Internal Controls Toolkit

Internal ControlsToolkit

#7800EXAM MATERIAL

7800 Final Exam • 1

INTERNAL CONTROLS TOOLKIT (COURSE #7800)

COURSE DESCRIPTION

Internal controls are necessary in order to provide reliable, timely, and useful data needed to support operating, budgeting, and policy decisions. This course takes a “toolkit” approach to address a practical need for a series of standards of internal controls that can be used to mitigate risk within any size organization. It contains detailed controls and risks outlined for key business processes as well as material to improve internal control efforts. It also provides guidance for M&A projects and SOX 404 initiatives. No prerequisites. Course level: Basic. Course #7800 – 12 CPE hours.

LEARNING ASSIGNMENTS AND OBJECTIVES

As a result of studying each assignment, you should be able to meet the objectives listed below each individual assignment.

ASSIGNMENT 1: SUBJECTIntroduction to the Internal Controls ToolkitBackground on Internal ControlsThe Order to Cash (O2C) Process

Study the course materials from pages 1 to 88Complete the review questions at the end of each chapterAnswer the exam questions 1 to 11

Objectives:

• To identify corporate controls to mitigate risk• To recognize that internal control systems have limitations• To identify the sub-processes of the O2C process

2 • 7800 Final Exam

ASSIGNMENT 2: SUBJECTTreasury ProcessProcure to Pay (P2P) ProcessHire to Retire (H2R) Process


Objectives:

• To identify the foundational elements of the Treasury process• To identify the risks that are mitigated by using supplier portals• To recognize the role that HR and payroll play in internal control processes

ASSIGNMENT 3: SUBJECTThe Supply Chain ProcessRecord to Report (R2R)Government ContractsRecords and Information Management


Objectives:

• To identify the foundational elements of the supply chain process• To identify the foundational elements of the R2R process• To recognize the importance of compliance in government contracting• To recognize the importance of implementing internal controls associated with GRRRC

ASSIGNMENT 4: SUBJECTComputer, Telecommunications, and Systems ControlsProtection of Assets: Human, Physical, and IntellectualThe Insurance Process


Objectives:

• To recognize the importance of internal controls with IT policies and procedures• To identify key assets• To identify which types of insurance are necessary


ASSIGNMENT 5: SUBJECTEnvironmental, Health, and Safety (EH&S)Customer ServicesProfessional Services (PS)Entity-Level Controls


Objectives:

• To identify the role of internal controls on EH&S regulations• To recognize the importance of customer input• To recognize the role of PS metrics• To recognize the role of entity-level controls

ASSIGNMENT 6:• Complete the Answer Sheet and Course Evaluation and submit to PES

NOTICE

This course and test have been adapted from supplemental materials and uses the materials entitled Internal Controls Toolkit © 2019 by Christine H. Doxey. Displayed by permission of the publisher, John Wiley & Sons, Inc., Hoboken, New Jersey. All rights reserved.

Use of these materials or services provided by Professional Education Services, LP (“PES”) is governed by the Terms and Conditions on PES’ website (www.mypescpe.com). PES provides this course with the understanding that it is not providing any accounting, legal, or other professional advice and assumes no liability whatsoever in connection with its use. PES has used diligent efforts to provide quality information and material to its customers, but does not warrant or guarantee the accuracy, timeliness, completeness, or currency of the information contained herein. Ultimately, the responsibility to comply with applicable legal requirements falls solely on the individual licensee, not PES. PES encourages you to contact your state Board or licensing agency for the latest information and to confirm or clarify any questions or concerns you have regarding your duties or obligations as a licensed professional.

© Professional Education Services, LP 2019

Program Publication Date 12/13/2019

THIS PAGE INTENTIONALLY LEFT BLANK.


INTERNAL CONTROLS TOOLKIT (COURSE #7800)

EXAM INFORMATION

COURSE EXPIRATION DATE: Per AICPA and NASBA standards, this course must be completed within ONE YEAR from the date of purchase.

TEST FORMAT: The following final exam, consisting of 60 multiple choice questions, is based specifically on the material included in this course. The answer sheet must be completed and returned to PES for CPE certification. You will find the answer sheet at the back of this exam packet so that you may easily remove it and use it while taking your test.

