CIA Part 2 2019 version Flashcards
To master rationale (206 cards)
1
Q
When gathering data, an audit team identifies both subjective and objective criteria for measuring audit risk. Which of the following risk factors is most objective?
A. Prior audit findings
B. Comfort with operating management
C. Size of the audit unit
D. Changes in staff, systems, or the environment
A
ANSWER: C
RATIONALE: Interpretation of Standard 2420 states that “accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased…” Sawyer’s Internal Auditing states that “every categorical statement, every figure, every reference must be based on hard evidence.” The size of the audit unit is a fact, and it is not affected by the auditor’s impressions and feelings.
(Section I, Chapter 2, Topic A)
2
Q
During the course of a business process review, an internal auditor may
A. decide which controls to select.
B. provide advice on appropriate controls during system design.
C. oversee the implementation of recommended controls.
D. lead a system design team.
A
ANSWER: B
RATIONALE: A business process review falls in the consulting category of engagements. During a consulting engagement (as in assurance engagements), an internal auditor cannot assume management responsibilities, make decisions, or execute transactions as if he or she were part of management. Providing advice is acceptable as long as there is a clear understanding that management has responsibility for accepting or rejecting the advice. The other responsibilities would significantly impair the auditor’s future ability to objectively evaluate the system.
(Section I, Chapter 2, Topic D)
3
Q
Which of the following statements best describes the purpose of the audit manual?
A. To provide training in basic audit techniques for newly hired auditors
B. To describe objectives, policies, and procedures affecting auditors’ work
C. To serve as a reference for approved engagement tools
D. To define the employment relationship between the organization and the employee
A
ANSWER: C
RATIONALE
According to Standard 2040, “Policies and Procedures,” the chief audit executive is responsible for establishing policies and procedures to guide the internal audit activity. The audit manual documents these policies (e.g., avoidance of conflict of interest) and procedures (e.g., engagement process) as well as the activity’s charter, strategic objectives, structure, and annual audit plan.
(Section I, Chapter 1, Topic A)
4
Q
Which is an appropriate role for internal audit during a systems development life cycle (SDLC) review?
A. Ensure that controls are designed during the conversion and implementation phase.
B. Restrict stakeholder representation.
C. Screen the technical expertise of employees participating in the study.
D. Provide the go/no go recommendation based on feasibility study conclusions.
A
ANSWER: C
RATIONALE
Organizations need to control information system resources. During a consulting SDLC review, the auditor could ensure that the team has sufficient hardware and software expertise and includes appropriate stakeholder representation. But internal audit cannot assume management responsibilities or make decisions as if they were part of management. Designing controls during the conversion and implementation phase would be far too late; this should be done during systems design or selection.
(Section I, Chapter 2, Topic D)
5
Q
A new chief audit executive (CAE) is identifying sources of potential engagements for the internal audit activity. Which of the following would be the least helpful activity when examining organizational risk factors?
A. Interviews with senior management, the board, and the audit committee chairperson
B. Discussion with external auditors of open and closed internal control issues identified in their reviews
C. Research conducted with industry benchmarking groups and organizations
D. Review of organizational written policies and procedures
A
ANSWER: C
RATIONALE
The CAE needs to develop an understanding of organizational risks and internal controls available to mitigate these risks in order to help management protect the organization from risk exposures—present and future. Benchmarking is a useful tool for various aspects of the internal audit activity. However, discussions with external auditors and interviews with senior management help to surface problems and opportunities that have already been identified in the organization. Reviewing policies and procedures is of limited value in identifying sources of potential engagements, although policies and procedures do provide a sense of risk areas targeted by the organization.
(Section I, Chapter 2, Topic D)
6
Q
Which of the following is an example of an internal nonfinancial benchmark?
A. The average actual cost per pound of a specific product at the company’s most efficient plant becomes the benchmark for the company’s other plants.
B. The labor rate of comparably skilled employees at a major competitor’s plant becomes a benchmark.
C. The percentage of customer orders delivered on time at the company’s most efficient plant becomes the benchmark for the company’s other plants.
D. The company is setting a benchmark of U.S. $50,000 for employee training programs at each of its plants.
A
ANSWER: C
RATIONALE
The percentage of on-time orders at the best plant is an example of an internal nonfinancial benchmark. The other items are all external financial benchmarks.
(Section I, Chapter 2, Topic D)
7
Q
When the chief audit executive performs the risk assessment for the annual audit plan, which of the following would be most likely to raise the assessed risk of a potential audit area?
A. Fact that a critical activity had not been subject to a compliance audit during the past year
B. Request from senior management to review the strategic plan
C. Material, anticipated drop in cash flow after plant closings
D. Significant increase in receivables with a decrease in sales
A
ANSWER: D
RATIONALE
Unanticipated increases or decreases of significant size in significant measures, such as the amount of receivables, are an indicator of risk worth consideration. If sales had also increased commensurately, this would not have been a red flag, but since sales decreased, this is unexpected. A request from management to put an audit on the agenda is significant, but it does not necessarily indicate that the area is at risk. Compliance audits do not have to be conducted annually unless there is evidence indicating that an audit is necessary.
(Section I, Chapter 2, Topic B)
8
Q
Determination of cost savings is most likely to be an objective of
A. program audit engagements.
B. compliance audit engagements.
C. financial audit engagements.
D. operational audit engagements
A
ANSWER: D
RATIONALE
Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency. Program audit engagements address accomplishment of program objectives. Financial auditing addresses accuracy of financial records. Compliance auditing addresses compliance with requirements, including legal and regulatory requirements.
(Section I, Chapter 2, Topic C)
9
Q
Which of the following describes acceptable practice in small internal audit activities?
A. Close and daily supervision may take the place of formal internal audit operations manuals.
B. The quality assurance and improvement program is optional.
C. It is generally understood and accepted that absolute conformance with The IIA’s mandatory guidance is unlikely.
D. Detailed written policies and procedures are even more needed than in large internal audit organizations.
A
ANSWER: A
RATIONALE
Implementation Guide 2040 explains that in small internal audit activities, close and daily supervision may take the place of formal internal audit operations manuals. Conformance with The IIA’s mandatory guidance is expected, regardless of internal audit activity size. Detailed policies and procedures are more likely to be found in larger, more mature audit activities, not smaller ones. The quality assurance and improvement program is part of mandatory guidance (1300 series of Standards) and is not optional, regardless of audit activity size.
(Section I, Chapter 1, Topic A)
10
Q
The primary purpose of budgets is to
A. move a company toward its short- and long-term strategic goals.
B. define a company’s mission.
C. provide an informal communication network.
D. determine when and how much to limit scope on each engagement.
A
ANSWER: A
RATIONALE
Budgets provide a tight, goal-oriented, rational linkage with the strategic plan. The scope of engagements should be based on the risk assessment and other factors rather than the budget. If the budget is not sufficient for the planned scope, the chief audit executive should request the required funds, and if these are not approved, indicate the scope limitation and its likely impact.
(Section I, Chapter 1, Topic B)
11
Q
Of the options listed, the most important risk to consider related to interviews of prospective internal audit employees is
A. extending an offer to someone who is not the most qualified applicant.
B. that the audit activity should be recruiting contractors instead.
C. interviewers asking illegal questions of applicants.
D. needing to conduct multiple rounds of interviews.
A
ANSWER: C
RATIONALE
Those conducting interviews should be trained to reduce the risk of asking illegal questions, requesting that applicants take illegal or invalid tests, or being inconsistent in the use of allowed questions or tests. Extending an offer to someone who is not the most qualified applicant is a risk but it isn’t the biggest risk listed. Also, it may be necessary such as if the most qualified candidate has unrealistic salary expectations. Multiple rounds of interviews are common; recruit selection involves narrowing the choice down to those applicants who have the requisite qualifications and then conducting one or more rounds of interviews with those applicants. Contractor selection will involve many of the same steps as recruit selection, but a key factor is ensuring compliance with tax laws related to use of contractors. Since some organizations have overused contractors to avoid paying benefits and employment taxes, many governments have created tax and employment regulations related to contractor duties and how they are managed; the opposite is true – a risk to interviews of prospective contractors is that the audit activity should be recruiting employees instead.
For more information, refer to Section I, Chapter 1, Topic B
12
Q
In conducting an initial risk assessment, a newly established internal audit activity finds that the organization has no risk management process in place. Which of the following would be an appropriate response, according to The IIA’s International Professional Practices Framework?
A. The internal audit activity should recognize that the decision to establish a risk management policy belongs to management and is not within the scope of the internal audit activity.
B. The internal audit activity should make suggestions to management regarding ways to establish such a process.
C. The internal audit activity should consider lack of a risk management process to be a red flag and should schedule a management fraud engagement.
D. The chief audit executive should seek the advice of legal counsel about violations of regulations governing risk management.
A
ANSWER: B
RATIONALE
Management owns risk and risk management, but, if there is no risk management process in an organization, the internal audit activity should bring this situation to management’s attention and suggest ways to establish such a process. Even if lack of a risk management process were a red flag, scheduling a fraud engagement would be premature without further evidence that fraud might be occurring. In most businesses, lack of a risk management process violates no laws or regulations.
(Section I, Chapter 2, Topic B)
13
Q
Which of the following best describes competitive benchmarking?
A. It looks at the performance of other organizations that have similar processes as the benchmark.
B. It looks within the department or process itself by selecting a stellar performance that rises (but not unreachably) above the current baseline performance.
C. It looks at a process in one operation and compares it to a process with similar characteristics but in another industry.
D. It looks at industry-wide measures as a target for improvement.
A
ANSWER: A
RATIONALE
An example of competitive benchmarking is when an organization attempts to achieve the same sales numbers as a competitor. The organization uses its competitor’s numbers as its benchmark for success.
For more information, refer to Section I, Chapter 2, Topic D
14
Q
A chief audit executive (CAE) of a small community bank refreshes his risk assessment four months into the current audit plan year. From the refresh, he decides it is necessary to adjust the audit plan by adding an assessment of a newly launched, high-risk loan product that was urgently initiated by the vice president of lending due to competition from a local credit union. The CAE should
A. request a meeting with the vice president of lending for her approval of new engagement objectives and scope.
B. notify regulatory authorities to understand their scheduled lending activity examinations for proper coordination of work.
C. communicate the significant audit plan change to the board and senior management for review and approval.
D. substitute the high-risk loan product audit for other routine loan compliance work in the approved plan to stay on budget.
A
ANSWER: C
RATIONALE
Performance Standard 2020, “Communication and Approval,” states: “The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.” Eliminating previously approved engagements from the audit plan in favor of other work would be considered a significant interim change. It is not appropriate for management of the audited area to approve engagement objectives and scope; this is the CAE’s role. Notification to regulatory examiners regarding a new high-risk lending activity would not be appropriate.
For more information, refer to Section I, Chapter 3, Topic A
15
Q
Several members of an organization’s senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE’s response to senior management should include which of the following?
A. Changing the applicable standards for internal auditing within the organization to provide compliance with quality audit standards.
B. Estimating departmental cost savings that would result from the elimination of the internal audit activity.
C. Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
D. Changing the qualification requirements for new staff members to include quality audit experience.
A
ANSWER: C
RATIONALE
An internal auditor should always consider the added value of coordinating internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process – for example, with other internal assurance functions, such as quality control. By coordinating, the two functions can provide support for each other, and potentially make the audit process more efficient. Therefore, when responding to management in this scenario, the CAE should identify ways in which they believe working with the quality audit function can enhance the audit function.
