Free CPA Canada Performance Management Practice Questions: Internal Control Context

CPA Canada means Chartered Professional Accountants of Canada. Use this focused CPA Canada Performance Management page as a short practice test for Internal Control Context. The items are original Finance Prep sample exam questions built for scenario-based practice, not trivia, puzzle questions, official CPA Canada Performance Management Elective questions, copied live-exam content, or exam dumps.

Topic snapshot

Sample questions

These are original Finance Prep practice questions aligned to this topic area. They are not official CPA Canada Performance Management Elective questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with topic drills, mixed sets, and timed mock exams in Finance Prep.

Question 1

Topic: Internal Control Context

A Canadian distributor recently paid $48,000 to a fraudster after an unauthorized change was made to a supplier’s banking information. The controller has asked whether a proposed ERP workflow would meet the following control objective:

Vendor master banking changes are authorized, independently reviewed, supported by valid supplier documentation, and traceable before related payments are released.

Current process notes:

• An accounts payable clerk can create suppliers, edit banking details, and release payment batches under $25,000.
• Supplier change requests are received by email and saved inconsistently.
• The ERP can produce a monthly bank-change report, but no one reviews it.

Proposed improvement:

• Any vendor banking change entered through the accounts payable screen would create an approval task for the purchasing manager.
• The approval screen would show old and new banking fields and would store the approver ID and date.
• Payments to that supplier would be blocked until the task is approved.
• IT has not yet confirmed whether emergency administrator changes, bulk imports, or direct database changes would be included in the workflow.
• The purchasing manager does not currently perform an independent supplier callback or compare the request to approved supplier records.

Which interpretation best assesses the proposed control improvement?

• A. It does not address the control objective because only a manual callback by accounts payable can prevent fraudulent banking changes.
• B. It partially addresses authorization and traceability, but the control objective is not fully addressed until all change paths are confirmed and independent supplier verification is assigned.
• C. It fully addresses the control objective because the ERP blocks payment until the purchasing manager approves the change.
• D. It mainly addresses compliance with the $25,000 payment-release limit rather than the vendor banking change control objective.

Best answer: B

What this tests: Internal Control Context

Explanation: The proposed workflow is a useful IT-enabled control enhancement, but its effect must be assessed against the specific control objective. It appears to improve authorization, segregation, and traceability for changes entered through the accounts payable screen. However, the objective also requires coverage before payments are released, valid supplier documentation, and independent review. The facts do not confirm that all technical change paths are captured, such as administrator changes, bulk imports, or direct database updates. The facts also do not show that the purchasing manager independently verifies the banking change against a reliable supplier source. A sound interpretation avoids assuming that the ERP workflow automatically covers every route or validates the underlying supplier evidence.

• Treating the payment block as fully sufficient assumes the workflow captures all change methods and validates supplier documentation.
• Rejecting the workflow entirely is too strong; it can improve authorization and audit trail for changes within its confirmed scope.
• Focusing on the $25,000 payment limit misreads the issue, which is control over vendor master banking changes before payment.

The available facts support an approval trail for AP-screen changes, but not complete coverage of all change methods or validation of supplier documentation.

Question 2

Topic: Internal Control Context

A Canadian outdoor equipment retailer recently moved online sales to a new storefront that interfaces daily with its ERP. The controller is assessing whether the key controls are properly designed before presenting the process to the audit committee.

Control objective: all valid shipped online orders must be recorded once in the ERP at the authorized price and supported by payment authorization before month-end reporting.

Process and current controls:

• The storefront requires a payment authorization token before an order can be changed to ready to ship. The order record stores the token, order number, SKU, quantity, and price.
• Each morning, an accounting clerk imports the prior day’s sales batch into the ERP. The ERP displays the total dollars and number of orders imported. The clerk clicks complete and files the ERP import confirmation.
• The clerk does not compare the ERP batch totals to the storefront order report or the payment processor settlement report.
• The shipping manager signs a weekly report of open orders older than five days. The report excludes orders cancelled after payment authorization.
• The controller reviews monthly gross margin by product line and investigates variances greater than 10% from budget.