LICENSE RENEWAL INFORMATION: The Internal Controls Toolkit course (#7800) qualifies for 12 CPE hours.

PROCESSING: You must score 70% or better to pass. If you mail or fax your exam, when you pass, your Certificate of Completion will be mailed. If you do not pass, we will give you a courtesy call to inform you of this. When completing your exam online, grading is instantaneous. Upon achieving a passing score, the completion certificate is immediately available in your account under “My Completed CPE.” Please note: failed exams may be retaken. Per NASBA and AICPA guidelines, missed questions cannot be indicated until after you pass.

GRADING OPTIONS – Please choose only ONE of the following:

GRADING OPTIONS: Please choose only ONE of the following. If mailing or faxing, make sure to fill out your Answer Sheet completely prior to submitting it.

• ONLINE GRADING –Visit our website at http://www.mypescpe.com. Login to your account (if you are a first-time user, you must set up a new user account). Click on the course title of the exam you wish to take. Once all answers have been selected, click the “Submit/Grade Answers” button at the bottom of the page for instant grading and certification. If you do not see the exam listed, click on “My CPE in Progress.” Click on the “Add Exam to Account” button and follow the instructions.

• MAIL – Your exam will be graded and your certificate of completion mailed to you within one business day. Your certificate will be dated according to the postmark date. Please mail your Answer Sheet to:

Professional Education Services, LP4208 Douglas Blvd., Ste 50

Granite Bay, CA 95746

• FAX – Your exam will be graded and you will be contacted either via phone or fax with your results within 4 business hours of receipt. A copy of your graded exam and certificate of completion will be mailed to you. Your certificate will be dated according to the fax date. If you choose to fax your exam, please do not mail it. Your fax will serve as the original. Please refer to the attached answer sheet for further instructions on fax grading. Fax number (916) 791-4099.

THANK YOU FOR USING PROFESSIONAL EDUCATION SERVICES.


INTERNAL CONTROLS TOOLKIT (COURSE #7800) – FINAL EXAM

The following questions are multiple choice. Please indicate your choice on the enclosed Answer Sheet.

1. All of the following are critical corporate controls to properly mitigate risk except:

A. system accessB. segregation of dutiesC. internal redundanciesD. delegation of authority

2. Which of the following is generally true regarding risk-based controls:

A. risk-based controls help to mitigate against the risks that exist in every phase and stage of a business process

B. generally only very large companies benefit from risk-based controls

C. risk-based controls should focus only on the audit process

D. risk-based controls should be focused on transactions rather than the end-to-end process

3. Which of the following internal controls is one of the most difficult to accomplish, often due to limited headcount, broadly defined responsibilities, and constantly changing responsibilities:

A. segregation of duties controlB. corporate authorization controlC. system access controlD. delegation of authority control

4. Which of the following generally applies to U.S. corporations and prohibits any payment, offer of payment, or promise of giving anything of value to a foreign official in an attempt to obtain business:

A. the Securities Exchange Act of 1934B. the Foreign Corrupt Practices Act of 1977C. the Comprehensive Crime Control Act of

1984D. the U.S. Sarbanes-Oxley Act of 2002

5. Which of the following components of the COSO internal control framework specifies relevant objectives and identifies and analyzes significant change:

A. control environmentB. risk assessmentC. control activitiesD. monitoring activities

6. Which of the following control measures, when applied to the risk management objective of completeness, is an example of a preventive control:

A. audit trailsB. cross-totalsC. record countsD. application change control

7. Which of the following metrics is a calculation of a company’s ability to retrieve its accounts receivable from customers by measuring the amount collected during a time period to the amount of receivables in the same time period:

A. days sales outstandingB. countback days sales outstanding calculationC. collection effectiveness indexD. delinquent days sales outstanding

8. Which of the following is correct regarding export controls:

A. the Department of Commerce has sole authority to issue export licenses

B. there are five major lists of export-controlled items

C. the U.S. government can promote regional stability and comply with international commitments through its use of export controls

