Rev. 1.1
Introduction
Time required
Approx. 10 minutes
Passing score
Basic instructions
Correct answer
a) 1: a desk 2: an actual
b) 1: a plan 2: an execution
c) 1: a design 2: an operational
d) 1: a mechanism 2: a practical
e) 1: an architectural 2: an operating
Correct answer
c) 1: a design 2: an operational
Correct answer
a) Layout change
b) System change
c) Channel change
d) Excessive dependence on individuals
e) Organizational change
Correct answer
a) Layout change
Options
Correct answer
No. 6 (Multiple)
Which of the following phrases, from A to C, accurately describe the
"establishment and communication of rules"?
Choose the letter of the option with the correct phrases.
A. Establish and clearly document rules.
B. Communicate and enforce rules in the workplace.
C. Conduct an annual review to check if rules are still appropriate for
actual operation.
Options
a) A and B
b) A and C
c) B and C
d) A and B and C
e) None of the above
Correct answer
d) A and B and C
Correct answer
Options
Correct answer
c) The manager was on a business trip, so the data was entered after
receiving approval over the telephone. An approval stamp was
received the following day.
Options
Correct answer
Options
Correct answer
No. 1
Explanation
Under J-SOX, the difference between an "error" and "fraud" depends on whether the
action was "intentional" or not. An "intentional" action that differs from reality includes
not only matters pertaining to amounts and quantities but also booking dates, operation
of accounts, failure to follow proper approval procedures, and so on.
No. 2
Explanation
A situation where internal control has some kind of problem is called a "deficiency."
There are two types of deficiency: a "design deficiency" that refers to an error in
business process design, and an "operational deficiency" that refers to an error in an
actual operation.
No. 3
Explanation
No. 4
Explanation
There are "situations with a high likelihood of occurrence" of "mistakes" and "fraud."
Situations involving "change" tend to include many unstable and incomplete elements,
creating "a high likelihood of occurrence." However, simple changes, such as changes
in seating arrangement, do not result in operational changes. Thus, a "layout change"
does not create "a high likelihood of occurrence."
No. 5
Explanation
There are six key workplace activities in J-SOX: "establish and communicate rules,"
"perform segregation of duties," "receive proper approval," "leave a trail of the work
performed," "double check by third party," and "proper management of access rights."
Although people should always double check their work, this is not considered to be an
effective form of confirmation in J-SOX because people tend to be lax when doing so.
No. 6
Explanation
There are three key points in the key workplace activity of "establish and communicate
rules": "establish and clearly document rules," "communicate and enforce rules in the
workplace," and "conduct an annual review to check if rules are still appropriate for
actual operation." All three of these must take place.
No. 7
Explanation
No. 8
Explanation
The receipt of proper approval requires that approval authority and "procedures
(steps/trail/timing)" be appropriate. If the manager is away on a business trip, verbal
approval is generally acceptable for proceeding with an operation. However, there is no
"trail" with verbal approval, so it must be supplemented with an approval stamp. It
cannot be considered "proper approval" unless a confirmation stamp is received
afterwards.
No. 9
Explanation
"Leaving a trail of the work performed" needs to be done in line with predefined rules.
An unreliable implementation, where a trail may or may not be left or the method of
doing so depends on the person, is not enough. The trail does not need to be an
official seal or signature, either. If defined in advance, a simple check mark is sufficient.
No. 10
Explanation
There are four key points in the key workplace activity of "proper management of
access rights": "access rights are granted after acquiring proper approval," "there are
different levels of access rights (patterns) suited to specific duties," "an appropriate
level of access rights is assigned based on duties," and "access rights are periodically
inventoried (every six months) and passwords are changed." Access rights are not
being properly managed if a user has access rights that exceed the level required for
their job. Such situations invite the risk of fraud. Access rights need to be divided into
appropriate levels and assigned based on the work being performed.