Question

1. Entity-level controls are__________ Select one: a. Are designed to supplement a key control that is either ineffective or cannot fully mitigate a risk or group of risks by itself. b. Are designed to mitigate risks that threaten processes, activities, tasks, and transactions. c. Are designed to reduce key risks associated with business objectives d. Are designed to directly mitigate risks that exist at the organization-wide level.

2. Which of the following statement regarding risks and controls associated with business process outsourcing is correct? Select one: a. Outsource vendor is responsible for reporting to management regarding documenting the outsourced process and monitoring the effectiveness of the process b. Risks associated with process outsourcing are concentrated in the transition phase so once past that phase management can rely on the outsource vendor for risk management and control c. Management and internal audit function is responsible to ensuring an adequate system of internal controls existed with the outsource vendor d. Business process outsourcing not only improves efficiency and quality but also transfers all process risks to the outsource vendor

Answer 1

1. Entity refers to the organization. Similarly the entity level control is the internal control which help ensure that the management directives associated with the particular whole entity is successfully carried out. Therefore the correct option is optuon (d) - are designed to directly mitigate risks that exist at the organization-wide level.

These entity level control includes - code of ethics, procedures concerned with risk management , HR hiring process controls, IT general control.

So here we can see it covers almost controls which are for the entire organization at different levels. So the correct option is controls designed to mitigate the risk existing at organization-wide level and not only for the business objectives or related to certain processes, activities , tasks and transactions.

The other options are incorrect as in option (b) and (c) they are mentioning to deal with the risks associated with the business objectives (option c) and mitigate risks associated with certain processes, activities, tasks and transactions (option b) but they also lack some basic internal controls which are made for the basic functionality of the organization like ethical conducts.

If we consider option (a) , it is also incorrect as these are not supplement key controls but consists of internal controls which are alone sufficient to look after the entire entity , its functioning, its risks associated with its other processes at second level of top - down approach which is covering the whole organization.

Therefore the correct option is (d).