Questions And Correct Answers
(Verified Answers) Plus Rationales 2026
Q&A | Instant Download Pdf
QUESTION 1
An organization is designing a new accounts payable system. Which of the
following best exemplifies a preventive control?
A. Reconciling vendor statements to the accounts payable ledger on a monthly
basis
B. Requiring that all purchase orders over $5,000 receive dual approval before
transmission to the vendor
C. Running a weekly report of all payments made to a single vendor and reviewing
for unusual patterns
D. Performing a surprise audit of the receiving department's count of high-value
inventory items
Answer: B
Rationale: Preventive controls are designed to deter or prevent undesirable
events before they occur. Dual approval on high-value purchase orders stops
unauthorized or erroneous commitments from being made in the first place.
Choices A, C, and D are detective controls because they identify errors or
irregularities after the fact.
QUESTION 2
In the COSO Internal Control—Integrated Framework, which component is
considered the foundation upon which all other components are built?
A. Risk Assessment
B. Control Activities
,C. Control Environment
D. Information and Communication
Answer: C
Rationale: The control environment sets the tone of an organization, influencing
the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Without a
strong control environment, risk assessment, control activities,
information/communication, and monitoring are unlikely to be effective.
QUESTION 3
Which of the following is a key principle associated with the Control Environment
component of COSO?
A. The organization demonstrates a commitment to attract, develop, and retain
competent individuals in alignment with objectives
B. The organization identifies and analyzes risks to the achievement of its
objectives
C. The organization selects and develops control activities that contribute to the
mitigation of risks
D. The organization uses relevant information to support the functioning of
internal control
Answer: A
Rationale: Principle 3 under the Control Environment component specifically
addresses the organization's commitment to competent personnel. Options B, C,
and D relate to Risk Assessment, Control Activities, and Information &
Communication, respectively.
QUESTION 4
An internal auditor is evaluating the design of controls over cash receipts. Which
of the following would be considered a weakness in segregation of duties?
A. The mail clerk opens the mail and prepares a list of checks received, which is
then sent to the cashier
B. The cashier deposits the checks and records the receipts in the general ledger
C. The accounts receivable clerk reconciles the bank statement and writes off
,uncollectible accounts
D. The controller reviews the monthly bank reconciliation prepared by the
accounting manager
Answer: C
Rationale: Segregation of duties requires that authorization, custody, recording,
and reconciliation be separated. The accounts receivable clerk should not both
reconcile the bank statement (a reconciliation function) and write off
uncollectible accounts (an authorization/recording function). This creates a
fraud opportunity (e.g., writing off a relative's account and concealing it in the
reconciliation). Choices A and B show proper segregation; D is a supervisory
review, which is a compensating control.
QUESTION 5
What is the primary purpose of a walkthrough in the context of internal controls
testing?
A. To confirm the mathematical accuracy of transaction processing
B. To observe the physical safeguards over assets such as inventory and cash
C. To trace a single transaction from initiation through the entire processing cycle
to understand the process and identify control points
D. To test a large sample of transactions for compliance with authorization policies
Answer: C
Rationale: A walkthrough involves selecting one or a few transactions and
following them step-by-step through the entire process, from origination to final
recording. It is used to confirm the auditor's understanding of the process and to
verify that controls are actually in place as described. Options A, B, and D
describe other audit procedures (recalculation, observation, and substantive
testing/sampling).
QUESTION 6
Which of the following risks arises from the possibility that a control itself may fail
or be overridden?
A. Inherent risk
B. Detection risk
, C. Control risk
D. Residual risk
Answer: C
Rationale: Control risk is the risk that a misstatement that could occur in an
assertion and that could be material, individually or in combination with other
misstatements, will not be prevented, or detected and corrected, on a timely
basis by the entity's internal control. It is directly related to the effectiveness of
internal controls. Inherent risk is the susceptibility to misstatement without
considering controls; detection risk is the risk that audit procedures will not
detect a misstatement; residual risk is the risk remaining after management's
response.
QUESTION 7
An effective monitoring activity for internal controls could include:
A. Periodic reconciliation of subsidiary ledgers to the general ledger
B. A mandatory annual ethics training for all employees
C. A hotline for reporting suspected fraud, with regular review of complaints by
the audit committee
D. Implementing a new enterprise resource planning (ERP) system
Answer: C
Rationale: Monitoring activities assess the quality of internal control
performance over time. A fraud hotline with audit committee review is a
monitoring control because it provides a mechanism for ongoing assessment
and detection of control breakdowns. Choices A and B are control activities
(reconciliations and training, respectively). Choice D is an IT implementation
project, not a monitoring activity.
QUESTION 8
According to the COSO framework, which of the following is a principle of the Risk
Assessment component?
A. The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
B. The organization selects and develops general control activities over technology