For more information, refer to Section I, Chapter 2, Topic E
16
Q
In addition to the financial budget for the overall audit activity, the chief audit executive will also routinely prepare
A. a work hours and a schedule budget.
B. an office space requirements budget.
C. a time and materials budget.
D. a fixed vs. variable costs budget.
A
ANSWER: A
RATIONALE
The CAE will also create a schedule budget, aligning the number of available audit personnel against available work hours to determine the amount of coverage that can be provided during a fiscal year as well as within each audit project. A time and materials budget is generally used in production activities, not internal audit activities. Fixed and variable cost budgets are used in cost/volume/profit analysis, which is not generally applicable to internal audit activities. While an office space requirements analysis may be prepared infrequently (i.e., for a growing audit activity or for an upcoming office move), work hours and audit schedule budgets are routinely prepared in conjunction with the financial budget.
refer to Section I, Chapter 1, Topic B
17
Q
A hospital is evaluating the purchase of software to integrate a new cost accounting system with its existing financial accounting system. Which of the following describes the most effective way for the internal audit activity to be involved in the procurement process?
A. The internal audit activity has no involvement, since the system has already been developed externally.
B. The internal audit activity determines whether the prototyped model is validated and reviewed with users before production use begins.
C. The internal audit activity evaluates whether the application design meets internal development and documentation standards.
D. The internal audit activity evaluates whether performance specifications are consistent with the hospital’s needs.
A
ANSWER: D
RATIONALE
The internal audit activity should be involved to ensure the existence of performance specifications consistent with the hospital’s needs. Incomplete or erroneous specifications may result in the acquisition of unusable software or unenforceable contract terms with the software vendor.
For more information, refer to Section I, Chapter 2, Topic D
18
Q
An external auditor has asked the internal audit function of a large air transportation company for information uncovered during the most recent compliance review by a federal transportation regulatory agency. How should internal auditing respond to this request?
A. Share the information in an effort to reduce time spent by the external auditors, which would reduce cost to the organization.
B. Refuse. Internal audit should not share such information with parties outside the organization.
C. Direct the regulatory agency to release the information to the external auditors.
D. Ask the external auditors to demonstrate a need for specific information in writing before releasing the requested details.
A
ANSWER: A
RATIONALE
It is appropriate for the internal audit function to share information generated through a regulatory compliance review with external auditors since it will support a more efficient external auditing process and benefit the organization.
For more information, refer to Section I, Chapter 2, Topic E
19
Q
Internal auditing has been asked to help the marketing department of a health-care services company assess its performance and identify areas for improvement. Which of the following types of benchmarking would be most useful to the internal auditor in accomplishing this task?
A. Competitive
B. Internal
C. Generic
D. Functional
A
ANSWER: A
RATIONALE
Since there are many businesses competing to provide health-care services, it would be feasible to identify successful competitors and compare their skill sets, activities, and sophistication in process with the client activity. Functional benchmarking would use performance in another industry and might offer too many variables for easy comparison. Generic benchmarking would probably yield data that is too general. Internal benchmarking, which might compare the current marketing function with previous marketing functions in the organization, would not allow for the introduction of new ideas being tried outside the organization.
For more information, refer to Section I, Chapter 2, Topic D
20
Q
What is something to be gained from a Statement on Standards for Attestation Engagements (SSAE) No. 18 engagement?
A. Service providers can speed up the audits that each of their user organizations will need to do at least every three years.
B. Service providers can take advantage of a checklist for audit of control effectiveness.
C. It allows service organizations to disclose their control activities and processes in a uniform reporting format.
D. User organizations receive an internal auditor assessment of controls.
A
ANSWER: C
RATIONALE
The American Institute of Certified Public Accountants (AICPA) published its Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, to provide consolidated guidance for independent audits for certification to standards related to service providers and users of these services. SSAE 18 is widely recognized as authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. In other words, the organization contracts with an independent accounting and auditing firm to perform an audit in accordance with SSAE 18 and is able to produce the certification document for multiple parties that want assurance rather than being audited by all of them.
For more information, refer to Section I, Chapter 2, Topic C
21
Q
In a recent data backup recovery drill at a data center, an internal auditor observing the test noted that the IT professional had trouble reading the labels on some older backup repositories due to fading. This required loading several repositories until the correct one was found, which took a long time because it involved doing file date checks after the version was loaded. What would be the best thing for the internal auditor to recommend?
A. Off-site storage of backup media repositories
B. Storing the backup repositories in a dark place
C, Adoption of an automatic electronic labeling system
D. Periodic replacement of the oldest backups with newer versions
A
ANSWER: C
RATIONALE
Using systems that automatically label a file with an internal code mitigates the risk of external labels being lost or removed or becoming unreadable through time.
For more information, refer to Section I, Chapter 2, Topic C
22
Q
Having completed a thorough risk assessment process and selection of areas to audit, the internal audit activity should give first priority to which of the following engagements?
A. IT, because network software has recently been upgraded by an external consultant
B. Receivables, because they ranked highest in potential dollar loss
C. Payables, because an audit committee member has received an anonymous tip alleging that a staff member has been directing payments to fictitious accounts
D. Financial statements, because the report had a “qualified opinion” on a recent external audit report
A
ANSWER: C
RATIONALE
The first priority is to investigate the potential fraud in payables. A high ranking on particular measures (the large potential loss, for example) is not necessarily of highest priority if other measures of risk have been identified as significant.
For more information, refer to Section I, Chapter 2, Topic B
23
Q
The internal auditor is considering performing a risk analysis as a basis for determining which areas of the organization ought to be examined. Which of the following statements is correct regarding risk analysis?
A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
B. The highest risk assessment should always be assigned to the area with the highest probability of risk occurrence.
C. The highest risk assessment should always be assigned to the area with the largest potential loss.
D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
A
ANSWER: A
RATIONALE
The auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence.
For more information, refer to Section I, Chapter 2, Topic B
24
Q
A department asks internal audit to participate in a business process benchmarking initiative. The goal is to achieve a world-class work process and enhance customer satisfaction. Which is an appropriate activity for internal audit participation?
A. Determine how to measure the activity.
B. Identify the activity to benchmark.
C. Analyze the benchmark data and set goals and an action plan.
D. Evaluate the appropriateness of the benchmark.
A
ANSWER: D
RATIONALE
Effective benchmarking depends upon the care and intelligence invested in selecting the goal. A benchmark that can’t be measured and can’t be reached—or that can be reached too easily—has little or no value. Evaluating the benchmarks set by clients in the organization is a service appropriate for internal auditors to provide.
For more information, refer to Section I, Chapter 2, Topic D
25
Which of the following audit tests should be performed by an internal auditor who is reviewing controls over user authentication procedures?
A. Reviewing how proper separation of duties is established using access control software
B. Reviewing procedures concerning revocation of inactive users
C. Verifying password masking at public data terminals
D. Verifing provisioning protocols
ANSWER: C
RATIONALE
Password masking procedures are directed at user authentication. User authentication involves validating that the person is who he or she claims to be, which includes controls to ensure that a valid password is known only by the intended person. Methods used to establish user privileges within the access control software are concerned with user access to applications. Procedures concerning revocation of inactive users are directed at identification. Inactive users should no longer be accepted. Provisioning involves assigning a user role-appropriate access. It is a separate issue from user authentication, because it presumes that the user has been authenticated.
For more information, refer to Section I, Chapter 2, Topic C
26
Which of the following is a consulting rather than assurance role for internal auditors?
A. Evaluating the effectiveness of controls and managing key risks
B. Teaching management about risk and control tools and techniques
C. Designing and evaluating risk management processes
D. Assessing and reporting on risks in a reliable manner
ANSWER: B
RATIONALE
Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools is a consulting role for internal auditors. The other items are all assurance roles.
For more information, refer to Section I, Chapter 2, Topic D
27
In designing a control self-assessment (CSA) workshop, which of the following elements merits the most serious attention?
A. Scheduling time for participants to review information and suggest improvements
B. Designing carefully worded yes-no questions to ensure the gathering of precise information
C. Carefully briefing management to be certain to get higher-level commitment to the process
D. Developing metrics to assess respondents' answers to pre-workshop questionnaires
ANSWER: A
RATIONALE
All of the answers identify valid concerns, but the essence of CSA is the involvement of staff and management with a sense of ownership to be active process participants. Their knowledge and experience in the process being discussed will enhance the opportunity for agreement on process improvement.
For more information, refer to Section I, Chapter 2, Topic C
28
A primary benefit of internal audit budgeting is
A. to provide a tool for accountability for IT support partners, independent contractors and other service providers.
B. to demonstrate conformance with internal audit Standards and other mandatory guidance elements promulgated by The IIA.
C. to provide evidence of internal audit management effectiveness for organizational senior leadership and the external auditors.
D. to allow for early identification of conflicts or issues so that situations can be addressed by audit management in a timely manner.
```
ANSWER: D
RATIONALE
Some of the main benefits of internal audit budgeting are:
Planning ahead,
Definite objectives,
Early warning system,
Coordination of activities,
Management awareness, and
Personnel motivation.
Internal audit budgeting is not an element of The IIA’s mandatory guidance. Internal audit budgeting does not provide evidence of audit management effectiveness. Internal audit budgeting is a tool for internal audit management, not outside partners.
```
For more information, refer to Section I, Chapter 1, Topic B
29
A chief audit executive (CAE) has to determine how an organization can be divided into auditable activities. Which of the following is an auditable activity?
A. Business units only
B. Procedures, systems, and accounts
C. Regulatory mandates, specific individuals, and internal controls over financial reporting (ICFR)
D. Departments only
ANSWER: B
RATIONALE
Procedures, systems, and accounts can all be auditable activities or auditable units. Business, units, departments, regulatory mandates, and ICFR could also be auditable, but specific individuals would not be singled out.
For more information, refer to Section I, Chapter 2, Topic A
30
The chief audit executive (CAE) for a city has just completed a quarterly meeting with the audit committee. The committee has expressed a major concern it would like the audit department to examine as part of its operational audits during the next year: Is the downsizing that the city has been going through resulting in right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee's concerns. In spite of all the arguments, the CAE decides to go ahead and perform a preliminary investigation in two areas to address the audit committee's concern. Which procedure would be appropriate in performing the preliminary investigation?
A. Interview executive management to determine whether or not criteria exist to determine the right size of departments.
B. Interview departmental managers to determine the approaches they would use to select the areas needing to be audited the most.
C. Develop a productivity ratio that can be used to gather objective information on employee morale.
D. Use risk analysis and select the two departments that would hold the largest risk of potential misstatement of account balances.
ANSWER: A
RATIONALE
If criteria exist to determine the right size of departments, this would form a baseline for the rest of the analysis. Misstatement of account balances is not the objective of the audit. More appropriately, the auditor should look for departments that have experienced large reductions in size.
For more information, refer to Section I, Chapter 2, Topic C
31
Internal auditors can evaluate the management function of planning (as opposed to organizing, directing, or monitoring) by determining
A. whether new standards of performance are established and disseminated when the old standards are inadequate or ineffective.
B. whether each management plan carries a means of measuring its success.
C. whether employee compensation is consistent with the organization's specifications for compensation ranges by employee grade.
D. what managers are responsible for and what they are authorized to do.
ANSWER: B
ATIONALE
Determining whether each plan carries a means of measuring its success is one way internal auditors facilitate the management function of planning. Determining what managers are responsible for and what they are authorized to do relates to the management function of organizing. Determining whether employee compensation is consistent relates to the management function of directing. Determining whether new standards of performance are established and disseminated when the old standards are ineffective relates to the management functions of directing and monitoring.