Which interpretation of the control design is most appropriate?

• A. The monthly gross-margin review is sufficient as a compensating control because a 10% variance threshold would detect any duplicate or missing sales batch.
• B. The payment-token requirement is sufficient because it prevents any order from shipping unless the related sale will be recorded in the ERP.
• C. The weekly open-order review is the strongest completeness control because unshipped orders are the main source of omitted revenue.
• D. The daily import confirmation is not designed effectively because it confirms an import occurred but does not reconcile ERP results to storefront orders and payment settlements.

Best answer: D

What this tests: Internal Control Context

Explanation: A control is properly designed when it addresses the specific risk and control objective at the right point in the process. Here, the main risk is not only unauthorized shipping; it is that valid shipped orders may be omitted, duplicated, or recorded at the wrong amount when the storefront interfaces with the ERP. Filing an ERP import confirmation proves that a batch was processed, but it does not prove the batch was complete or accurate. A designed control should compare ERP batch totals, order counts, and key values to the storefront and payment processor reports, with exceptions investigated before reporting. The payment token is a useful preventive control over release for shipping, but it does not validate ERP recording. The gross-margin review is too high-level and too late to be the key control over daily interface completeness and accuracy.

• The payment-token control supports authorization before shipping, but it does not confirm that the ERP recorded every valid order once.
• The open-order review addresses fulfilment delays, not the completeness and accuracy of recorded sales batches.
• The gross-margin review may identify broad anomalies, but the monthly timing and 10% threshold are not precise enough for the stated interface risk.

The control objective includes completeness, accuracy, and single recording, which require a reconciliation or comparable check of the interface results to independent source reports.

Question 3

Topic: Internal Control Context

Maple Community Health uses a cloud ERP to maintain supplier master data and process electronic payments. The audit committee approved the following control objective: changes to supplier banking information must be authorized by someone independent of accounts payable data entry before the first payment using the new banking details, and management must retain evidence that the review covered all such changes.

An internal control review noted:

• Accounts payable clerks can create suppliers and change banking information.
• The controller reviews the monthly payment run, but the report shows payment totals only.
• The ERP provider says workflow and audit-log functions may be available, but finance has not confirmed licensing or configuration.
• The operations director proposes reporting that the ERP will be set to “automatically validate supplier banking changes,” with no documentation that the ERP verifies bank ownership or payee-bank matching.

Which recommendation best addresses the control objective without relying on an unsupported technical assumption?

• A. Configure and test a pre-approval workflow and complete change report for supplier banking changes, with an ERP specialist confirming available functionality and an independent reviewer approving changes before payment.
• B. Accept the operations director’s proposal because an automated banking validation setting can be assumed to block unauthorized supplier banking changes once activated.
• C. Replace the controller’s payment review with multi-factor authentication for accounts payable users because it proves that vendor changes were made by authorized employees.
• D. Require accounts payable clerks to email screenshots of banking changes to the controller after each payment run as evidence that changes were reviewed.

Best answer: A

What this tests: Internal Control Context

Explanation: An IT-enabled control improvement should be tied to the control objective and supported by confirmed system functionality. Here, the objective is not merely to identify who logged in or to review payments after the fact. It requires independent authorization before the first affected payment and evidence that all supplier banking changes were included in the review. A suitable recommendation is to work with an ERP specialist to confirm what the system can do, configure the workflow and audit trail, test the control before relying on it, and assign an independent reviewer. Management should not claim that the ERP validates bank ownership or blocks false changes unless that capability is documented and tested.

• Assuming automated bank validation will work is unsupported because no documentation confirms that the ERP verifies bank ownership or payee-bank matching.
• Screenshot emails from accounts payable are incomplete and occur after payment, so they do not provide independent pre-authorization or a complete population.
• Multi-factor authentication strengthens access security, but it does not prove that each banking change was independently authorized before payment.

This directly addresses authorization, completeness of review evidence, and the need to confirm system capability before relying on the control.

Question 4

Topic: Internal Control Context

Ridgeway Components Ltd., a Canadian manufacturer, asked a CPA to review finance-process controls after rapid growth. The audit committee charter says the committee oversees financial reporting controls and receives reports of significant control deficiencies or possible management override. The CFO attends audit committee meetings but is not a committee member.

