Which controls proactively reduce likelihood of risks materializing?
A. Detective controls
B. Preventive controls
C. Both
D. None
B. Preventive controls
What does MAR stand for?
A. Model Auditor's Rules
B. Modeled Audit Rules
C. Model Audit Rule
D. Mario Andretti's Rules
C. Model Audit Rule
Which of the following is typically considered a fraud red flag?
A. Unexplained lifestyle improvements inconsistent with known income
B. Regular approval of overtime work in finance
C. High staff turnover in the IT department
D. Unreconciled bank accounts with known audit issues
A. Unexplained lifestyle improvements inconsistent with known income
What are the key reasons organizations need internal controls?
A. Risk Mitigation and Fraud Prevention
B. Compliance and Regulatory Requirements
C. Reliable Financial Reporting
D. All of the above
D. All of the above
Which of the below are objectives of the Model Audit Rule (MAR)?
A. Ensure Reinsurers have effective internal controls over financial reporting, which reduces the risk of inaccurate statutory financial statements.
B. Allow state regulators (such as the Florida Office of Insurance Regulation, FLOIR) to rely on Reinsurers’ internal control testing during examinations, making oversight more efficient.
C. Strengthen auditor independence and formalize audit committee responsibilities, increasing management’s accountability for financial integrity.
D. All of the above.
D. All of the above.
Based on the information provided below, which control would best mitigate the risk of data loss resulting from a phishing attack?
A. A disaster recovery exercise is completed annually to test restoration of systems after major disruptions.
B. A Data Loss Protection tool is used to automatically identify and block unauthorized access to data considered Sensitive by the Group Data Protection Policy.
C. Phishing tests are conducted by the VP of IT at least monthly and deployed to all employees.
D. None of these controls mitigate the risk.
B. A Data Loss Protection tool is used to automatically identify and block unauthorized access to data considered Sensitive by the Group Data Protection Policy.
What best describes the purpose of a corrective control?
A. To stop errors or fraud before they happen.
B. To identify errors or irregularities after they have occurred.
C. To fix problems identified by detective controls and prevent re-occurrence.
D. To guide or direct behavior to achieve objectives.
C. To fix problems identified by detective controls and prevent re-occurrence.
As part of the 2024 Model Audit Rule Compliance Testing, how many key controls were tested by the Internal Audit function?
A. 249
B. 86
C. 159
D. 203
A. 249
According to the FBI's 2024 Annual Internet Crime Report (based on 900k complaints of suspected internet crime), how much in losses was reported?
A. Over $16 billion
B. Over $30 billion
C. Over $22 billion
D. Over $10 billion
A. Over $16 billion
Which best describes the difference between a control activity and a process description?
A. I don’t know. I am only here because the session on dividends was full.
B. There is no difference. These terms are used interchangeably.
C. A control activity is a factual, step-by-step account of a business operation while a process description is a specific action within a process designed to manage a risk and ensure objectives are met.
D. A process description is a factual, step-by-step account of a business operation while a control activity is a specific action within a process designed to manage a risk and ensure objectives are met.
D. A process description is a factual, step-by-step account of a business operation while a control activity is a specific action within a process designed to manage a risk and ensure objectives are met.
Which of the following is not a requirement of the Model Audit Rule (MAR) for a Florida-based Reinsurance company?
A. Reinsurance companies must maintain a system of internal control over financial reporting (ICFR) for Statutory Reporting.
B. Submission of an annual internal control report, filed by the management of the Reinsurer, asserting the responsibility of management for establishing and maintaining adequate internal control over financial reporting and disclosing any material weaknesses in internal control.
C. Submission of an annual financial statement audited by an independent CPA and the organization’s Internal Audit function.
D. Submission of an annual financial statement audited by an independent CPA.
C. Submission of an annual financial statement audited by an independent CPA and the organization’s Internal Audit function.
Which control activity is the weakest for mitigating the risk of management override in the Journal Entry (JE) process?
A. A quarterly review of user access rights is performed to confirm that no user holds conflicting roles (e.g., creator and approver). Exceptions are documented and remediated.
B. JEs exceeding predefined thresholds (e.g., $100,000 or outside normal business hours) require multi-level manual approval before posting. Approvers review supporting documentation and confirm compliance with policy.
C. The G/L automatically enforces strict role-based entries by eliminating the possibility of a single user performing conflicting roles.
A. A quarterly review of user access rights is performed to confirm that no user holds conflicting roles (e.g., creator and approver). Exceptions are documented and remediated.