For more information, refer to Section I, Chapter 1, Topic A
32
It is essential to ensure that internal audit policies and procedures are
A. aligned with The IIA’s Global Technology Audit Guides (GTAG’s).
B. aligned with The IIA’s Implementation Guidance.
C. aligned with The IIA’s position paper “Three Lines of Defense.”
D. aligned with The IIA’s Code of Ethics
ANSWER: D
RATIONALE
As noted in Standard 2040, “Policies and Procedures,” internal audit policies and procedures should be aligned with The IIA’s mandatory guidance. The Code of Ethics is included in the mandatory guidance; all others are recommended guidance (but not mandatory).
For more information, refer to Section I, Chapter 1, Topic A
33
Which of the following statements describes an important role that the chief audit executive (CAE) plays with regard to external auditors?
A. The CAE generally selects and provides oversight of the external auditors.
B. The CAE is responsible for ensuring that the work of internal and external auditors is carried out in a coordinated, cost-effective manner.
C. The CAE reviews results of all external financial audits and assigns audit staff to design controls to prevent recurrence of problems identified in the external audits.
D. The CAE informs the external auditors of their responsibilities in regard to the Standards and The IIA's Code of Ethics and ensures compliance.
ANSWER: B
RATIONALE
The CAE is responsible for coordinating the work of internal and external auditors to avoid unnecessary (and costly) redundancy. The audit committee provides oversight of the external auditors, who are not responsible for abiding by the Standards and The IIA's Code of Ethics. Designing controls, as opposed to assessing them, may compromise the internal auditor's independence.
For more information, refer to Section I, Chapter 2, Topic E
34
Internal audit policies typically include guidance on
A. independence and objectivity.
B. communicating results of engagements.
C. preparing a risk-based audit plan.
D. monitoring and follow-up activities.
ANSWER: A
RATIONALE
Standard 2040, “Policies and Procedures,” specifically states that internal audit policies should include guidance on Independence and Objectivity. The other choices would be included in internal audit procedures (not policies).
For more information, refer to Section I, Chapter 1, Topic A
35
In which type of assurance engagement would an auditor focus on organizational targets, goals, or business objectives?
A. Quality audit engagement
B. Performance audit engagement
C. Financial audit engagement
D. Operational audit engagement
ANSWER: B
RATIONALE
In performance audit engagements, auditors focus on organizational targets, goals, or business objectives—key performance indicators (KPIs).
For more information, refer to Section I, Chapter 2, Topic C
36
A password is an example of
A. a data storage control.
B. a logical security control.
C. a physical security control.
D. a hazard control
ANSWER: B
RATIONALE
Passwords are a form of a logical security control. Logical security is electronic in nature, and it is designed to achieve the same results as physical controls. Passwords are the most common means of authenticating users. They limit access to computer systems and the information stored on them.
For more information, refer to Section I, Chapter 2, Topic C
37
A chief audit executive (CAE) performs an internal audit staff skills and experience analysis and then maps this analysis to requirements of her proposed risk-based plan. The output of this gap analysis will enable the CAE
A. to eliminate those engagements from the plan for which the audit activity lacks the necessary skills and experience.
B. to eliminate routine testing of internal controls over financial reporting for the external auditors in favor of other priorities.
C. to communicate the impact of identified resource limitations to senior management and the board.
D. to justify an increased internal audit activity budget in order to obtain lacking skills and experience to fulfill plan requirements.
ANSWER: C
RATIONALE
Standard 2020, “Communication and Approval,” states, “The chief audit executive must also communicate the impact of resource limitations.” Eliminating engagements from the proposed risk-based plan due to lack of skills and experience is inappropriate. While the analysis may support an increased audit activity budget, the standard requires communicating the impact of resource limitations. While eliminating external audit support activities may free up resources for other audit engagements, it is inappropriate for the CAE to unilaterally make the decision to do so. Standard 2020 requires communicating the impact of resource limitations.
For more information, refer to Section I, Chapter 3, Topic A
38
During the course of a business process review, an internal auditor may
A. oversee the implementation of recommended controls.
B. lead a system design team.
C. provide advice on appropriate controls during system design.
D. decide which controls to select.
ANSWER: C
RATIONALE
A business process review falls in the consulting category of engagements. During a consulting engagement (as in assurance engagements), an internal auditor cannot assume management responsibilities, make decisions, or execute transactions as if he or she were part of management. Providing advice is acceptable as long as there is a clear understanding that management has responsibility for accepting or rejecting the advice. The other responsibilities would significantly impair the auditor’s future ability to objectively evaluate the system.
For more information, refer to Section I, Chapter 2, Topic D
39
While conducting a risk assessment, internal auditors may use a number of criteria. Which would be considered subjective rather than objective?
A. Priority ranking of organizational objectives
B. Change in size of market share
C. Market value of oil futures the organization owns
D. Productivity ranked against industry benchmarks
ANSWER: A
RATIONALE
Measures of quality and significance are inherently subjective (or qualitative). Market share, market values of regularly traded derivatives such as futures, and benchmarks are all measurable quantitatively, so they can be considered objectively. (Although the importance of achieving a benchmark or a particular percentage of market share is subjective.)
For more information, refer to Section I, Chapter 2, Topic A
40
Which is a characteristic typical of a consulting engagement?
A. Results require mandatory reporting to a third party.
B. The internal auditor may assist in the design of corrective actions.
C. There are typically only three parties involved.
D. The scope of the audit is at the discretion of the internal auditor.
ANSWER: B
RATIONALE
Mandatory reporting to a third party is required in assurance engagements. Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:
The person or group offering the advice—the internal auditor
The person or group seeking and receiving the advice—the engagement client
For more information, refer to Section I, Chapter 2, Topic D
41
Internal audit staffing and workforce planning should primarily consider
A. the necessary experience, business knowledge and skill sets to perform the annual risk-based audit plan.
B. opportunities for auditor training, coaching and leadership.
C. using external service providers for cybersecurity and other highly technical audits.
D. regulatory examiner expectations of compliance and financial reporting audit skills.
ANSWER: A
RATIONALE
As noted in Standard 1210, “Proficiency,” the internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Performing the annual audit plan is the primary responsibility of the internal audit activity. While regulatory examiner expectations, the use of external service providers and opportunities for auditor training, coaching and leadership may also be considered in workforce planning, the requirements of the annual audit plan are the predominate consideration.
For more information, refer to Section I, Chapter 1, Topic B
42
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
A. reduce the scope of the audit, since the work has already been performed by the other department.
B. consider the work of the other department when assessing the function or process.
C. ignore the work of the other department and proceed with an independent audit.
D. yield the responsibility for assessing the function or process to the other department.
ANSWER: B
RATIONALE
Review and testing of the other department’s procedures may reduce necessary audit coverage of the function or process.
For more information, refer to Section I, Chapter 2, Topic E
43
The chief audit executive is least likely to have a primary role in
A. allocating budget audit hours among assigned staff.
B. updating the permanent files.
C. preparing the critique sheet for the audit.
D. reviewing workpapers.
ANSWER: B
RATIONALE
This is a task most likely performed by the audit staff. The others are common chief audit executive tasks.
For more information, refer to Section I, Chapter 1, Topic A
44
Risk assessment is a systematic process for assessing and integrating professional judgments about probable conditions and/or events. Which of the following statements correctly reflects the appropriate action for the chief audit executive (CAE) to take?
A. The CAE should generally assign audit priorities to activities with higher risks.
B. The CAE should restrict the number of sources of information used in the risk assessment process.
C. The risk assessment process should be conducted at least every three to five years.
D. Work schedule priorities should be established in order to lead the CAE in the risk assessment process.
ANSWER: A
RATIONALE
Performance Standard 2010 states, "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."
For more information, refer to Section I, Chapter 2, Topic B
45
A small architectural firm is planning to remodel its offices. The project involves removing and adding walls to increase traffic flow, installation of new cubicles, and new decor. What type of contract listed is best for the firm?
A. Unit-price
B. Lump-sum
C. No-bid
D. Cost-plus
ANSWER: B
RATIONALE
Lump-sum contracts work well and are commonly used if the work required is uncomplicated and the work is completed as agreed upon. In these cases, there may be little reason for an audit of the contract.
For more information, refer to Section I, Chapter 2, Topic C
46
A security audit needs to evaluate risk exposures related to the organization's governance, operations, and information systems regarding
A. the reliability and integrity of internal auditing.
B. the financial instrument investment policy.
C. job safety.
D. the safeguarding of assets.
ANSWER: D
RATIONALE
Security audits primarily focus on governance, risks, and controls related to the safeguarding of assets and the reliability and integrity of financial and operational information.
For more information, refer to Section I, Chapter 2, Topic C
47
To improve audit efficiency, internal auditors can rely upon the work of external auditors that is
A. conducted in accordance with The IIA's Code of Ethics.
B. coordinated with internal audit activity.
C. performed after the internal audit engagement.
D. primarily concerned with operational objectives and activities.
ANSWER: B
RATIONALE
Coordinating internal and external audit work helps to prevent duplication in coverage, thereby improving internal audit efficiency. Internal auditing encompasses both financial and operational objectives and activities. Therefore, internal audit coverage could also be provided by external audit work, which includes primarily financial objectives and activities. External audit work is conducted in accordance with Generally Accepted Auditing Standards or other similar international standards.
For more information, refer to Section I, Chapter 2, Topic E
48
An audit of environmental controls, including regulatory compliance, has been concluded. Possible corrective actions are being discussed at a closing conference. The environmental manager states that funds are not available in this year's budget to make necessary changes and repairs to the hazardous waste storage yard. The deficiencies prevent management from complying with controls established to manage waste safely and to comply with regulations. The auditor should
A. accept temporary, but clearly incomplete, corrective action in order to improve the situation.
B. agree that corrective action may be postponed until funds can be provided in the following year's budget.
C. involve senior management in the decision.
D. insist that the changes and repairs be made, regardless of any apparent budget constraints.
ANSWER:
49
Two organizations agree to share data on store operations. The data reveals that three stores in company A are characterized by significantly lower gross margins, higher-than-average sales volume, and higher levels of employee bonuses. The three stores are part of a set of six that are managed by a relatively new section manager. The store managers of the three stores are also relatively new. What is the most likely cause of the observed data?
A. Promotional activities that offer large discounts coupled with the payment of commissions to employees who reach targeted sales goals
B. Fraudulent activity whereby goods are taken from the stores, thus resulting in the lower gross margins
C. Problems with employee training and employee ability to meet customer needs
D. Relative inexperience of the store managers, especially their offering bonuses that are reducing gross margins
ANSWER: A
RATIONALE
This is the one explanation that could be supported by all the data elements and would thus form a hypothesis for subsequent audit testing. For example, gross margins are lower, which means that the revenue per unit sold is less than at other stores, and this could be explained by the large discounts. (Note that the size of sales commissions would not affect the gross margin, since this is not part of the cost of goods sold.) The relative inexperience of the store managers might be a potential explanation for one store but is unlikely to occur at all three stores. Employee training might be a problem, but the data tends to contradict it. Sales are increasing, which would indicate customer satisfaction. There is not enough evidence to indicate that fraud might be present. In order for this hypothesis to hold true, there would have to be significant amounts of inventory shrinkage. This does not explain higher sales and bonuses.
For more information, refer to Section III, Chapter 2, Topic B
50
During an audit, which factor should the internal auditor consider more than the other options listed when determining the extent to which analytical procedures should be used?