The review found:

• The ERP administrator created an emergency access profile allowing the CFO to create vendors, approve invoices, and release EFTs over $100,000 without second approval.
• The access was intended for two weeks during system conversion but remained active for eight months.
• The controller’s monthly review of new vendors is listed as a compensating control; however, the controller reports to the CFO, receives the report after payments are released, and signs only to confirm it was printed.
• Three large payments were made to a new consulting vendor set up using the CFO profile. AP could not locate a contract before payment, and the CFO told AP to catch up the paperwork later to avoid delaying quarterly results.

Management wants the finding handled by the finance team before the next audit committee meeting. Which interpretation is most appropriate for communicating the weakness?

• A. Communicate it to the accounts payable manager because the missing contract is an invoice-processing issue within AP’s responsibility.
• B. Communicate it directly to the audit committee because it involves possible CFO override of significant payment controls and the proposed compensating control is not independent.
• C. Communicate it to the controller because the controller performs the monthly vendor review and can improve documentation.
• D. Communicate it only to the CFO because the CFO owns the finance process and can authorize removal of the emergency access profile.

Best answer: B

What this tests: Internal Control Context

Explanation: Control weaknesses should be communicated to a level with both authority to address the issue and sufficient independence from the deficiency. Routine processing issues may be reported to process management. However, deficiencies involving senior management override, significant payment authority, ineffective compensating controls, or possible irregular transactions should be escalated to those charged with governance, such as the audit committee. Here, the CFO is part of the control failure and the controller review does not compensate for the risk because it is after-the-fact and not independent. The audit committee has an explicit oversight mandate for significant deficiencies and possible management override, so finance management alone is not an appropriate communication level.

• Reporting only to the CFO fails because the CFO is directly involved in the access and approval breakdown.
• Reporting to the controller overstates the value of a review that is not independent and occurs after payments are released.
• Treating the matter as an AP documentation issue ignores the override of vendor setup, invoice approval, and EFT release controls by senior management.

The audit committee is the appropriate recipient because the weakness involves senior management, significant disbursement authority, and an ineffective compensating control.

Question 5

Topic: Internal Control Context

A CPA on the performance management team is reviewing a control issue for Northlake Components, a Canadian manufacturer. The board’s audit committee has set a low tolerance for preventable payment errors because duplicate payments have affected supplier trust and cash forecasts.

Control note:

• Current system: The existing ERP has purchase order, receiving, invoice, workflow approval, duplicate-invoice detection, and user-access configuration modules.
• Current process: Accounts payable clerks manually compare invoices to purchase orders and receiving reports. Supervisors approve payment batches after the comparison is complete.
• Issue: Three duplicate supplier invoices and two invoices without receiving confirmation were paid in the last quarter.
• Root cause: The ERP matching and duplicate-detection functions were not configured when the ERP was implemented. Supervisory review is too late to prevent payment release.
• Constraint: Management does not have budget approval for a full system replacement this year. IT says configuration changes, user-role updates, testing, and training can be completed within six weeks.

Which recommendation best addresses the control weakness?

• A. Ask the external auditor to expand year-end substantive testing of payables and report any duplicate payments to the audit committee.
• B. Replace the ERP with a new procurement and payables platform because duplicate payments show that the current system cannot support reliable controls.
• C. Redesign the monthly payables dashboard to highlight duplicate payments, unmatched invoices, and supplier complaints for audit committee review.
• D. Configure the existing ERP to require automated three-way matching, duplicate-invoice validation, exception routing, role-based approvals, and documented testing before go-live.

Best answer: D

What this tests: Internal Control Context

Explanation: An IT-enabled control enhancement improves how the current system prevents, detects, or routes exceptions in the business process. Here, the ERP already has the needed functionality, and the root cause is that matching, duplicate detection, access roles, and exception workflow were not configured. The best response is to implement and test those controls with IT and process-owner involvement before the change goes live. A full system replacement is not supported because the current system can address the weakness and replacement is outside the approved constraint. A dashboard may improve reporting to the audit committee, but it is mainly after-the-fact monitoring. Expanded external audit testing may detect misstatements, but it does not correct management’s internal control weakness in the payment process.