D. all of the above


9. Inaction is a risk that may adversely impact U.S. national security and foreign policy if which of the following safeguards is not implemented:

A. order entry/edit controlsB. export controlsC. sales contracts controlsD. credit controls

10. Which of the following establishes the specific steps for revenue recognition:

A. IFRS 4B. IFRS 9C. IFRS 15D. IAS 17

11. Which of the following is not a standard of internal control for effective collection procedures:

A. establishing and enforcing a procedure to settle employee accounts prior to termination

B. investigating customer correspondence in a timely manner

C. adequately documenting and approving customer account write-offs

D. adequately documenting collection efforts in the customer credit files

12. Which of the following Treasury process metrics is found by applying the formula (actual cash balance – forecasted cash balance) / forecasted cash balance:

A. accuracy of cash forecastsB. percentage of daily cash balances vs.

forecastC. accuracy of forecasted investment incomeD. accuracy of forecasted interest expense

13. Which of the following is not a sub-process function of the Treasury process:

A. foreign exchangeB. investment of available fundsC. financing operationsD. sales contracts

14. Which of the following is defined as the purchase and/or sale of foreign currency to satisfy payment obligations due in the next one to three business days:

A. hedging transactionsB. spot transactionsC. conversion transactionsD. capital transactions

15. All of the following are risks mitigated through the usage of supplier portals except:

A. the risk of an employee intending to act as a supplier

B. the risk of fines and incorrect tax information which may result in penalties

C. the risk of fraud and builds in Segregation of Duties (SoD) controls

D. the risk of paying an invalid supplier

16. Automated three-way matching provides an immediate match of which of the following when using related accounts payable automation:

A. the purchase order, the shipping manifest, and the receipt

B. the invoice, the purchase order, and the shipping manifest

C. the invoice, the purchase order, and the discount schedule

D. the invoice, the purchase order, and the receipt


17. In general, which of the following is true regarding customs authorities:

A. customs border patrol (CBP) has the sole responsibility for maximizing compliance with laws and regulations

B. customs authorities have very limited enforcement power

C. the primary role of a customs authority is border enforcement rather than trade facilitation

D. all of the above

18. Which of the following, originally targeted for low-level transactions as supplies, provides a means for streamlining the procure-to-pay process, allowing organizations to procure goods and services in a timely manner, reduce transaction costs, and more:

A. the use of corporate debit cardsB. the use of corporate credit cardsC. the use of procurement cards (P-cards)D. the use of e-checks

19. Which of the following establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity:

A. the HIPAA Security RuleB. the NIST ToolkitC. the Sarbanes-Oxley RuleD. the Privacy in Health Act

20. All of the following are steps to be taken by an employee’s supervisor and Human Resources upon notice of the employee’s termination or resignation except:

A. conducting an exit interview only in cases of employee termination

B. notifying third-party vendors to eliminate any authority that the departing employee may have had to conduct company business

C. verifying all company property has been returned

D. verifying that all company credit cards have been returned and are destroyed

21. Human Resources must establish and maintain policies and guidelines for the hiring and tenure of which of the following:

A. individual workersB. consultantsC. third-party service providersD. all of the above

22. Which of the following supply chain process metrics is the most common key performance indicator used by managers in measuring supply chain efficiency:

A. inventory velocityB. inventory turnover ratioC. days of supplyD. inventory turnover

23. Which of the following is not a sub-process of the supply chain process:

A. inventory controlB. intercompany transactionsC. product cost managementD. planning and control

24. Which of the following is correct regarding inventory verification:

A. inventory verification must be accomplished through the use of statistical sampling

B. an annual physical inventory is required even if perpetual inventory records are verified through cycle counting

C. corrective actions should be taken to eliminate the root causes of inventory discrepancies

D. all of the above


25. Which of the following is correct regarding the differences between IFRS and U.S. GAAP as it relates to the R2R process:

A. IFRS favors a risks-and-rewards model for consolidation while U.S. GAAP favors a control model

B. IFRS does not segregate extraordinary items in the income statement, whereas under U.S. GAAP they are shown below the net income