A. Whether the area represents significant risk to objectives
B. The remaining available budget for such procedures
C. Precision with which the results of analytical audit procedures can be predicted
D. Availability of a suitable analytical procedure
ANSWER: A
RATIONALE
Analytical procedures take time and money to complete but may nevertheless be critical to audit testing. Therefore, additional procedures should be added only to areas that represent
significant risk, either because they relate to achievement of objectives or because they have special qualities such as complexity or vulnerability to failure. Once an area is determined to be important to test using analytical procedures, then the other considerations can take place, but lack of budget should not be a reason to avoid a procedure that is deemed necessary and relevant.
For more information, refer to Section III, Chapter 2, Topic D
51
Productivity statistics are provided quarterly to the board of directors. An auditor checks the ratios and other statistics in the four most recent reports. The auditor uses scratch paper and copies of the board reports to verify the accuracy of computations and compares the data used in the computations with supporting documents. The auditor writes a note describing his work for the working papers and then discards the scratch paper and report copies. The auditor's note states the following:
"The ratios and other statistics in the quarterly board reports were checked for the last four quarters, and appropriate supporting documents were examined. All amounts appear to be appropriate."
Which of the following is true of this situation?
A. The auditor should have included the scratch paper in the workpapers.
B. Four quarters is not a large enough sample on which to base a conclusion.
C. The auditor's working papers are not sufficient to facilitate an efficient review of the auditor's work.
D. The auditor did not consider whether the information in the board report was compiled efficiently.
ANSWER: C
RATIONALE
It is not possible for a reviewer to check any of the auditor's work without obtaining additional copies of the quarterly reports and independently checking the computations. The review would be much more efficient if the auditor had included the board reports in the working papers and had used tick marks with explanations to show which computations were checked and describe what he did to verify the amounts used in the computations.
For more information, refer to Section III, Chapter 2, Topic E
52
Internal audit is conducting risk assessment in engagement planning. Management has already created an assessment of risk as part of an enterprise risk management framework. The internal audit function should do which of the following related to the management assessment?
A. Avoid using the management assessment because adopting it would hinder independence and objectivity.
B. Assess the reliability of the management assessment prior to adopting it.
C. Avoid using the management assessment because its objectives differ significantly from those of an audit risk assessment.
D. Adopt the management assessment without reservations to avoid duplication of effort.
ANSWER: B
RATIONALE
Implementation Guide 2210, “Engagement Objectives,” states, "It is helpful for internal auditors to determine whether a risk assessment was performed during the engagement's planning phase and to attain a thorough understanding of the risks of both the organization and the area or process under review. In addition, it is critical to understand the expectations of stakeholders including senior management and the board." The internal auditor also considers the reliability of management’s acceptance of risk.
For more information, refer to Section II, Chapter 1, Topic C
53
As a particular audit is being planned in a high-risk area, the chief audit executive determines that the available staff does not have the requisite skills to perform the assignment. The best course of action, consistent with the Standards for audit planning, would be to
A. consider using external resources to supplement the needed knowledge, skills, and disciplines and complete the assignment.
B. use the audit as a training opportunity and let the auditors learn as the audit is performed.
C. not perform the audit since the requisite skills are not available.
D. perform the audit but limit the scope in light of the skill deficiency.
ANSWER: A
RATIONALE
Proper planning includes documented determination of resources including consideration of supplementation (Performance Standard 2230).
For more information, refer to Section II, Chapter 1, Topic E
54
Difference estimation sampling is appropriate to use to extrapolate the dollar error in a population if
A. virtually no differences between the individual book values and the audited values exist.
B. a number of nonproportional differences between book values and audited values exist.
C. observed differences between book values and audited values are proportional to book values.
D. subsidiary ledger book balances for some individual inventory items are unknown.
ANSWER: B
RATIONALE
There must be a sufficient number of nonproportional errors to generate a reliable sample estimate.
For more information, refer to Section III, Chapter 1, Topic C
55
After partially completing an internal control review of the accounts payable department, an auditor suspects that some type of fraud has occurred. To ascertain whether the fraud is present, the best approach would be to use
A. probability-proportional-to-size sampling to select a sample of vouchers processed by the department during the past year.
B. simple random sampling to select a sample of vouchers processed by the department during the past year.
C. judgmental sampling to select a sample of vouchers processed by clerks identified by the department manager as acting suspiciously.
D. discovery sampling to select a sample of vouchers processed by the department during the past year.
ANSWER: D
RATIONALE
The purpose here is to determine whether any fraud has taken place rather than to estimate its overall frequency. Discovery sampling is designed specifically to do this.
For more information, refer to Section III, Chapter 1, Topic C
56
Of the following, which is the most efficient source for an auditor to use to evaluate a company's overall control system?
A. Narrative describing departmental history, activities, and forms use
B. Industry operating standards
C. Standard operating procedures
D. Flowchart
ANSWER: D
RATIONALE
Flowcharting is an efficient and comprehensive method of describing relatively complex activities, especially those involving several departments. Copies of procedures and related forms do not provide an efficient method of overviewing the processing activities. A narrative review covering the history and forms use of the department is not as efficient or comprehensive as flowcharting for communicating relevant information about controls. Industry standards do not provide a picture of existing practice for subsequent audit activity.
For more information, refer to Section III, Chapter 2, Topic C
57
Policies and procedures provide guidance to management and employees. An internal auditor in a multinational organization is preparing to perform an operational review of a senior management function. Should the auditor expect to find policies and procedures at this level?
A. Yes, all policies and procedures are developed by senior management.
B. No, senior management develops policies and procedures only for lower levels.
C. Yes, policies and procedures should be used throughout an organization's ranks.
D. No, only middle managers and below develop and use policies and procedures.
ANSWER: C
RATIONALE
Ensuring that the “tone at the top” reinforces rather than undermines process-level controls is an example of a key governance control at the entity level. One good way to ensure this occurs is for senior management to develop and adhere to a set of relevant policies and procedures.
For more information, refer to Section II, Chapter 1, Topic B
58
The chief audit executive (CAE) is responsible for sharing information and coordinating activities with other internal and external service providers to ensure proper coverage and minimize duplication of efforts. With the exception of the external auditors responsible for auditing the organization’s financial statements, which of the following coordination activities should be limited to internal assurance and consulting providers?
A. Access to audit programs, working papers, and management letters
B. Exchange of organizational charts
C. Common understanding of audit techniques, methods, and terminology
D. Copies of regulatory reports relevant to audit engagements
ANSWER: A
RATIONALE
Reviews conducted by internal assurance and consulting providers and the external auditors responsible for auditing the organization’s financial statements typically address areas and issues that are relevant to internal auditing’s scope of work.
For more information, refer to Section I, Chapter 2, Topic E
59
Following a negative performance evaluation by a supervisor, a staff auditor goes to the audit director to seek a change in the evaluation. The director is familiar with the auditor's performance and agrees with the evaluation. The director agrees to meet and discuss the situation. Which of the following is the best course of action for the director to take?
A. The director should meet privately with the employee and should tell the employee of his or her agreement with the performance evaluation, expressing interest in any additional facts the employee may wish to present.
B. The director should have the supervisor participate in the meeting so there is no misunderstanding about the facts.
C. The director should meet informally with the employee and should encourage a conversation in public by asking for the employee’s side of the issue and disclaiming any agreement with the supervisor.
D. The director should ask a human resources administrator to be present to ensure that improper statements are not made.
ANSWER: A
RATIONALE
A private conversation signals to the employee that the director is interested in what he or she has to say and will not be measuring his or her words against those of another. However, the director must establish a position and show support for the supervisor. There may be more than one valid viewpoint, but that does not necessarily mean that the employee's viewpoint is valid.
For more information, refer to Section III, Chapter 3, Topic A
60
Which is the most significant risk listed for an exit conference at the end of an audit engagement?
A. The audit client has little to say about the report and duly files it away for future reference.
B. Senior management is upset about the report and make a big deal out of it with affected middle management.
C. Just those people who attended the entrance conference attend the exit conference.
D. The audit client asks for clarification on many points and needs many misunderstandings to be resolved.
ANSWER: A
RATIONALE
Success in the exit conference phase is crucial, since audit reports are not meant to be filed with other seldom-read reference works but are intended instead to stimulate activity—or at the very least receive serious consideration.
For more information, refer to Section IV, Chapter 1, Topic E
61
An internal audit team completes an audit of a company's compliance with its lease-versus-purchase policy concerning company automobiles. The audit report notes that the basis for several decisions to lease rather than purchase automobiles was not documented and is not auditable. The report contains a recommendation that operating management ensure that such lease agreements not be executed without proper documentation of the basis for the decision to lease rather than buy. The internal auditors are about to perform follow-up work on this audit report. Senior management says they have decided to accept the risk involved in failure to document the basis for lease-versus-purchase decisions involving company automobiles. In such a case, what would be the auditors' reporting obligation?
A. The auditors should issue a follow-up report to management clearly stating the rationale for the recommendation that the basis for lease-versus-purchase decisions be properly documented.
B. The auditors have no further reporting responsibility.
C. The auditors should inform the external auditor and any responsible regulatory agency that no action has been taken on the finding in question.
D. Management's decision and the auditors' concern should be reported to the company's board of directors.
ANSWER: B
RATIONALE
When senior management has assumed such risk, reporting to the board is required only for significant findings. There is no indication that the failure to document several decisions is significant enough to report to the board.
For more information, refer to Section IV, Chapter 1, Topic F
62
The chief audit executive (CAE) believes that the proposed organizational budget will not enable the activity to perform planned risk management projects. What action should the CAE take?
A. Plan the annual audit schedule accordingly, performing as many risk management activities as possible within the budget.
A. Go around senior management and appeal directly to the board for the necessary budget.
C. Arrange to co-fund risk management projects with other functions.
D. Use time at a board meeting to educate senior management about the process and benefits of risk management.
ANSWER: D
RATIONALE
Interpretation of Standard 2000, “Managing the Internal Audit Activity,” notes that the internal audit activity adds value to the organization when it “contributes to the effectiveness and efficiency of governance, risk management, and control processes.” The CAE can effectively fulfill this role by educating the board and senior management on the benefits of risk management to the organization.
For more information, refer to Section I, Chapter 3, Topic C
63
Internal auditing is conducting an assurance audit of a regional office. The audit team does not suspect fraud, but it has found significant gaps in controls that could create opportunity for fraud (for example, allowing the same individual to send invoices and receive payments) and laxity in record keeping. Some documentation of expenses is missing, but the internal auditors have obtained documentation from vendors. Furniture appears to be missing. It may have been stolen, but it is equally possible that it was discarded. The audit team has completed a report listing the various issues, explaining the potential for loss and fraud that these issues have created and citing company policies and procedures. Management of the office responds to the report via email. It says that it believes the recommendations are unwarranted, that the report questions the honesty of loyal employees, and that implementation of the recommendations would be an unnecessary waste of the office's time. However, to satisfy concerns about invoicing and billing, the manager promises to review the paperwork weekly. What might be an appropriate time frame to schedule monitoring to evaluate management's response to the audit recommendations?
A. The recommendations should be implemented immediately because of their significance.
B. Given the minor nature of the problems, no deadline is required. Auditing can review the situation at its next regular engagement.
C. Management should ensure that the identified problems have been addressed within a specified time frame.
D. Management should ensure an adequate response to the identified shortcomings within 30 days.
ANSWER: C
RATIONALE
The findings do not require an urgent response, although auditing will want to monitor the response within the specified time frame. Many organizations focus on 90 days, but there is no specific statement in The IIA's Standards.
For more information, refer to Section IV, Chapter 2, Topic A
64
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which would be required as part of such an engagement?