• Full system replacement is excessive because the ERP already has the required control functionality and management has no approved replacement budget.
• Dashboard redesign improves visibility but does not prevent payment release without matching or duplicate-invoice checks.
• External auditor testing may provide assurance evidence, but it is not a management control enhancement over accounts payable processing.

This directly enhances the existing IT-enabled control by preventing or flagging payment errors before release and includes appropriate implementation controls.

Question 6

Topic: Internal Control Context

Maple Care, a Canadian not-for-profit, provides home-care visits funded through a provincial claims portal. Coordinators schedule visits, update visit hours, and prepare claim files.

Internal review noted:

• The same coordinator can add a client, change a funded rate, edit visit hours, mark visits complete, and create the claim file.
• No independent review occurs before the claim file is uploaded.
• The vendor confirmed the current system has only one Coordinator role and cannot split these permissions until a system migration in nine months.
• Coordinators need same-day edit access because care schedules change daily.
• Claims must be submitted within five business days; late claims are often rejected.
• The system can export a daily audit log showing user, client ID, rate changes, manual hour edits, and claim batch.
• Finance has separate credentials to upload and release claim files in the provincial portal.
• The current monthly review compares total billings to budget by program only.

Which recommendation best addresses the control deficiency while respecting the process and system constraints?

• A. Keep coordinator data-entry access, but require finance to release each claim batch only after a program manager reviews the daily audit-log export for client, rate, and hour changes.
• B. Require each coordinator to certify their own claim file before upload and investigate only program-level billing variances over budget.
• C. Continue the monthly budget-to-actual review until the migration because daily audit-log reviews would not change system permissions.
• D. Remove coordinator edit access immediately and require finance to enter all schedule and claim changes before each submission deadline.

Best answer: A

What this tests: Internal Control Context

Explanation: The deficiency is an incompatible combination of duties: coordinators can create or change claim data and prepare the claim file without independent review. Since the system cannot split coordinator permissions and same-day edits are operationally necessary, the improvement should not simply remove access or wait for the migration. A practical compensating control is to use the available audit log for timely independent review and use finance’s separate portal access as a release control. This places review close to the transaction, covers the specific risky changes, and still allows claims to meet the five-day deadline. A monthly budget comparison is too aggregated and late to detect inappropriate client, rate, or hour changes before submission.

• Removing coordinator edit access ignores the operational need for same-day schedule changes and the current system-role limitation.
• Waiting for the migration leaves the known control deficiency unaddressed even though an audit-log export and separate release access are available.
• Coordinator self-certification does not provide independent review, and program-level variance checks may miss incorrect claims within budget.

It adds independent transaction-level review and a separate release step using controls available despite the system role limitation.

Question 7

Topic: Internal Control Context

A regional health services not-for-profit implemented a cloud-based scheduling and service-reporting system. The board uses monthly reports from the system to monitor cost per visit, wait-time targets, and compliance with a provincial funding agreement.

An internal control review found the following:

• Clinic supervisors can change service categories and approve completed visit records.
• Three supervisors and two temporary staff use one shared clinic_admin account because management wanted to reduce licence costs.
• The shared password is saved on clinic workstations, and remote access is enabled.
• Change logs show only clinic_admin, so finance cannot identify who changed a service category or approved a visit.
• The finance manager reviews total visits by program each month and investigates variances over 10%.

Management proposes to keep the monthly variance review and add a monthly supervisor sign-off that all visits were properly classified. Which interpretation best identifies the IT security requirement that should be integrated into the control response?

• A. Ask supervisors to keep a manual spreadsheet of all visit-record changes for finance to review monthly.
• B. Encrypt the monthly reports before they are sent to the board and funder.
• C. Increase the variance-review threshold so finance investigates only program variances over 15%.
• D. Require unique user IDs with role-based access and multi-factor authentication for users who can change or approve visit records.