C. under IFRS, the earnings-per-share calculation averages the individual interim period incremental shares while under U.S. GAAP the calculation does not average the individual interim period calculations

D. development costs are considered “expenses” under IFRS while U.S. GAAP allows development costs to be capitalized if certain criteria are met

26. For intercompany transactions, reconciling items and items in dispute must be resolved within which of the following time periods:

A. within 10 daysB. within 30 daysC. within 60 daysD. within 90 days

27. Which of the following standards of internal control for the final mile of the R2R process, if not implemented and followed, may result in the SEC and other governmental reporting requirements and/or loan restrictions potentially being violated:

A. documenting and maintaining current definitions for all ledger accounts

B. keeping current the lists of general ledger account owners

C. safeguarding access to accounting and finance records, documents, and information systems

D. defining and reporting related-party transactions

28. Which of the following is correct regarding fixed assets:

A. business revenue is generally derived from the sale of fixed assets

B. fixed assets is specifically limited to land and/or buildings used in a business

C. an item must generally have an estimated useful life of at least five years to be classified as a fixed asset

D. fixed assets have little to no risk of loss, theft, or unauthorized transfer

29. According to internal control 8.1.2, Business Conduct, each operating unit and subsidiary must be able to demonstrate that employees having responsibilities related to government contracting have complied with which of the following:

A. where appropriate, have signed a certification

B. have read and understood applicable code of conduct guides pertaining to government contracting

C. have participated in all training required by law, regulation, or contractual obligation

D. all of the above

30. Which of the following must be established between all operating units or subsidiaries having intercompany transfers related to U.S. government contracts:

A. Memorandums of UnderstandingB. Interdivisional Work OrdersC. Intercompany Transfer OrdersD. Lateral Work Orders


31. Which of the following is correct regarding the General Data Protection Regulation (GDPR):

A. the GDPR was created as part of the Tax Creation and Jobs Act of 2017

B. the GDPR applies to all companies processing and holding the personal data of data subjects residing in the EU

C. the GDPR only applies to companies located in Europe

D. the GDPR applies to American companies located in the United States handling the personal data of American citizens

32. The author identifies all of the following as potential risks associated with not implementing the internal control standards associated with 9.1.2, Responsibilities of the Global Records Retention Review Committee (GRRRC) except:

A. the company’s competitive position or reputation could be adversely affected

B. noncompliance with government regulation may result in substantial fines, penalties, and/or loss of business

C. the company could be held responsible for negligence, errors, or omissions resulting in financial loss to its shareholders

D. legal restrictions and covenants may be violated

33. How often should each operating unit perform compliance reviews as part of an effective internal record-keeping control:

A. weeklyB. monthlyC. quarterlyD. annually

34. All of the following are correct regarding establishing internal controls that are part of IT policies and procedures except:

A. only large organizations will benefit from establishing internal controls that are part of IT policies and procedures

B. internal controls that are established as part of the planning process help IT departments meet the organization’s technology needs more effectively

C. internal controls help create a controlled IT environment that is compliant with corporate policies and regulatory requirements

D. IT policies and procedures help executive managers know the role IT plays within the organization

35. Organizations providing which of the following services will generally have to provide an SOC 1 Type II Report:

A. medical claims processingB. loan servicingC. payroll processorsD. all of the above

36. Which of the following terms applies to an individual with approved management responsibility for a physical computer or telecommunications system:

A. system ownerB. ownerC. application ownerD. user

37. Which of the following is a responsibility of an application owner:

A. provide a physical environment with safeguards against unauthorized removal of data

B. ensure procedures exist to comply with agreements for use of licensed software

C. assign security classificationsD. arrange for the approved system banner to

be displayed as part of the logon process


38. Which of the following is the responsibility of a user:

A. ensure all software installed on company computers/devices is properly licensed

B. arrange for the backup and retention of critical application data files and programs in secure third party locations where normal processing occurs

C. ensure compliance with all local statutory requirements

D. acknowledge acceptance of additions or changes to applications

39. Which of the following control techniques must be employed according to 10.2.1:

A. physical access to computer and network hardware should be restricted to management

B. terminated or transferred employees must turn in all keys/keycards used to limit access to restricted computing areas within one week of the termination or transfer