A. Determining the existence of management expertise in proposed investments in sophisticated instruments
B. Determining whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations
C. Determining the nature of controls established by the board to monitor the risks in the investments
D. Determining if policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may make investments
ANSWER: D
RATIONALE
A key control for limiting risk in investments of any sort is to have a clear policy that prohibits use of certain instruments and permits use of other instruments. Although an audit of the adequacy of controls over investments in new financial instruments might be informational, there is no need to develop a comparison of investment returns with other organizations. Indeed, financial investment scandals have shown that such comparisons can be highly misleading because high returns can be due to taking on a high level of risk. Also, this is not a test of the adequacy of the controls. Management needs to have a reasonable understanding of the types of investments allowed under their investment policies, but expertise would be more suited to be a requirement for the individual investors. Management, not the board, establishes controls.
For more information, refer to Section II, Chapter 1, Topic C
65
An auditor is scheduled to audit payroll controls for a company that has recently outsourced its processing to an information service bureau. What action should the auditor take, considering the outsourcing decision?
A. Review only the controls over payments to the service bureau based on the contract.
B. Cancel the engagement because the processing is being performed outside of the organization.
C. Review the controls over payroll in both the company and the service bureau.
D. Review only the company's controls over data sent to and received from the service bureau.
ANSWER: C
RATIONALE
Controls at the service bureau and the user organization are both important to the control of the overall payroll function. Though the processing is being performed outside the organization, the external information service bureau is an extension of the organization's information systems. In fact, the risk may be higher, since an external organization controls part of the internal control environment. Also, the recent change increases the company's risk, as does the complexity of communicating between the organization and the service bureau.
For more information, refer to Section III, Chapter 2, Topic D
66
The internal auditor includes summaries in the workpapers for which of the following reasons?
A. To tie together groups of papers that bear upon a single point
B. To provide a place to state conclusions based on preceding detailed evidence
C. To conform to requirements in The IIA's Standards and Implementation Guides
D. To use in briefing senior management in place of the entire final report
ANSWER: A
RATIONALE
Workpaper summaries can draw together information from a group of papers and focus it on one point; they are not the place to develop conclusions and recommendations, though they would include them. Senior management receives the entire final report.
For more information, refer to Section III, Chapter 2, Topic E
67
Which of the following procedures would provide the most relevant evidence to determine the adequacy of an allowance for doubtful accounts receivable?
A. Analyzing the allowance through an aging of receivables and an analysis of current economic data
B. Confirming the receivables
C. Analyzing the following month's payments on the accounts receivable balances outstanding
D. Testing the controls over the write-off of accounts receivable to ensure that management approves all write-offs
ANSWER: A
RATIONALE
Aging of receivables provides direct, relevant evidence regarding the valuation of receivables and thus the allowance account.
For more information, refer to Section III, Chapter 2, Topic B
68
A chief audit executive (CAE) sets up a computerized spreadsheet to facilitate a risk assessment process involving a number of different divisions in the organization. The spreadsheet includes the following factors:
Pressure on divisional management to meet profit goals
Complexity of operations
Competence of divisional personnel
Dollar amount of subjectively influenced accounts in the division, such as accounts where management's judgment can affect the expense (for example, post-retirement benefits)
The CAE uses a group meeting of audit managers to reach a consensus on the competence of divisional personnel. Other factors are assessed as high, medium, or low by either the CAE or an audit manager who has audited the division. The CAE assigns a weight ranging from 0.5 to 1.0 to each factor and then computes a composite risk score. Which of the following statements is true of this risk assessment process?
A. The weighting is subjective and should have been determined through a process such as multiple regression analysis.
B. The risk analysis would not be appropriate because it mixes both quantitative and qualitative factors, thereby making expected values calculation impossible.
C. Using a subjective group consensus to assess personnel competence is appropriate.
D. Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk assessment process because the ratings are not quantifiable.
ANSWER: C
RATIONALE
Group consensus tends to eliminate the extreme judgments that might occur with a single evaluator and would be an acceptable method. In making judgments, risk analysis should consider all appropriate factors and need not be limited to quantitative or expected value calculations. It may include weightings such as high, medium, and low. In this case, subjective analysis is acceptable. It would be difficult to use multiple regression analysis to obtain a weighted average for the risk weighting model because no criterion value exists to determine the weightings.
For more information, refer to Section II, Chapter 1, Topic C
69
An internal auditor is explaining the use of a risk control matrix to an assurance engagement client. The client is skeptical of the matrix's value and believes that it will take an unreasonable amount of time to complete. Which of the following statements would be effective responses to this objection?
A. The information on the matrix helps focus attention on the conditions that pose the greatest risk to the business objectives.
B. Completing the matrix ensures that all the risks associated with each business objective will be identified and adequately addressed, including use of controls to mitigate each risk.
C. The risk control matrix helps to put an exact economic value on the risks faced by the area being audited, so the benefits will clearly outweigh the costs.
D. Completing the matrix requires little time and demonstrates commitment to the risk control philosophy.
ANSWER: A
RATIONALE
Generally, risk control matrices allow internal auditing and clients to identify risks associated with the clients' objectives and to prioritize those risks according to probability and significance. The risk control matrix is one of the processes for validating internal controls recommended in the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Generally, a risk control matrix does not incorporate an analysis of the exact economic costs of each risk, and it cannot guarantee that all risks will necessarily be indentified, nor can it guarantee what the management responses will be. And while completing the risk control matrix is a lesson in the risk control approach and demonstrates awareness of the value of this approach to an organization, it will probably require a significant time investment.
For more information, refer to Section II, Chapter 1, Topic C
70
An internal auditor is conducting an operational audit of the information system department. Which of the following factors would the auditor give the most weight to in evaluating the effectiveness of the department?
A. It has a robust technical staff.
B. It uses leading-edge technology.
C. Its objectives and goals are consistent with the overall objectives of its organization.
D. It is given top priority in the budgeting process.
ANSWER: C
RATIONALE
The information systems department must be aware of where the organization is going in the future in order to adequately support it.
For more information, refer to Section II, Chapter 1, Topic A
71
During an operations audit, the internal auditor hears testimony from several staff members that a supervisor has developed a drinking problem in recent months. This has led to erratic and sometimes abusive behavior that has seriously reduced morale and affected staff performance. After hearing the same story several times and observing telltale signs of alcoholism in the supervisor, which of the following steps should the auditor take?
A. Talk to the supervisor to get his or her side of the story.
B. Treat the matter as confidential, personal information that should not be documented in the workpapers.
C. Advise the staff members who have complained to contact human resources.
D. Report the situation to senior management and suggest appropriate steps for them to take.
ANSWER: D
RATIONALE
The auditor should let senior management know that a situation is developing in which the manager's personal problem with drinking has affected his professional ethics, with consequences for staff morale and efficiency.
For more information, refer to Section I, Chapter 3, Topic B
72
Internal audit wants to assess management's opinion about a recently completed engagement. Which of the following would be the most effective and efficient way to accomplish this?
A. Conversational interviews with key players in the engagement
B. Series of yes/no questions where yes indicates approval and no indicates dissatisfaction with a performance-related statement
C. Mostly numerical ranking statements and space for additional qualifying comments
D. Focus group designed to explore attitudes and opinions regarding specific topics
ANSWER: C
RATIONALE
Ratings, rankings, or yes/no questions (sometimes called forced-choice questions) are simple to answer and score. Open comments or questions can reveal valuable insights. When used in combination in a questionnaire format, they can reasonably assess client perceptions.
For more information, refer to Section III, Chapter 1, Topic B
73
Which is a statistical process control (SPC) technique that has been developed for auditing rather than being part of a set of standard SPC techniques?
A. Dollar-unit sampling
B. Continuous auditing and feedback
C. Acceptance sampling
D. Quality control charts
ANSWER: A
RATIONALE
Dollar-unit sampling is a sampling technique that has been uniquely applied to auditing. It is not used in statistical process control. Acceptance sampling is a standard statistical process control technique. Quality control charts are an integral part of TQM approaches. Continuous monitoring and frequent feedback are two of the important elements of statistical process control.
For more information, refer to Section III, Chapter 1, Topic C
74
Management of a company is attempting to build a reputation as a world-class manufacturer of quality products. On which of the four costs of quality should the company spend the majority of its funds?
A. External failure costs
B. Appraisal costs
C. Internal failure costs
D. Prevention costs
ANSWER: D
RATIONALE
The firm would do well to spend the bulk of its funds on prevention through better product and process design and testing, supplier evaluation and training, employee training, and preventive maintenance—that is, preventing quality breakdowns before the product is produced.
For more information, refer to Section I, Chapter 2, Topic C
75
Should an internal auditor include statements acknowledging satisfactory performance when communicating engagement results?
A. Yes; it may improve the client's receptiveness to the audit findings and recommendations to address problems.
B. No; it is good practice in any engagement where notable performance exists, but satisfactory performance is by definition not noteworthy.
C. Yes; though not mandated, it demonstrates due diligence and objectivity.
D. Yes; the Standards mandate that communications should do so.
ANSWER: A
RATIONALE
Standard 2410.A2 states, "Internal auditors are encouraged to acknowledge satisfactory performance in engagement reports." This is the only place in the Standards where the word "encouraged" is used. Whether this is done and to what extent generally correlates with client expectations and the level of notable performance. If the auditor sets a tone of fairness and objectivity, the client is much more likely to be receptive to the findings and recommendations.
For more information, refer to Section IV, Chapter 1, Topic B
76
Identifying and documenting that the controls that management says are in place are really in place and evaluating whether these controls are well designed are often part of which of the following steps in a risk control matrix?
A. Identify the controls.
B. Evaluate the adequacy of controls.
C. Test the effectiveness of controls.
D. Identify risks to business objectives
ANSWER: B
RATIONALE
After identifying the controls that should be in place as part of developing a risk control matrix, the next step would be to evaluate the adequacy of controls. This step asks the question “Are the control processes for managing this risk well designed?” As part of this step, the internal auditor identifies and documents the controls that management says are in place and evaluates how well designed the controls are—if they are effective, efficient, and economical and are working the way they were designed to work. Testing the effectiveness of controls is a later step.
For more information, refer to Section II, Chapter 1, Topic C
77
As part of an internal audit, a benchmark must be established for the defect rate for an innovative new production process. The auditor can either use a large sample that is already available from other production processes in the same plant or draw a fresh sample from the new process. However, a fresh sample would be expensive, time-consuming, and much smaller in size. Which of the following is the best course of action for the auditor?
A. The auditor should accept this large historical sample because analyses based on it will have high statistical power.
B. The auditor should first determine how similar the new process is to the old process before deciding what to do.
C. The auditor should draw a fresh sample and combine it with the old sample.
D. The auditor should accept the historical sample but use nonparametric statistics to analyze it.
ANSWER: B
RATIONALE
The first question that should always be asked concerning the use of historical data is how representative the process that generated it is compared to the process currently under study.
For more information, refer to Section I, Chapter 2, Topic D
78
A new staff auditor is told to perform an audit in an area with which the auditor is not familiar. Because of time constraints, there is no supervision of the audit. The auditor is given the assignment because it represents a good learning experience, but the area is a little beyond the auditor's competence. Nonetheless, the auditor prepares comprehensive working papers and reports the results to management. Which of the following is true of this situation?
A. The audit department violated the Standards by hiring an auditor without proficiency in the area.
B. The chief audit executive has not violated the Code of Ethics since the Code does not address supervision.
C. The audit department violated the Standards by not providing adequate supervision.
D. The Standards and the Code of Ethics were followed by the audit department.
ANSWER: C
RATIONALE
Standard 2340 interpretation indicates that the "extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement."