Best answer: D

What this tests: Internal Control Context

Explanation: The control response should address the access weakness at its source. A shared administrative account prevents accountability because changes cannot be traced to an individual, and saved passwords with remote access increase the risk of unauthorized changes. Unique user IDs, role-based access, and multi-factor authentication are IT security requirements that support proper authorization and reliable audit trails. The finance manager’s monthly variance review and supervisor sign-off are detective or compensating controls, but they do not prevent inappropriate access or identify who made a change. Because the board and funder rely on the system reports for performance and compliance monitoring, the control response must strengthen access security for the system functions that affect those reports.

• Encrypting reports may protect confidentiality, but it does not address unauthorized changes inside the system.
• Raising the variance threshold weakens monitoring and does not improve access control.
• A manual spreadsheet adds another review artifact, but it relies on self-reporting and does not fix the shared-account deficiency.

The deficiency involves unauthorized or untraceable access to sensitive system functions, so the response should address authentication, accountability, and least-privilege access.

Question 8

Topic: Internal Control Context

A CPA is advising Maple Ridge Foods, a Canadian packaged-food manufacturer, on controls over customer rebates. Rebates are strategically important because management is trying to protect gross margin while using rebates to retain major grocery customers.

Current process and control facts:

• Sales managers can create new rebate agreements and enter rebate rate changes in the ERP system.
• The controller reviews a spreadsheet of rebate expense after month-end and asks sales managers to explain unusual increases.
• Two unauthorized rate changes were found last quarter; both were posted before the controller’s review.
• The board has set a low tolerance for revenue leakage and wants more reliable weekly margin reporting.
• The ERP system already has unused functions for approval workflow, role-based access, change logs, and exception reports.
• The IT manager says workflow configuration should be designed with the sales, finance, and IT teams and tested before release.

Which recommendation would best enhance controls through information technology?

• A. Continue the month-end spreadsheet review but require the controller to investigate every rebate increase above the weekly average.
• B. Configure ERP workflow so rebate rate changes require finance approval before posting, restrict rate-change access by role, and use change-log exception reports for monitoring.
• C. Remove sales managers’ ability to offer rebates until the board approves a new pricing strategy.
• D. Ask IT to install a new rebate module immediately because the current ERP has already allowed unauthorized changes.

Best answer: B

What this tests: Internal Control Context

Explanation: The main control opportunity is to move from a detective, after-the-fact manual review to IT-enabled preventive and monitoring controls within the existing ERP. Because unauthorized rebate changes were posted before review and the board has low tolerance for revenue leakage, the control should stop inappropriate changes before they affect results. Role-based access and approval workflow address segregation of duties and authorization. Change logs and exception reports provide evidence for ongoing monitoring and support more reliable margin reporting. The recommendation should also recognize that control changes require collaboration among finance, sales, and IT so that the workflow is properly designed, tested, and implemented without disrupting legitimate rebate activity.

• A more detailed month-end review remains detective and would not prevent unauthorized rate changes before posting.
• Blocking all rebates is an operational strategy decision and may conflict with customer-retention objectives.
• Replacing the system is not justified when the existing ERP has unused workflow, access, logging, and reporting capabilities.

This uses existing ERP controls to prevent unauthorized changes before posting and supports monitoring through logged exceptions.

Question 9

Topic: Internal Control Context

Maple Trails Outfitters is expanding a cloud-based sales and customer dashboard from head office to 42 store managers. The dashboard includes customer names, emails, purchase history, loyalty status, refund history, and contribution margin by customer segment. The board has approved the expansion only if the control response reflects the company’s low tolerance for privacy and unauthorized-access incidents.

A control note prepared for the audit committee includes these facts:

• Store managers currently access a pilot dashboard using one shared store.manager login per region.
• The password is changed quarterly and emailed by the regional controller.
• Two former store managers retained access for more than 30 days after termination.
• The vendor can enable single sign-on, multi-factor authentication, role-based access, and user activity logs within the approved budget.
• Management proposed a monthly CFO review of download logs for exports above 1,000 customer records.

Which IT security requirement should be integrated into the control response before the dashboard is expanded?