C. all entrances/exits to restricted computing and telecommunications areas must be physically secured

D. access lists to restricted computing and telecommunications areas must be reviewed on at least a quarterly basis

40. Which of the following is considered by the author to be one of the most important internal controls an organization of any size should establish:

A. version controlB. security framework controlC. access controlD. IT control

41. Which of the following is correct regarding password controls:

A. passwords must be a minimum of 10 characters in length

B. a password must be changed every 30 days for general users

C. password controls apply only to external applications that contain publicly available information

D. after three unsuccessful password attempts, the user ID must be deactivated until reactivated by the security administrator or established automated processes

42. Which of the following allows organizations to plan, schedule, implement, and track modifications to corporate activities:

A. promotion/migration managementB. change managementC. release managementD. workflow management

43. Which of the following is correct regarding file retention in accordance with regulatory or statutory requirements:

A. history files should be kept on a secure server at the processing site

B. data files must be retained to comply with regulatory or statutory requirements of taxing authorities or government contracting agencies

C. owners/service providers are responsible for identifying data files that must be retained to comply with regulatory or statutory requirements

D. all of the above

44. Which of the following describes an application that a company must have to support major revenue activities, movement of goods to customers, or a strategic manufacturing process:

A. mission critical applicationsB. critical business applicationsC. infrastructure applicationsD. going concern applications


45. All of the following are correct regarding Trading Partner Agreements (TPAs) except:

A. a TPA applies only to the substance of the message transmitted

B. the TPA is an agreed code of conduct between parties involved in electronic commerce

C. the TPA deals with questions of security, verification, and authentication of communicating parties

D. the purpose of a TPA is to provide a set of rules that set out minimum standards with which parties trading electronically will comply

46. Which of the following is correct regarding IT vulnerability and threat management:

A. IT departments should update software on a weekly basis

B. software and hardware applications should undergo an ethical attack after production is completed

C. companies should follow change management protocols

D. organizations should consider conducting an ethical attack at least three times per year to verify system vulnerabilities

47. Which of the following is correct regarding firewalls and Intrusion Detection Systems (IDSs):

A. all firewall and IDS alarms should be logged and archived weekly

B. firewalls should be set up with a default “accept-all” configuration

C. all external Internet protocol connections must take place through an IDS

D. firewall and IDS configuration changes must follow the change management process

48. Which of the following is correct regarding property control procedures:

A. management is responsible for establishing property control policies and procedures

B. an audit process to verify the effectiveness of controls should be established

C. management is responsible for creating paper or electronic documentation that tracks non-company assets that are brought on premises to ensure accountability for the asset when it is removed from the premises

D. all of the above

49. Which of the following is correct regarding identification badge internal control standards:

A. identification badges must only include the name of the employee, their picture, and their security clearance level

B. there should only be two groups of identification badges used for access control

C. permanent photo identification badges should only be used by management

D. both A and B are correct

50. Which of the following types of insurance is an organization’s corporate risk management department not responsible for purchasing:

A. vehicle insuranceB. product liability insuranceC. workers’ compensation insuranceD. property insurance

51. Which of the following is correct regarding environmental, health, and safety (EH&S) regulations and internal controls:

A. organizations based in the United States are subject to EH&S regulations in the Internal Revenue Code

B. EH&S management is limited to legal compliance

C. regulatory requirements play an important role in EH&S discipline

D. all of the above


52. Which of the following customer service metrics is a commonly used key performance indicator to track customer feelings about an organization’s products and/or services:

A. customer churnB. customer attritionC. customer effort scoreD. customer satisfaction rating

53. Each customer service policy expires after which of the following periods of time:

A. six months after its last approvalB. one year after its last approvalC. two years after its last approvalD. five years after its last approval

54. A company must provide its customers with no less than _______________ advanced notice of intent to discontinue standard maintenance services as a result of changing business demands.

A. one monthB. three monthsC. six monthsD. one year

55. Which of the following professional services (PS) metrics is a major indicator of opportunity and workload balance and is a metric to determine expansion of the workforce:

A. employee satisfaction ratingB. billable utilizationC. employee attrition/retentionD. number of employees per project

56. All PS employees in a worldwide or field practice are required to record their effort on a ___________ basis unless prohibited by local law.

