1. The COSO framework was originally formed in response to:
A. Globalization pressures
B. 1970s–1980s accounting scandals
C. Adoption of IFRS standards
D. Expansion of IT risks
7. Who chaired the National Commission on Fraudulent Financial Reporting, which later became known as the Treadway Commission?
A. James C. Treadway Jr.
B. Michael Oxley
C. Paul Volcker
D. Warren Buffett
13. Which of the following best describes the main finding of the Treadway Commission’s 1987 report?
A. Weaknesses in IT systems caused fraud
B. Lack of effective internal controls contributed to fraudulent reporting
C. Investors lacked sufficient education on markets
D. Stock exchanges failed to monitor trading properly
4. COSO’s Internal Control—Integrated Framework was first published in:
A. 1985
B. 1987
C. 1992
D. 2002
5. The COSO 1992 Framework was updated in 2013 mainly to:
A. Address globalization and emerging technologies
B. Comply with Basel II banking standards
C. Replace GAAP accounting principles
D. Respond to the Enron scandal directly
6. Which high-profile scandal most directly influenced the passage of SOX in 2002?
A. Facebook Data Breach
B. Enron and WorldCom collapses
C. Lehman Brothers Bankruptcy
D. Volkswagen emissions scandal
7. Under SOX, who must personally certify the accuracy of financial statements?
A. Chief Audit Executive
B. CEO and CFO
C. Board of Directors
D. External Auditor
8. Which SOX provision prohibits auditors from providing both auditing and lucrative consulting services to the same client?
A. Corporate Responsibility
B. Auditor Independence
C. Internal Control Reporting
D. PCAOB Oversight
9. The PCAOB created by SOX primarily:
A. Oversees audit quality of public companies
B. Trains internal auditors
C. Replaces the SEC
D. Creates IFRS standards
10. Modified True or False:
Statement 1: SOX requires annual reporting on internal controls by both management and external auditors.
Statement 2: SOX only applies to private companies.
A. Both statements are correct
B. Statement 1 is true; Statement 2 is false
C. Both statements are false
D. Statement 2 is true; Statement 1 is false
11. The “Top Face” of the COSO Cube represents:
A. Business Objectives
B. Organizational Levels
C. Internal Control Components
D. Risk Categories
12. Which of the following is NOT one of the three business objective categories in COSO?
A. Operations
B. Reporting
C. Compliance
D. Innovation
13. The “Right Face” of the COSO Cube illustrates:
A. The levels of the organization where controls apply
B. The risk assessment methodology
C. Specific laws and regulations
D. IT system structures
14. Which of the following BEST describes the “Front Face” of the COSO Cube?
A. Shows governance layers
B. Displays the CRIME components of internal control
C. Illustrates auditor responsibilities
D. Identifies PCAOB functions
15. Entity-level controls are typically concerned with:
A. Controls affecting the entire organization, like a code of conduct
B. Operational-level policies at one plant
C. Employee time-tracking systems
D. Supplier invoice processing
16. “Tone at the Top” refers to:
A. The management style of mid-level supervisors
B. Policies established by external auditors
C. Ethical culture and values demonstrated by senior leadership
D. External regulations imposed on the company
17. A company claims to value integrity, but its sales manager rewards aggressive selling that deceives customers. This reflects a weakness in:
A. Risk Assessment
B. Control Environment
C. Monitoring
D. Reporting
18. Modified T/F:
Statement 1: “Form over substance” means activities look correct on paper but are not actually effective.
Statement 2: Plug figures in reconciliations are an example of form over substance.
A. Both statements correct
B. Statement 1 false; Statement 2 true
C. Both statements false
D. Statement 1 true; Statement 2 false
19. Lewin’s equation (B = f(P, E)) implies that:
A. People’s behavior depends only on personal integrity
B. Environment can strongly influence otherwise ethical people
C. Fraud is solely a result of bad apples
D. Personality traits outweigh workplace culture
20. Which concept emphasizes that not only senior management but also supervisors influence employee ethics?
A. Auditor independence
B. Tone in the Middle
C. Risk Appetite
D. Monitoring Activities
21. A supervisor signs a purchase order without reviewing it, creating the illusion of control. This is:
A. Effective control activity
B. Example of tone at the top
C. Form over substance
D. Monitoring
22. Which of the following best illustrates a weak entity-level control?
A. Lack of whistleblower hotline
B. Automated approval workflow
C. Consistent code of conduct training
D. Independent board oversight
23. Modified T/F:
Statement 1: A code of ethics and a conflict of interest statement are part of a strong control environment.
