Question 1
An organization discovers that the same customer exists in its CRM, billing, and shipping systems under three different names with three different addresses. This is best described as a:
- Master data quality problem - duplicate and inconsistent records across systems indicate a lack of master data governance and a single authoritative source.
- System integration failure caused by API connectivity issues.
- User access control problem requiring additional access restrictions.
- Data encryption failure exposing customer data to unauthorized modification.
Explanation: Duplicate customer records with inconsistent data across systems are a master data quality problem - the classic symptom of inadequate MDM governance. Answer A is correct. API failures (B), access controls (C), and encryption (D) are unrelated to the described data consistency issue.
Question 2
Which of the following controls most directly prevents unauthorized additions to the vendor master file in an accounts payable system?
- Encrypting all vendor records in the vendor master file.
- Running monthly reports of all active vendors for management review.
- Requiring that all new vendor additions be approved by an authorized manager who is independent of the accounts payable processing function, with supporting documentation.
- Requiring vendors to sign a confidentiality agreement before being added.
Explanation: An authorization control requiring independent management approval for new vendor additions directly prevents unauthorized vendor creation - a key preventive control against fictitious vendor fraud. Answer C is correct. Encryption (A) protects confidentiality. Monthly reports (B) are detective controls. Confidentiality agreements (D) are legal controls, not data entry controls.
Question 3
A company finds that its customer master file contains records for 800 customers who have had no transactions in the past three years. The most appropriate action is:
- Delete all inactive customer records immediately to clean up the database.
- Encrypt the inactive records to protect them from unauthorized access.
- Move all inactive records to a separate, unauthorized-access database.
- Review inactive records against retention policies and applicable regulatory requirements, archiving or inactivating records as appropriate while maintaining required records for the mandated period.
Explanation: Inactive master data should be managed through a formal review process - some records may need to be retained for regulatory or legal purposes while others can be archived or inactivated. Answer D is correct. Immediate deletion (A) may violate retention requirements. Encryption (B) doesn't address inactivity. Unauthorized database access (C) is not a data management control.
Question 4
Which of the following is the most effective control for detecting unauthorized changes to the vendor master file?
- An automated report comparing all vendor master file changes to approved change requests, with unexplained changes escalated to management for investigation.
- Encrypting all vendor records to prevent unauthorized modifications.
- Requiring all vendors to confirm their information annually by mail.
- Restricting access to vendor master data to read-only for all employees.
Explanation: Comparing master file changes to approved change requests is a detective control that identifies unauthorized modifications - directly linking changes to authorization evidence. Answer A is correct. Encryption (B) prevents reading, not modification by authorized users. Vendor confirmation (C) is a separate reconciliation process. Read-only access (D) prevents all changes including legitimate ones.
Question 5
A company's employee master data record is updated when an employee changes departments. Controls require the HR system to automatically update the payroll and access management systems. An auditor finds that access management was not updated in 12 of 50 sampled department changes. This finding indicates:
- The HR system has insufficient capacity to process all employee changes.
- The access management system does not support automated updates.
- An interface or automated provisioning control failure - the HR-to-access management integration did not consistently update access rights when employees changed departments.
- A minor documentation issue that can be resolved with a memo from the HR department.
Explanation: A 24% failure rate in automated access updates represents a significant interface control failure - employees who changed departments may have retained inappropriate access to their former systems. Answer C is correct. Capacity issues (A) would affect all updates. System support (B) would produce 100% failures, not 24%. The financial and security implications are not minor (D).
Question 6
A company's chart of accounts (COA) is a type of master data. Which of the following controls most directly ensures the accuracy and completeness of the COA for financial reporting purposes?
- A formal change control process requiring documentation, business justification, and appropriate management approval for all additions, modifications, or deletions of GL accounts.
- Encrypting the chart of accounts to prevent unauthorized viewing.
- Requiring all employees to verify the chart of accounts annually.
- Running an automated comparison of the COA to industry benchmarks each quarter.
Explanation: A formal change control process for the COA ensures changes are authorized and appropriate - preventing unauthorized account creation or modification that could misrepresent or obscure financial activity. Answer A is correct. Encryption (B) protects confidentiality. Employee verification (C) is not a standard COA control. Industry benchmarks (D) are strategic planning tools, not COA controls.
Question 7
An organization implements a data stewardship program for its customer master data. A data steward's primary responsibility for master data is to:
- Encrypt all customer records to comply with data privacy regulations.
- Back up the customer database on a daily basis.
- Monitor and enforce data quality standards, resolve duplicate and inconsistent records, and serve as the accountable party for the accuracy and integrity of customer master data.
- Restrict access to customer data to the sales department only.
Explanation: A data steward is the operational accountability role for master data quality - monitoring quality metrics, resolving issues, enforcing standards, and ensuring the data remains accurate and fit for use. Answer C is correct. Encryption (A), backup (B), and access restriction (D) are IT operations and security functions, not data stewardship roles.