For more information, refer to Section III, Chapter 3, Topic A
79
During a preliminary survey of the purchasing department, the internal auditor determines that there is no policy for the verification of miscellaneous cash receipts. Which of the following is an appropriate engagement objective for this purchasing audit?
A. To evaluate the accuracy of the classification of cash receipts
B. To review cash disbursement vouchers and perform attribute tests
C. To obtain information to support or disclaim indicators of fraud
D. To summarize the results of all compliance tests related to cash disbursements
ANSWER: A
RATIONALE
Audit engagement objectives answer the question “Why are we auditing this activity?” Objectives may be stated in various ways, but it should be clear what assurances the engagement will provide.
For more information, refer to Section II, Chapter 1, Topic A
80
During an operational audit, an auditor observes a large number of above-ground storage containers and a large amount of black emissions from a company smokestack. The organization has an environmental safety department. The audit engagement is not designed to consider environmental concerns. Which of the following would be the best course of audit action?
A. Document the observations and report them to the environmental safety department; determine if the response will be timely and follow up to determine if timely action has been taken.
B. Make a note to consider environmental risk concerns when developing the audit plan for the next year, but do not expand the scope of the existing audit since the budget and risk priorities are already set.
C. Inquire of local management as to the use of the storage tanks in order to determine if they are properly classified as an asset. Do not take action on the environmental issues, because the auditor is untrained in the area and such action is the responsibility of an already existing department.
D. Report the observations to the audit committee and seek their advice on whether the audit should be expanded for the environmental issues.
ANSWER: A
RATIONALE
The auditor cannot ignore information gathered during the course of an audit. Since environmental concerns present large risks to most organizations, the auditor should determine that the environmental safety department is aware of the concerns and is actively monitoring the potential exposure to the organization. Follow-up is necessary.
For more information, refer to Section I, Chapter 2, Topic E
81
In determining whether to conduct an audit of compliance with environmental regulations or a consulting engagement in the tax department, the chief audit executive should give the lowest weight to which of the following considerations?
A. The audit staff has more expertise in taxation than in environmental compliance, necessitating reliance on outside consultants for environmental audits.
B. Tax laws have recently changed in ways that may affect the organization's very substantial write-offs.
C. In the state where the organization is headquartered, a recently elected official campaigned on a promise to go after polluters in the organization's industry.
D. Management has expressed a desire for a tax audit.
ANSWER: A
RATIONALE
Available resources should not be a major consideration in this decision.
For more information, refer to Section I, Chapter 2, Topic B
82
After preliminary discussion, internal auditing and the engagement client decide that one audit objective should be to map the customer service process used in the organization's various customer service centers, identify variances in implementation of the process by center, and suggest ways in which the process might be improved. The most useful tool to gather information that will support this objective is
A. an internal control questionnaire.
B. a deployment flowchart.
C. a narrative description of the process.
D. a focus group interview.
ANSWER: A
RATIONALE
An internal control questionnaire (ICQ) can break a process down into its components, assess whether specific steps were performed, and allow for observations that might yield information about difficulties or inefficiencies at each step. The ICQ could help to provide information from each customer service center that could be used to identify different practices for improvement. A deployment flowchart is prescriptive rather than descriptive. A narrative description might establish the process but not necessarily variances or reasons for gaps. An interview might be used to establish the process and gather feedback on ways to improve it, but data based on observation is inherently more reliable than reported data.
For more information, refer to Section III, Chapter 1, Topic B
83
An internal auditor has completed an audit of an organization's activities and is ready to issue a report. However, the audit client disagrees with the internal auditor's conclusions. The auditor should
A. issue the audit report and state both the auditor's and audit client's positions and the reasons for the disagreement.
B. withhold the issuance of the audit report until agreement on the issues is obtained.
C. perform more work, with the audit client's concurrence, to resolve areas of disagreement, and delay the issuance of the report until agreement is reached.
D. issue the audit report without any reference to the client's opinion.
ANSWER: A
RATIONALE
Issuing the audit report with both positions would be consistent with Implementation Guide 2410. As long as the auditor is satisfied that the audit is completed, it would be inappropriate to delay the issuance of the audit report or expand its scope.
For more information, refer to Section IV, Chapter 1, Topic B
84
A chief audit executive (CAE) uses a risk assessment model to establish the annual audit plan. Which would be an appropriate action by the CAE?
A. Revising the risk assessment and audit priorities as warranted
B. Ensuring that the schedule of audit priorities remains unchanged
C. Employing only quantitative methods to determine risk weightings
D. Maintaining ongoing dialogue with management and the audit committee regarding which areas to audit
ANSWER: A
RATIONALE
It is a best practice for risk assessment to be a dynamic process, changing over time and as new information, business strategies, and risks are identified. Ongoing consultation with members of management and the audit committee is a way for the internal audit activity to obtain such information and stay attuned to organizational developments that may impact existing audit priorities. However, the related answer for ongoing communications is incorrect because internal auditors should determine the areas to audit independently from management. In order to accommodate such emerging priorities, the work schedule may need to be altered. Audit schedules will likely change regularly to meet the needs of the organization, particularly if based on an effective risk assessment process. The weighting of risk is both a quantitative and a qualitative (judgment) exercise.
For more information, refer to Section I, Chapter 2, Topic A
85
An internal auditor is auditing a division's accounts and is concerned that the division’s management may have shipped poor-quality merchandise in order to boost sales and profitability for the year and thereby boost the division manager's bonus. Furthermore, the auditor suspects that returned goods are being shipped to other customers as new products without defects being fully corrected. Which of the following audit procedures would be the least effective in determining whether such shipments took place?
A. Physically observing the shipping and receiving area for evidence of returned goods
B. Requiring the division to take a complete physical inventory at year end and observing the taking of the inventory
C. Interviewing customer service representatives regarding unusual amounts of customer complaints
D. Examining credit memos issued after year end for goods shipped before year end
ANSWER: B
RATIONALE
This would be the least effective, because the scenario also assumes that management is turning the goods back around by shipping them out again. If they were not doing this, then taking the physical inventory would lead to a situation where inventory on hand would exceed inventory stated on the books.
For more information, refer to Section I, Chapter 2, Topic C
86
A company has two manufacturing facilities. Each facility has two manufacturing processes and a separate packaging process. The processes are similar at both facilities. Raw materials used include aluminum, plastic pellets, various chemicals, and solvents. Pollution occurs at several operational stages, including raw materials handling and storage, process chemical use, finished goods handling, and disposal. Waste products produced during the manufacturing processes include several that are considered hazardous. The nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment, storage, and disposal of all hazardous waste. Management is aware of the need for compliance with environmental laws. The company recently developed an environmental policy, which includes a statement that each employee is responsible for compliance with environmental laws. Management is evaluating the need for an environmental audit program. Which of the following should not be included as an overall program objective?
A. To evaluate waste minimization opportunities
B. To verify company compliance with all environmental laws
C. To conduct site assessments at both facilities
D. To evaluate whether management systems are adequate to minimize future environmental risks
ANSWER: C
RATIONALE
Conducting site assessments at both facilities would be performed during a specific audit, such as a compliance or transaction audit. The other answers are potential program objectives.
For more information, refer to Section II, Chapter 1, Topic A
87
An internal auditor has drafted an engagement work program for an assurance audit of a financial operations area and submitted it to the audit manager for review. They agree that some portions of the program will probably have to be changed later, and the manager believes that another objective should be added about evaluating the procedure used to place a monetary value on vacant land owned by the organization. The manager states that with the addition of the new objective and a few other specified revisions, the program looks acceptable. By the time the internal auditor has revised the work program, the manager has left to attend a series of meetings that will take several weeks. The internal auditor had planned the engagement schedule to start immediately, but, not having obtained written approval from the manager, the auditor revises the engagement schedule so that it can be initiated after the manager returns. Which aspect of this scenario is in violation of the Standards and/or its associated Implementation Guides?
A. Seeking approval from the client or senior management on the new objective
B. Waiting for documented approval to begin the engagement
C. Accepting a program that both the audit manager and the internal auditor know will have to be modified
D. Submitting the draft program to the audit manager for review and approval
ANSWER: A
RATIONALE
Internal auditors develop and obtain documented approval of work programs before commencing the internal audit engagement. The work program includes methodologies to be used per Implementation Guide 2240. Modifications to the work program as the engagement proceeds are to be expected. Obtaining input from the client or senior management regarding new objectives is an ongoing practice in many organizations, but seeking the approval of the client or senior management would violate auditor independence and objectivity.
For more information, refer to Section II, Chapter 1, Topic D
88
The internal audit function has been engaged to perform a consulting engagement with the order fulfillment area of an online retailer to define weaknesses in the workflow that might increase the amount of time between order receipt and customer delivery. During a preliminary survey of the area conducted to create a workflow diagram, the internal auditor notes that company recommendations designed to reduce injuries from repetitive stress have not been implemented. What is the best course of action for the internal auditor?
A. Alert the human resources department.
B. Discuss the matter with area management, but do not add it to the engagement objectives unless the client agrees to revise the project objective.
C. Add the probable risk to the engagement objectives since it represents considerable economic risk to the organization.
D. Document the condition in audit working papers, but do not report it to the client.
ANSWER: B
RATIONALE
Implementation Standard 2210.C1 states that the consulting audit engagement should address risks to the extent agreed upon by the client. If the client is willing to revise the agreement with internal auditing, assessing this new risk might be added as an objective. Since this is not an assurance engagement, the internal auditor should not include this risk without the client's agreement. However, the risk would be communicated informally to management as an area needing attention, and the observation would be documented in the audit working papers.
For more information, refer to Section II, Chapter 1, Topic C
89
A company has two manufacturing facilities. Each facility has two manufacturing processes and a separate packaging process. The processes are similar at both facilities. Raw materials used include aluminum, plastic pellets, various chemicals, and solvents. Pollution occurs at several operational stages, including raw materials handling and storage, process chemical use, finished goods handling, and disposal. Waste products produced during the manufacturing processes include several that are considered hazardous. The nonhazardous waste is transported to the local landfill. An outside waste vendor is used for the treatment, storage, and disposal of all hazardous waste. Management is aware of the need for compliance with environmental laws. The company recently developed an environmental policy, which includes a statement that each employee is responsible for compliance with environmental laws. Which is an engagement objective that would best ensure that some of the risks of using an outside hazardous waste vendor are considered?
A. Evaluate the vendor's processes for producing and retaining required documentation on hazardous material.
B. Create a checklist of all items that should be sent to the hazardous waste vendor and verify that all items are included for each pickup.
C. The engagement shall require the vendor to develop emergency response planning if no plan currently exists.
D. Identify and evaluate if the correct reports are given to the operational managers regarding hazardous waste preparation for pickup.
ANSWER: A
RATIONALE
The correct answer is an engagement objective related to compliance with applicable laws and regulations. The other answers are not really stated as objectives, nor are they as pertinent to risks related to the outside vendor as the correct answer.
For more information, refer to Section II, Chapter 1, Topic A
90
An internal auditor is preparing to conduct an assurance engagement with the organization's bidding and contracting function. The engagement plan has not yet been completed, but the internal auditor schedules a meeting with the management of the function to help develop a good working relationship and to request the function's help in preparing for the audit. The internal auditor prepares an agenda of items to review with management. Has the internal auditor proceeded correctly in this scenario?
A. No. While going over an agenda would normally be a best practice, the bidding and contracting function is highly prone to fraud and the necessary records need to be procured before the first meeting.