A. dailyB. weeklyC. monthlyD. quarterly

57. Which of the following is correct regarding change control management:

A. only changes that result in an increase of effort, cost, or price of the end solution must be reported at their full gross price

B. a contract amendment is only required if a requested change results in a change in payment terms

C. the company and the customer shall each designate a single point of contact to manage the change process

D. only changes that in the scope of customer projects initiated by the company must be recorded in a change control log

58. Which of the following is correct regarding corporate compliance:

A. effective corporate compliance covers both internal policies and rules and federal and state laws

B. corporate compliance lays out expectations for employee behavior

C. corporate compliance is the process of making sure that a company and its employees follow the laws, regulations, standards, and ethical processes that apply to the organization

D. all of the above


59. Health care organizations are impacted by the specific regulatory requirements of which of the following:

A. System of Award Management Security (SAM)

B. Office of the Inspector General (OIG)C. U.S. Patriot Act and Consumer Identification

Program (CIP)D. Standards for Attestation Engagements

(SSAE-16)

60. Which of the following is the audit committee responsible for:

A. regulatory complianceB. the oversight of financial reportingC. the oversight of any external auditorsD. all of the above

Congratulations –

you’ve completed the exam!


INTERNAL CONTROLS TOOLKIT #7800 (12 CPE HOURS) ANSWER SHEET (12/19)

IMPORTANT NOTE: For certification, this answer sheet must be completed and submitted to PES for grading within ONE YEAR from the date of purchase. Please use BLACK INK and PRINT for quicker processing – thank you.

Full Name (as it appears on your license) _______________________________________________________________________________

Address (□ Home □ Work ) ___________________________________________________________________________________

City _____________________________________________________ State ______________________________ Zip __________

Daytime Phone ( ) _______________________________________ E-mail ___________________________________________

License Number ______________________ State _______ Exp Date: ____/____ Are you a: □ CPA □ CFP □ EA (check all that apply)

PTIN Number (if applicable) ______________________________________________________________________________________

If course was ordered by another party, please indicate their name here: _____________________________________________

GRADING OPTIONS – Please choose only ONE of the following:ONLINE GRADING – Visit our website at www.mypescpe.com. Login to your account (if you are a first-time user, you must set up a new user account). Click on the course title of the exam you wish to take. If you do not see the exam listed, click on “My CPE in Progress,” then click on the “Add Exam to Account” button and follow the instructions.

Mail – Mail your exam to: PES, 4208 Douglas Blvd., Ste 50, Granite Bay, CA 95746

Fax – Fax your exam to (916) 791-4099 and choose one of the following options: □ Mail my results □ Fax my results (_____)__________________ □ Phone my results (_____)__________________

PLEASE INDICATE YOUR ANSWER BY FILLING IN THE APPROPRIATE CIRCLE

Please complete the attached course evaluation - your opinion is extremely valuable!


INTERNAL CONTROLS TOOLKIT #7800 - COURSE EVALUATION

Rate on a scale of 1-10 with 1 being poor and 10 being excellent.

1. The course met the course objectives described in the promotional material. ______

2. The course was up to date, held my interest, was timely, and effective. ______

3. The course materials were understandable, valuable, and suitable for a correspondence course. ______

4. The amount of advance knowledge and stated prerequisites were appropriate. ______

5. The completion time was appropriate for the number of credits allowed. ______

6. The course met my professional education needs. ______

Please answer the following questions – mark/rate any and all that may apply

1. How would you rate PES’s order desk ______ customer service ______

2. What can PES do to keep you as a valued customer? __________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

3. Any other comments regarding this course or our company would be appreciated. ____________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

4. What other courses/subjects would you like to see PES offer in the future? __________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

_____________________________________________________________________________

PLEASE MAIL YOUR EVALUATION TO: Professional Education Services, LP

4208 Douglas Blvd., Ste 50 • Granite Bay, CA 95746

Internal Controls Toolkit

Documents

Transcript of Internal Controls Toolkit