Question 8
An organization's payroll system maintains an employee master file with salary and bank account information. An auditor reviews controls over this file and finds that payroll staff can modify bank account numbers without any secondary approval. The primary fraud risk is:
- Payroll staff may change bank accounts for legitimate employees who lost access to their accounts.
- Bank account changes will cause payroll processing to run slower.
- Employees will have difficulty receiving their pay if accounts are changed incorrectly.
- Payroll staff could redirect payroll funds to personal accounts by changing bank account numbers for other employees, a form of payroll diversion fraud.
Explanation: Unrestricted bank account modification in payroll is a direct fraud risk - payroll staff can redirect employee pay to accounts they control. This is one of the most common payroll fraud schemes. Answer D is correct. Legitimate reasons (A) do not eliminate the fraud risk. Processing speed (B) and payment receipt (C) are operational concerns, not the primary fraud risk.
Question 9
A company's price master data contains approved pricing for 50,000 products. An auditor finds that 127 products have negative prices in the master file. This represents:
- A data quality control failure - negative prices are likely data entry errors or unauthorized modifications that could result in customers being paid to purchase products, causing revenue and financial reporting errors.
- A system configuration setting allowing price promotions.
- Normal pricing variations within acceptable business rules.
- A minor finding since only 0.25% of products are affected.
Explanation: Negative prices in a product master file are a significant data quality error - they could result in credit invoices being generated instead of sales invoices, directly affecting revenue. Answer A is correct. Price promotions use discount structures, not negative prices (B). Negative prices are not normal (C). The financial impact of 127 products could be material (D).
Question 10
Which of the following represents the primary risk of maintaining outdated or inaccurate customer master data?
- The customer management system will require additional storage capacity.
- Customer service staff will have difficulty navigating the customer database.
- Billing errors, shipments to wrong addresses, incorrect tax calculations, and inaccurate accounts receivable records could result from using stale customer data in transactions.
- Marketing campaigns will be less effective due to outdated customer preferences.
Explanation: Inaccurate customer master data cascades through all downstream processes - billing, shipping, AR, tax calculations - because transactions reference master data at the time of processing. Answer C is correct. Storage capacity (A) and navigation difficulty (B) are operational concerns. Marketing effectiveness (D) is a business concern but not the primary data integrity risk.
Question 11
An organization's ERP system is configured to prevent the same bank account number from being assigned to more than one vendor. This system control is best described as:
- A processing control that validates bank account numbers after payments are made.
- An output control that generates alerts about suspicious vendor payments.
- An access control restricting which users can update vendor bank accounts.
- An input/master data validation control that prevents duplicate bank account numbers in the vendor master file - directly blocking a common fictitious vendor fraud technique.
Explanation: A uniqueness constraint on bank account numbers in the vendor master file is a preventive input control - blocking at the data entry stage the creation of multiple vendor records pointing to the same bank account. Answer D is correct. Processing controls (A) and output controls (B) operate after entry. Access controls (C) restrict users, not data values.
Question 12
A company's item master data includes the unit of measure (UOM) for each inventory item. A UOM error causes 100 units of a high-value component to be recorded as 100 individual items instead of 100 boxes of 12. The primary financial reporting impact is:
- The inventory system will display items in the wrong location.
- Inventory quantities and values will be materially misstated - the correct count is 1,200 units but the system records 100, significantly understating inventory and potentially COGS.
- The warehouse will have difficulty physically locating the items.
- The purchasing department will order too much inventory in future periods.
Explanation: A UOM error directly causes financial misstatement - recording 100 boxes of 12 as 100 individual units understates inventory count by 1,100 units, which could be material depending on the item value. Answer B is correct. Location display (A) and physical location (C) are operational concerns. Future ordering (D) is a downstream operational impact.
Question 13
Which of the following is the most important control over changes to the employee pay rate master data in a payroll system?
- Segregation of duties requiring that pay rate changes be initiated by HR and approved by management, with a separate reviewer comparing authorized rates to processed payroll.
- Encrypting all pay rate data to prevent unauthorized reading of salary information.
- Requiring employees to confirm their pay rate each month via a self-service portal.
- Archiving all historical pay rate data for regulatory compliance.
Explanation: Pay rate changes require segregation of duties: HR initiates based on approved changes, management approves, and an independent reviewer verifies that payroll was processed correctly - preventing unauthorized rate increases. Answer A is correct. Encryption (B) protects confidentiality. Employee self-service (C) is not an authorization control. Archiving (D) supports retention but not change authorization.
Question 14
An organization maintains a chart of accounts with 2,400 active GL accounts. During an audit, the auditor finds 340 accounts that have never been used in the 5 years since the ERP system was implemented. The most appropriate recommendation is:
- Delete all 340 unused accounts to simplify the financial reporting structure.
- No action required since unused accounts do not create risks.