B. Yes. Meeting with the client before engagement planning has been completed will make the best use of the internal auditor's and the client's time and lead to development of a meaningful audit plan.
C. No. For an assurance engagement, clients should not be warned in advance of the first meeting.
D. No. The preliminary meeting with engagement clients should not be held until after the engagement plan has been completed.
ANSWER: B
RATIONALE
Typically, the preliminary meeting with the client will occur after an engagement plan has been drafted, but talking with the client before planning is complete would certainly be appropriate and efficient in developing a meaningful plan for the internal audit. In this way, the internal auditor and the client can refine objectives, the internal auditor can learn more about the client's expectations, and the client can begin to plan for information and resources internal auditing will need. Unless internal audits are being conducted for security reasons (e.g., cash counts, fraud investigations), it is appropriate to arrange client meetings in advance and to begin to build a cooperative relationship. A meeting agenda is entirely appropriate to make the best use of the meeting time.
For more information, refer to Section IV, Chapter 1, Topic A
91
The auditor has recognized that a problem exists because the organizational unit has been too narrow in its definition of goals. The goals of the unit focus on profits, but the overall organizational goals are much broader. The auditor also recognizes that the audit client will resist any recommendations about adopting broader goals. The best course of action would be to
A. identify the broader organizational goals and present a set of recommendations that attempt to meet both the organizational and audit client goals.
B. subtly mix the suggested solution with the problem definition so that the audit client will identify the solution apparently independently of the auditor.
C. avoid conflict and present only those goals that are consistent with the audit client's views since all others will be ignored.
D. report only the conditions found and leave the rest of the analysis to the audit clients.
ANSWER: A
RATIONALE
The auditor is responsible to the organization, not just the audit client, and should therefore report the problem to the audit client. Subtly mixing the suggested solution with the problem definition might be a strategy to get buy-in from the client, but it will not be suitable in every case and can easily be seen as manipulative.
For more information, refer to Section III, Chapter 2, Topic F
92
An organization provides credit cards to selected employees for business use. The credit card company provides a computer file of all transactions by employees of the organization. An auditor plans to use generalized audit software to select relevant transactions for testing. Which of the following would be readily identified using generalized audit software?
A. Fraudulent transactions in which the supplier is an employee's account
B. Transactions for specific cardholders that indicate collusion with the supplier
C. Suppliers used by each cardholder and the dollar value of transactions
D. High-dollar transactions that exceed market value for the type of purchase
ANSWER: C
RATIONALE
It is highly unlikely that the accounts payable system would contain sufficient evidence of fraudulent transactions. Generalized audit software could be used to explore red flags, but it would not identify them.
For more information, refer to Section III, Chapter 2, Topic A
93
Direct staff as a percentage of total staff is an example of which of the following categories of efficiency measures?
A. Operating ratios
B. Resource utilization rates
C. Productivity indexes
D. Productivity ratios
ANSWER: A
RATIONALE
Because operating ratios make data comparable, they can be used as performance indicators to assess the extent to which a business is meeting its objectives and/or mitigating identified risks. Direct staff as a percentage of total staff is an example of an operating ratio.
For more information, refer to Section III, Chapter 2, Topic D
94
Internal auditors have just completed a risk assessment. Which of the following features of the management program indicates minimal effectiveness and presents the opportunity for making significant improvement?
A. The focus on risk management is at an “acceptable” level.
B. Continuous monitoring and other independent monitoring are in place.
C. Regulations and standards are used to improve the business.
D. There is loose alignment of risk management processes to business goals and objectives.
ANSWER: D
RATIONALE
Appropriate business strategies should enable the organization to meet business goals and objectives. The loose linkage of risk management processes poses significant strategic risk.
For more information, refer to Section II, Chapter 1, Topic C
95
An auditor has been assigned to analyze the effectiveness of a set of rehabilitation programs. The programs have been in operation for ten years and have not been evaluated. The organization providing the program data asserts that the data is incomplete. The auditor should
A. trace a randomly chosen set of records to source files to assess the accuracy and completeness of the data provided.
B. perform the analysis anyway, assessing the effects of the incomplete data, but should include the scope limitation regarding data reliability in the audit report.
C. not perform the analysis.
D. postpone the analysis until the data is complete.
ANSWER: B
RATIONALE
After ten years, the program's effectiveness needs to be assessed. If the auditor assesses the effects of the incompleteness of the data as the auditor evaluates it and disclaims the reliability, he or she will provide readers with some assessment of effectiveness without misleading them about the interpretability of the data. Many times auditors need to work with imperfect data. As long as the auditor assesses the effects of the incomplete data and disclaims the reliability of the data clearly in the report, the analysis may prove useful without being misleading.
For more information, refer to Section III, Chapter 2, Topic F
96
If an internal auditor joins an IT audit in the field work phase to replace the previous internal auditor, what is his or her most effective and efficient method of preparing to contribute to the engagement?
A. Reviewing the workpapers and audit program
B. Repeating the work done by the auditor he or she is replacing
C. Reading the documentation of the hardware and software available from the client
D. Observing the workplace and interviewing IT personnel
ANSWER: A
RATIONALE
Workpapers should document all facets of the audit up to the time the new auditor steps in, and the audit program provides a complete description of the audit's objectives as well as all evidence gathered to date.
For more information, refer to Section III, Chapter 2, Topic E
97
In assessing organizational risk in a manufacturing environment, which of the following would have the most long-range impact on the organization?
A. Production scheduling
B. Advertising budget
C. Product quality
D. Inventory policy
ANSWER: C
RATIONALE
Product quality is a long-range planning topic because it affects market positioning. The other options are concerns, but they have less long-range impact than product quality.
For more information, refer to Section I, Chapter 2, Topic B
98
Internal auditing is planning an assurance audit of the transportation department of a large engineering firm. The firm owns and operates a fleet of cars and trucks of various sizes. One of the objectives for the audit is to evaluate the department's vehicle maintenance procedures to control economic losses associated with both insufficient and excessive maintenance. Which of the following tests would be the least effective way to test this engagement objective?
A. Interviewing service technicians to gather information about department maintenance procedures
B. Comparing department costs for selected procedures with industry standards
C. Comparing manufacturer maintenance guidelines with department procedures
D. Analyzing incidences of vehicle loss other than collisions
ANSWER: A
RATIONALE
The interview described in the question is an audit approach, not an audit test. It is not verifying that an adequate control is in place. The most relevant audit tests listed would be comparing department costs with industry standards to identify significant variances that might suggest inadequate or excessive controls, comparing manufacturer guidelines with department procedures to identify whether too much or too little maintenance is scheduled, and determining whether the non-collision loss of vehicles is due to lack of or improperly performed maintenance.
For more information, refer to Section II, Chapter 1, Topic D
99
In documenting the procedures used by several interacting departments, the internal auditor will most likely use
A. a horizontal (or systems) flowchart.
B. a vertical flowchart.
C. a Gantt chart.
D. an internal control questionnaire.
ANSWER: A
RATIONALE
A horizontal flowchart, also called a cross-functional flowchart, highlights the interaction between departments.
For more information, refer to Section III, Chapter 2, Topic C
100
An internal auditor finds a problem that is serious enough that it needs to be addressed immediately by management, but it is unrelated to the current audit engagement. What is the auditor's responsibility in communicating the information and following up on corrective actions?
A. The situation must be reported and documented to senior management or the audit board before the completion of the audit.
B. Once reported, the internal auditor has no responsibility to continue to monitor the situation until the problem is corrected.
C. Once a corrective action is performed, the auditor should add the problem to the risk map to ensure that it is audited as part of the regular rotation.
D. The internal auditor should tell the chief audit executive about it and recommend that an auditor be assigned to the matter quickly.
ANSWER: A
RATIONALE
If a situation is discovered that can affect an organization in a major way, the internal auditor is required by the Standards to report the problem immediately and help determine what corrective actions can be taken to resolve the issue. Once corrective actions have been taken, the internal auditor must verify that the problem no longer exists and document this in the findings.
For more information, refer to Section IV, Chapter 1, Topic C
101
Which of the following audit objectives would be appropriate in an audit of the efficient use of an organization's facilities?
A. To determine whether rates to lease office space for the organization are reasonable when compared to market lease rates.
B. To determine whether facilities are procured competitively.
C. To determine whether employees are satisfied with the allocation of office space among departments.
D. To determine whether the actual capacity is reasonable compared to the needed capacity.
ANSWER: D
RATIONALE
For manufacturing processes, the primary audit objective typically is to assess the efficiency of the manufacturing process itself: i.e., are an appropriate/correct number of products being produced at the correct level of quality for delivery to customers. The other considerations are not primary concerns of a manufacting process audit.
For more information, refer to Section II, Chapter 1, Topic A
102
An internal auditor suspects that high turnover may be caused by an oppressive work environment. To encourage staff members to confirm or refute this opinion, the auditor might best use which of the following tactics?
A. In an interview, ask staff members to talk about their work environment.
B. In an interview, ask staff members if they feel supported by their manager.
C. In an interview, ask staff members if they enjoy their work.
D. In a questionnaire, ask staff members to rate the work environment on a scale of 1 to 5.
ANSWER: A
RATIONALE
When you need people to open up and provide opinions and analysis, as in this situation, an open question such as "Tell me about your work environment" has the best chance of succeeding. Closed questions—questions that can be answered by yes, no, or a fact—are less likely to get people to open up. Questionnaires also provide less opportunity to open up, especially if staff feel threatened and therefore are unwilling to put an opinion in writing unless they are absolutely certain of anonymity. (In a difficult situation like this one, a variety of approaches may be necessary.)
For more information, refer to Section III, Chapter 1, Topic A
103
When an internal auditor encounters active opposition, as when auditees remain unconvinced of the auditor’s reasonably presented point of view, the most effective way to gain consensus is to
A. find a point of agreement by letting auditees explain their position again.
B. wait to reason with auditees late in the day when they may be more reasonable.
C. rely on logic and explain the auditor’s point again.
D. refer the matter to the auditees’ superior.
ANSWER: A
RATIONALE
Agreeing on some point can be an opening wedge to more productive discussions. Referring the matter to the auditees’ superior will only alienate the auditees. The internal auditor should also not wait and try to reason with the audit client at the end of the day, as a tired or distracted person is not a good audience for the auditor’s discussion. A closed mind does not accept logic; an open mind does. Just relying on logic and repeating the point of view won't be most effective.
For more information, refer to Section IV, Chapter 1, Topic D
104
During a daily briefing with internal audit staff assigned to an engagement, the lead auditor determines that the audit objectives are unattainable. What should the lead auditor do next?
A. Discontinue the audit activity.
B. Increase the schedule and/or add additional resources.
C. Report the information to the chief audit executive and client.
D. Plan to revise the audit scope.
ANSWER: C
RATIONALE
Implementation Guide 2410 provides guidance about interim communication criteria and indicates that interim reports are written or oral and may be transmitted formally or informally. Different formats are acceptable: a status meeting, a report, an e-mail, and the like. The guidance indicates interim reports are used to communicate information that requires immediate attention, to communicate a change in engagement scope for the activity under review, or to keep management informed of engagement progress when engagements extend over a long period. The use of interim reports does not diminish or eliminate the need for a final report.
For more information, refer to Section IV, Chapter 1, Topic C
105
Which of the following best describes the internal auditor's role regarding whether or not the organization's controls are in compliance with relevant laws and regulations?
A. The internal auditor should provide assurance to management that controls are in legal compliance with all relevant regulations and statutes.
B. The internal auditor should provide management with thorough documentation of the effectiveness of the organization's controls.
C. The internal auditor should provide external auditors with complete documentation of all controls, including those the external auditor will rely upon during the audit.
