning. Present refers to whether the components and relevant principles exist in the design and implementation of the system of internal control. Functioning refers to whether the components and relevant principles continue to exist in the operation of the system of internal control. 3) Examine and report on internal control. External auditors are required to consider the auditee’s system of internal control over financial reporting as part of their audit of the financial statements and to express an opinion on it. The PCAOB also requires auditors of public companies to examine and report on internal control. 4) Cannot be responsible for selecting and executing controls . Internal auditors provide the third line of defense for effective management of risk and control. They evaluate the adequacy and effectiveness of controls in responding to risks in the entity’s oversight, operations, and information systems. To remain independent, the internal audit activity cannot be responsible for selecting and executing controls. 5) More on informal controls and outsourcing and have wider spans of control . Senior management of smaller organizations typically has a wider span of control and therefore more direct interaction with personnel than senior management of larger organizations. Larger organizations may need to rely on more formal mechanisms of control (e.g., written reports, formal meetings, or conference calls). Larger organizations have more resources than smaller organizations. Consequently, a smaller organization may have to outsource all, or parts, of its internal audit function or incur higher costs relative to larger organizations because of the lack of economies of scale.