• A. Require the CFO to review monthly download logs and investigate exports above 1,000 customer records.
• B. Require the vendor to carry cyber insurance and provide an annual security report to the board.
• C. Require unique user accounts with multi-factor authentication, role-based access, and HR-triggered removal for terminated employees.
• D. Require store managers to change the shared dashboard password quarterly and certify that exports were deleted.

Best answer: C

What this tests: Internal Control Context

Explanation: A control response for a cloud dashboard with personal and commercially sensitive information should include preventive access security, not only after-the-fact monitoring. Shared credentials prevent accountability and make activity logs less useful because the company cannot reliably identify who accessed or exported data. Former employees retaining access also shows that user removal is a key deficiency. The appropriate requirement is individual authenticated access with multi-factor authentication, role-based restrictions based on the user’s job needs, and timely deprovisioning tied to HR termination records. Monthly log review can still be useful as a monitoring control, but it should support, not replace, strong access management.

• Monthly download reviews are detective only; without unique accounts, the logs may not identify the actual user.
• Quarterly password changes and deletion certificates leave shared credentials in place and do not enforce need-to-know access.
• Cyber insurance and annual vendor reporting may support oversight, but they do not prevent unauthorized dashboard access.

The dashboard contains sensitive customer data, so access must be individually authenticated, limited to need-to-know roles, and removed promptly when employment ends.

Question 10

Topic: Internal Control Context

Prairie Components Ltd. uses an integrated ERP for purchasing and electronic payments. During a COSO-based control review, the controller noted the following:

• Purchasing creates approved purchase orders, and receiving confirms quantities received.
• Accounts payable clerks can create new vendor records, edit vendor banking details, and enter supplier invoices.
• Each week, the ERP generates the payment file from approved invoices and the current vendor banking details.
• The treasurer reviews the total payment file amount and cash forecast before release but does not see vendor master changes.
• The management dashboard uses vendor master data to report supplier spend and duplicate-vendor exceptions.
• A recent supplier complaint revealed that its bank account was changed two days before a payment run using a generic AP adjustments profile. No support or approval was attached.

Management’s main risk is that unauthorized vendor master changes could redirect payments and impair supplier-spend reporting. Which key control would best address this risk?

• A. Require the treasurer to compare the weekly payment file total with prior weeks before releasing the payment file.
• B. Have the accounts payable manager review monthly supplier-spend variances and duplicate-vendor dashboard exceptions.
• C. Configure the ERP so vendor additions and banking changes require independent approval with support before activation, using user-specific audit logs.
• D. Back up the vendor master file nightly and test recovery of the ERP vendor table each quarter.

Best answer: C

What this tests: Internal Control Context

Explanation: The risk occurs at the vendor master stage, not at the payment total or month-end dashboard stage. Because the ERP uses vendor master data to generate payment files and supplier-spend reports, the key control should be preventive and embedded where the data is created or changed. Requiring independent approval of new vendors and banking changes, supported by documentation and user-specific audit logs before activation, addresses both payment redirection and reporting reliability. Reviews of aggregate payment totals or monthly spend variances may identify unusual activity after the fact, but they do not validate whether the master data was authorized before the system used it. Backups support availability and recovery, but they do not prevent or detect unauthorized master-data changes.

• Reviewing weekly payment totals checks cash impact, but it does not validate vendor banking details or master-data authorization.
• Month-end supplier-spend review is detective and late; the dashboard may already be based on incorrect master data.
• Backups protect data availability, but they do not establish authorization, segregation of duties, or accountability for changes.

A system-enforced vendor-master approval control prevents unapproved records or banking changes from being used in payments and preserves accountability for reporting data.

Continue in the web app

Use Finance Prep for interactive CPA Canada Performance Management practice with mixed sets, timed mock exams, topic drills, explanations, and progress tracking.

Related focused pages

• Free CPA Canada Performance Management Practice Exam
• Free CPA Canada Performance Management Practice Questions: Financial Reporting Context
• Free CPA Canada Performance Management Practice Questions: Strategy and Governance
• Free CPA Canada PM Practice Questions: Management Accounting

Practice next step

Use the Finance Prep web app above when you want interactive practice beyond this static page.