Statement 2: Accountability is optional if policies exist.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false
24. An internal auditor finds that management often overrides controls for faster results.
This indicates:
A. Strong compliance environment
B. Weak entity-level controls
C. Effective monitoring
D. Appropriate risk appetite
25. Which of the following BEST reflects “bad barrels” in an organization?
A. A single rogue employee commits fraud
B. Weak overall culture incentivizes unethical behavior
C. Internal audit catches misreporting early
D. Policies prohibit override of system approvals
26. Risk assessment in COSO involves:
A. Only reviewing IT risks
B. Identifying and analyzing what could prevent the achievement of objectives
C. Monitoring operational productivity
D. Enforcing auditor independence
27. Which is NOT a main COSO objective category for risk assessment?
A. Operations
B. Reporting
C. Compliance
D. Strategic Alliances
28. A production manager uses cheaper parts to cut costs without consulting engineering.
The risks mainly affect:
A. Short-term profits only
B. Long-term operational and reputational objectives
C. Internal audit budget
D. Board independence
29. Which risk type relates to protecting company assets from theft or misuse?
A. Compliance risk
B. Operations risk
C. Reporting risk
D. Market risk
30. Modified T/F:
Statement 1: Compliance objectives may include service level agreements.
Statement 2: Reporting objectives only apply to external financial statements.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false
31. A company’s database is hacked due to weak access controls. This is an example of:
A. Availability risk
B. Data integrity risk
C. Access risk
D. System capacity risk
32. Employees cannot access payroll systems on payday due to server downtime. This is:
A. Availability risk
B. Compliance risk
C. Market risk
D. Infrastructure risk
33. Modified T/F:
Statement 1: System capacity risk refers to optimizing storage and computing ability.
Statement 2: Infrastructure risk refers to obsolete hardware/software.
A. Both correct
B. Statement 1 false; Statement 2 true
C. Both false
D. Statement 1 true; Statement 2 false
34. B2B and B2C data flows being compromised is an example of:
A. Commerce risk
B. Liquidity risk
C. Mobility risk
D. Market risk
35. Which IT risk occurs if access is too restricted and prevents employees from doing their jobs?
A. Access risk
B. Availability risk
C. Data integrity risk
D. Compliance risk
36. A company faces difficulty selling its assets quickly to meet cash obligations. This is:
A. Liquidity risk
B. Market risk
C. Commodity risk
D. Foreign currency risk
37. Sudden fluctuations in oil prices impact a manufacturing firm’s profits. This is:
A. Market risk
B. Commodity price risk
C. Liquidity risk
D. Resources risk
38. A company holding euros suffers loss due to unfavorable exchange rate changes. This is:
A. Market risk
B. Foreign currency risk
C. Liquidity risk
D. Compliance risk
39. Stock price drops reduce a company’s ability to raise new capital. This is:
A. Liquidity risk
B. Market risk
C. Compliance risk
D. Resource risk
40. Modified T/F:
Statement 1: Resource risk is about the availability and proper use of funds.
Statement 2: Market risk includes indices and rate changes.
A. Both correct
B. Statement 1 false; Statement 2 true
C. Both false
D. Statement 1 true; Statement 2 false
41. A company struggles to recruit skilled employees because of shifting age demographics. This is:
A. Demographics risk
B. Mobility risk
C. CSR risk
D. Privacy risk
42. Consumers demand stricter control of how their personal data is stored. This is:
A. CSR risk
B. Privacy risk
C. Mobility risk
D. Market risk
43. Modified T/F:
Statement 1: CSR obligations may divert resources from core activities.
Statement 2: Mobility risk refers to changing workforce/customer lifestyle preferences.
A. Both correct
B. Statement 1 false; Statement 2 true
C. Both false
D. Statement 1 true; Statement 2 false
44. Which social risk is illustrated if employees increasingly prefer remote work, challenging company operations?
A. CSR risk
B. Demographics risk
C. Privacy risk
D. Mobility risk
45. A company invests heavily in community projects instead of upgrading its plant. This is an example of:
A. CSR risk
B. Market risk
C. Demographics risk
D. Commodity risk
46. A firm has a strong code of conduct, but supervisors often pressure staff to meet quotas unethically. This reflects weakness in:
A. Tone in the middle
B. Control activities
C. Monitoring activities
D. External audit
47. An auditor finds that while reconciliations are signed, they contain unexplained “plug” numbers. This indicates:
A. Substance over form
B. Form over substance
C. Effective monitoring
D. Control activities working well
48. A company’s IT system crashes during peak season, halting operations. Which objectives are primarily at risk?
A. Reporting
B. Operations
C. Compliance
D. CSR
49. A CFO knowingly signs a false certification of financials under SOX. Possible consequence:
A. Minor fine only
B. Suspension from PCAOB
C. Criminal penalties including prison
D. Reprimand from internal audit
50. A company implements controls only at the division level but neglects entity-level controls. Which risk increases?
A. Market risk
B. Inconsistent culture and tone at the top
C. Demographics risk
D. Availability risk
51. Statement 1: PCAOB was created by SOX to oversee public company audits.
Statement 2: PCAOB replaced the SEC entirely.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false
52. Statement 1: The CRIME acronym represents COSO components.
Statement 2: Monitoring is NOT part of the CRIME acronym.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 1 false; Statement 2 true
53. Statement 1: Compliance objectives include following laws and contracts.
Statement 2: Reporting objectives are limited to SEC filings only.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false
54. Statement 1: “Bad apples” theory blames individuals for fraud.
Statement 2: “Bad barrels” theory blames weak environments.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 1 false; Statement 2 true
55. Statement 1: Auditor independence was strengthened under SOX.
Statement 2: Auditors can freely provide both audit and consulting services under SOX.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false
56. A bank experiences a shortage of buyers for its securities during a crisis. Which risk is most evident?
A. Liquidity risk
B. Compliance risk
C. CSR risk
D. Data risk
57. An employee with authorized access manipulates data unnoticed due to lack of monitoring. Which COSO component failed?
A. Control environment
B. Monitoring
C. Information and communication
D. Risk assessment
58. A company’s whistleblower hotline is poorly advertised, leading employees not to report fraud. Which area is weak?
A. Entity-level controls
B. Control activities
C. Reporting objectives
D. PCAOB oversight
59. A pharmaceutical company introduces new technology but fails to assess the risks of implementation. Which COSO component is lacking?
A. Control environment
B. Risk assessment
C. Monitoring activities
D. Control activities
60. Senior management ignores reports of compliance violations. Which is compromised most?
A. Tone at the top
B. IT governance
C. Market risk
D. System capacity
61. An international company suffers from foreign exchange losses and inaccurate external reporting. Which two COSO objectives are primarily at risk?
A. Operations and reporting
B. Reporting and compliance
C. Compliance and operations
D. Reporting and IT risks
62. A manager bypasses IT security protocols for convenience. This creates:
A. Access risk and control override
B. Commodity risk only
C. Market and liquidity risk
D. Ethical strengthening of controls
63. If management encourages substance but staff practices only form, the organization suffers from:
A. Weak monitoring
B. Form over substance
C. Strong compliance culture
D. Independence
64. An airline’s ticketing system collapses before holiday season. This mainly represents:
A. Availability risk affecting operations
B. CSR risk affecting compliance
C. Liquidity risk affecting market
D. Privacy risk affecting customers
65. A company signs contracts without reviewing regulatory compliance terms. This is a failure in:
A. Compliance objective assessment
B. Reporting objective
C. IT risk management
D. Auditor independence
66. Which situation BEST shows an alignment failure between company “walk” and “talk”?
A. Ethical policy exists but sales pressure forces unethical conduct
B. IT systems have capacity risk
C. Commodity price swings reduce profits
D. Demographic risk alters staff age profile
67. An investor loses trust due to late disclosure of off-balance-sheet obligations. Which SOX provision addresses this?
A. PCAOB oversight
B. Enhanced financial disclosures
C. Auditor independence
D. Internal audit function
68. An external auditor detects plugged reconciliation entries signed by management. Which issue is demonstrated?
A. Auditor independence violation
B. Form over substance
C. Proper monitoring
D. Effective entity-level controls
69. Which of the following is NOT one of COSO’s CRIME components?
A. Control Environment
B. Risk Assessment
C. Information & Communication
D. Strategic Planning
70. A middle manager ignoring corporate ethics undermines which concept?
A. Tone in the middle
B. Monitoring activities
C. Compliance objective
D. External audit
71. A company reports accurate financials but fails to comply with environmental laws. Which COSO objective fails?
A. Compliance
B. Reporting
C. Operations
D. IT
72. If a board is not independent of management, the weakness lies in:
A. Monitoring
B. Control environment
C. Risk assessment
D. Compliance
73. If a firm neglects IT infrastructure upgrades, which risk increases most?
A. Infrastructure risk
B. Market risk
C. Mobility risk
D. Privacy risk
74. Employees leaking personal customer data expose the company to:
A. Privacy risk
B. Liquidity risk
C. Operations risk
D. Commodity price risk
75. Modified T/F:
Statement 1: COSO’s purpose includes improving governance and preventing fraud.
Statement 2: COSO was developed solely for private companies.
A. Both correct
B. Statement 1 true; Statement 2 false
C. Both false
D. Statement 2 true; Statement 1 false