- Review the unused accounts, inactivate those with no legitimate future business purpose, and document the disposition - reducing the COA complexity and eliminating potential vehicles for unauthorized transaction recording.
- Transfer all unused accounts to a contingency reserve category.
Explanation: Unused GL accounts should be reviewed and inactivated if no longer needed - they represent unnecessary complexity and potential avenues for posting unauthorized transactions. Answer C is correct. Immediate deletion (A) requires review first. Unused accounts can create fraud risk (B). Reclassification (D) doesn't address the control issue.
Question 15
Which of the following data controls addresses the risk that a vendor's banking information is fraudulently changed to divert future payments?
- Encrypting vendor bank account numbers in the vendor master file.
- Limiting vendor access to the accounts payable system.
- Sending payment confirmation emails to vendors after each payment.
- Requiring that changes to vendor bank account information be verified by calling the vendor using a phone number from the original vendor contract (not the number provided in the change request).
Explanation: Verifying bank account changes using independently confirmed contact information (original contract phone numbers) prevents fraudulent bank account redirections - a common social engineering attack. Answer D is correct. Encryption (A) protects stored data but not change authorization. Vendor access restriction (B) addresses vendor-side access. Payment confirmations (C) detect fraud after it occurs.
Question 16
An auditor reviews vendor master file change activity and finds that 3 new vendors were added, all within the same week, by the same AP clerk, with addresses in the same city, and all have received payments within 30 days of being added. This pattern is most consistent with:
- Normal vendor onboarding activity for a new geographic market.
- Automatic vendor creation triggered by EDI purchase orders.
- A potential fictitious vendor fraud scheme warranting detailed investigation of the new vendors, their payments, and the clerk's authorization.
- A data quality issue causing vendor records to be duplicated.
Explanation: The combination of rapid creation by a single individual, geographic clustering, and quick payments is a high-risk pattern for fictitious vendor fraud - the clerk may have created vendors they control to divert company payments. Answer C is correct. The pattern is too specific to be coincidental normal activity (A) or automated (B). Duplicates don't explain rapid new payments (D).
Question 17
A company's master data management policy requires that all master data changes be logged in an immutable audit trail. The primary purpose of this requirement is to:
- Improve system performance by recording changes in a separate database.
- Ensure master data backups include a complete change history.
- Allow IT staff to roll back unauthorized changes automatically.
- Create an unalterable record of all changes to master data, including who made changes, when, and what was changed - supporting investigation, accountability, and regulatory compliance.
Explanation: An immutable audit trail for master data changes ensures accountability and provides evidence for investigations, audits, and regulatory examinations - it cannot be altered or deleted by the individuals who made changes. Answer D is correct. Performance optimization (A) and backup completeness (B) are secondary benefits. Automatic rollback (C) requires additional tooling beyond logging.
Question 18
Which of the following represents the most significant data control weakness in an accounts payable master data environment?
- The vendor master file contains 50 inactive vendor records from suppliers that are no longer used.
- The same individual can add vendors, approve invoices for those vendors, and release payments - with no system-enforced segregation of duties.
- Vendor contact information is not verified annually by the AP team.
- The vendor master file does not include vendor tax classification information.
Explanation: The ability for one person to create vendors, approve invoices, and release payments represents the most dangerous combination of incompatible duties in AP - enabling the complete fraud cycle without any compensating check. Answer B is correct. Inactive records (A), unverified contacts (C), and missing tax fields (D) are data quality issues but far less severe than the segregation of duties failure.
Question 19
A company's product master data includes standard cost information used for inventory valuation. An unauthorized change increases the standard cost of a component by 35%. What is the primary financial reporting risk?
- The inventory system will display incorrect location codes for affected items.
- Inventory balances and cost of goods sold will be materially misstated - overstated inventory and understated COGS (or vice versa) resulting from incorrect standard costs flowing through inventory valuation.
- The purchasing team will pay too much for the component in future periods.
- The system will trigger a variance alert that IT staff will need to investigate.
Explanation: Standard costs directly drive inventory valuation and COGS calculations - a 35% unauthorized change in standard cost produces material misstatement of both balance sheet inventory and income statement COGS. Answer B is correct. Location codes (A) are operational. Future purchasing (C) is a procurement concern. Variance alerts (D) may be a detective control but the primary risk is financial misstatement.
Question 20
Which of the following best describes the purpose of data ownership in a master data governance framework?
- Assigning accountability for the accuracy, completeness, and appropriate use of a master data domain to a specific business leader who is responsible for defining standards and resolving quality issues.
- Tracking which users last modified each master data record.
- Restricting read access to master data to the department that creates it.
- Ensuring each record has a unique identifier assigned by the IT department.
Explanation: Data ownership establishes accountability - the data owner (business leader) is responsible for the master data domain's quality, standards, and governance. Answer A is correct. Modification tracking (B) is audit logging. Access restriction (C) relates to access controls. Unique identifiers (D) are a technical data integrity measure.