D. The internal auditor should implement controls and provide management with assurance that they conform to relevant legal requirements.
ANSWER: B
RATIONALE
The role of the internal auditor is to assist management by providing thorough documentation and evaluation of controls including their existence and effectiveness. Assuring regulators that the organization's controls are in compliance is management's job, with the advice of counsel. The auditor should act neither as a manager nor a lawyer.
For more information, refer to Section I, Chapter 3, Topic C
106
An audit of environmental controls, including regulatory compliance, has been concluded. Possible corrective actions are being discussed at a closing conference. The environmental manager states that funds are not available in this year's budget to make necessary changes and repairs to the hazardous waste storage yard. The deficiencies prevent management from complying with controls established to manage waste safely and to comply with regulations. The auditor should
A. insist that the changes and repairs be made, regardless of any apparent budget constraints.
B. agree that corrective action may be postponed until funds can be provided in the following year's budget.
C. accept temporary, but clearly incomplete, corrective action in order to improve the situation.
D. involve senior management in the decision.
ANSWER: D
RATIONALE
Complete and timely corrective action is needed, but funds appear not to be available. This situation poses a significant risk to the company, and senior management must participate in the decision. It is unlikely that senior management will choose to accept the risk of noncompliance for an extended period of time; funds may be available from another source not accessible to the environmental manager.
For more information, refer to Section IV, Chapter 1, Topic E
107
When considering the potential use of interviewing to gather audit evidence, auditors should be aware that interviews
A. should be corroborated by gathering objective data.
B. provide a systematic format to ensure audit coverage.
C. are more objective than questionnaires in gathering data.
D. are best suited to reaching audit conclusions.
ANSWER: A
RATIONALE
Evidence obtained by interviews should be corroborated. The other options do not correctly portray the characteristics of interviews.
For more information, refer to Section III, Chapter 1, Topic A
108
Internal auditing has identified risks for the safe handling, accidental release, and disposal of unused products or byproducts associated with the use of a specific toxic ingredient in a chemical plant and recommends development of a mitigation plan for the use of this ingredient. Instead, operations revises its manufacturing process to eliminate the need for the problematic ingredient. Which of the following describes the best response and rationale that the chief audit executive (CAE) might make?
A. The item should remain on internal audit's monitoring list until management provides a written response.
B. The CAE should report management's failure to implement its recommendation to senior management.
C. The CAE should remove the item from the activity's monitoring list because the recommendation is no longer relevant.
D. The CAE should remove the item from the activity's monitoring list but make a note to confirm the revision in the manufacturing process during the next audit.
ANSWER: D
RATIONALE
Since management has confirmed the elimination of the toxic ingredient during the audit, the recommendation is no longer relevant and it should be removed from the list of monitoring tasks. However, internal auditing should confirm that the solution has been implemented as operations described, probably during the next audit. In addition, the auditors might add this information in working papers so it could be reviewed prior to the next audit.
For more information, refer to Section IV, Chapter 2, Topic B
109
An internal auditor is interested in the processing accuracy of a sales invoice preparation system. The monetary amount of individual invoices is highly variable. The internal auditor has sound reasons for believing that the error rate in invoice processing is between 3% and 10% but has no idea of the monetary magnitude of the errors. In evaluating which specific approach to variables sampling to employ, the internal auditor should be aware that
A. either difference or ratio estimation will be more efficient than unstratified mean-per-unit estimation in this case.
B. neither difference nor ratio estimation is practical in this case unless an audit value and a book value exist for each item in the population.
C. with error rates in this range, there is little advantage to stratifying the population.
D. since the error magnitude is uncertain, stratified mean-per-unit estimation will perform poorly in this case.
ANSWER: A
RATIONALE
Ratio or difference estimation would be more efficient in this situation. Stratified mean-per-unit esimation would work here—the error magnitude is unimportant. The advantage of stratification is not dependent on error rates. Difference or ratio estimation does not require an audit value for every item in the population. If such values were available, there would be no need to sample at all.
For more information, refer to Section III, Chapter 1, Topic C
110
A new staff auditor, who has an undergraduate degree in psychology, suggests that a questionnaire be developed to examine bus driver attitudes toward departmental operations, overtime, number of hours/miles driven, etc. The internal audit department has never used questionnaires like this before. Should the chief audit executive approve the development and use of such a questionnaire?
A. No, audit work should be confined to objective data so that audit independence is not compromised.
B. No, the audit department does not have sufficient expertise in developing such questionnaires.
C. Yes, the data would be relevant to understanding the causes of accidents and breakdowns.
D. Yes, questionnaires are a more objective form of evidence gathering than observation and interviews.
ANSWER: C
RATIONALE
The use of questionnaires should be approved, as questionnaires provide relevant, objective data. If needed, auditing standards allow outside expertise to be used to develop the questionnaire. Objectivity is a secondary issue to relevancy.
For more information, refer to Section I, Chapter 2, Topic A
111
An organization uses electronic data interchange and online systems. Paper-based documents are not generated for purchase orders, receiving reports, or invoices. An auditor wishes to determine if invoices are paid only for goods received and at approved prices. Which of the following audit procedures would be most appropriate?
A. Taking a monetary-unit sample of accounts payable and then confirming the amounts directly with the vendors
B. Using a statistical sample of major vendors and then tracing the amounts paid to specific invoices
C. Using generalized audit software to select a sample of payments and then matching purchase order, invoice, and receiving reports stored on the computer using a common reference
D. Using generalized audit software to identify all receipts for a particular day and then tracing the receiving reports to checks issued
ANSWER: C
RATIONALE
Generalized audit software would help the auditor determine that all three pieces of data are appropriately matched before payment.
For more information, refer to Section III, Chapter 2, Topic A
112
Internal auditors often flowchart a control system and reference the flowchart to narrative descriptions of certain activities. This is an appropriate procedure to
A. gain the understanding necessary to test the effectiveness of the system.
B. document that the system meets international auditing requirements.
C. determine whether the system meets established management objectives.
D. gain knowledge of whether the system can be relied upon to produce accurate information.
ANSWER: A
RATIONALE
Flowcharting keyed to a narrative is employed by auditors to gain the understanding necessary to test the effectiveness of a system.
For more information, refer to Section III, Chapter 2, Topic C
113
Successful consultative communication in an internal audit is partially based on feedback from the individual being audited regarding the actions of auditors during the audit. The feedback
A. should go only to the auditors to help them improve their audit performance.
B. should go only to senior management as a means of reviewing the auditors.
C. will keep audit customers on the defensive regarding the auditors.
D. should go to both management and the auditors to ensure that business value is being added.
ANSWER: D
RATIONALE
Both management and auditors should be involved in improving the image of internal audit in the organization. Involving the individuals being audited should reduce conflict and defensiveness and make the audit more participative.
For more information, refer to Section III, Chapter 3, Topic A
114
Audit engagement programs testing internal controls should
A. reduce costly duplication of effort by ensuring that every aspect of an operation is examined.
B. be generalized in order to be usable at the various international locations of an organization.
C. be generalized to fit all situations without regard to departmental lines.
D. be tailored for the audit of each operation.
ANSWER: D
RATIONALE
A tailored program is more relevant to an operation than a generalized program. Every aspect of an operation need not be examined—only those aspects likely to conceal problems and difficulties.
For more information, refer to Section II, Chapter 1, Topic A
115
Inventory levels for a packing facility are controlled by the use of just-in-time techniques. If the auditor's objective is to evaluate ordering and stocking standards, which of the following procedures would be relevant?
A. Using audit software to compute the number of shipping crates used per day
B. Reviewing shipping records to ensure that the result is stable inventory levels throughout the year
C. Comparing actual stocking levels to industry averages
D. Reviewing sales records for defective returns
ANSWER: A
RATIONALE
Shipping requirements and timing would be recomputed to verify the just-in-time standards used for quality control. Sales adjustments would meet product quality objectives, not stocking standards. Actual stocking levels would meet the objective of achieving just-in-time standards, not establishing them. There are no industry averages for just-in-time (zero balance) techniques, and, rather than creating stable inventory levels throughout the year, the objective would be to have the minimum needed amounts of inventory, which could be zero.
For more information, refer to Section II, Chapter 1, Topic D
116
A corporation purchases a former rival, taking advantage of a sharp decrease in company value due to financial misstatements and publicity about conflicts of interest and bribery of public officials. The board of directors of the purchaser believes this will be a successful acquisition but is concerned about a pervasive atmosphere of unethical behavior in the purchased company. It directs the internal audit function to assess the controls related to ethical conduct currently in place, identify specific problem areas, and propose solutions. In its subsequent report, internal auditing recommends a complex series of steps that include the adoption of a code of ethics and company-wide education about the code and its implications for all employees. Auditing also recommends including ethical behavior as a hiring prerequisite and creating a committee for ethical conduct to collect and investigate charges of unethical behavior. A series of timetables are created for the various actions. Since many of the more ethically deficient senior managers have left, the remaining managers are open to auditing's recommendations. How should the internal auditors interact with the managers of the purchased company during their monitoring activities?
A. The role of the internal auditing activity is to deliver the decision of senior management and to ensure the implementation of its recommendations. This may necessitate a hostile relationship.
B. The internal auditors must maintain strict neutrality and objectivity, given the nature of the monitoring task.
C. The internal auditors should not communicate directly with the management of the purchased company, relying on senior management to communicate their needs and recommendations.
D. The internal auditors should create a cooperative atmosphere, inviting the managers to contribute to and collaborate on solutions.
ANSWER: D
RATIONALE
As with the initial engagement, monitoring will require a positive and supportive relationship between the organization and the auditors. Internal auditing will need cooperation to gather information and observe conditions. Recommendations will be more readily implemented in a less hostile and more open environment.
For more information, refer to Section IV, Chapter 2, Topic B
117
If an auditor is performing an engagement to determine an organization's achievement of management's safety-related goals, the auditor's conclusions might be framed as answers to which of the following questions?
A. What problems do you foresee based on our current condition?
B. How well are we doing in meeting our safety goals?
C. What specific safety measures did you inspect?
D. What can we do to improve our safety program?
ANSWER: B
RATIONALE
While all of the questions are legitimate and natural and might be addressed in a finding, the conclusion would offer an opinion in answer to a version of the question "How are we doing?"
For more information, refer to Section III, Chapter 2, Topic F
118
After conducting a risk-based assessment and establishing an audit schedule, with appropriate review and approval, the internal audit activity begins work on the high-priority audits. The auditors quickly discover that one of the assurance engagements will require more technical expertise than originally anticipated. Which of the following would be the most appropriate response of the chief audit executive?
A. Rely upon the technical expertise of staff members in the area being audited.
B. Cancel the engagement and inform the audit committee that it will be rescheduled when resources permit.
C. Continue with the engagement and schedule weekend or after-hours training sessions for the internal auditors initially assigned to the engagement.
D. Bring in technical help from an appropriate source, such as an independent consulting firm or a university.
ANSWER: D
RATIONALE
The most appropriate response is to acquire the expertise from an independent source. The least appropriate response is to drop scheduled engagements; they were selected because of their assessed risks.
For more information, refer to Section II, Chapter 1, Topic E
119
Senior management disagrees with the report of the chief audit executive (CAE) on the audit activity’s performance. Although the activity has completed all priority engagements in its annual plan, supported enterprise risk management objectives, and achieved high ratings on client surveys, senior management is disappointed that priority engagements have not included more performance audits that could make processes more cost-effective. What is the most likely reason for this situation?
A. The CAE is using the wrong key indicators in measuring the activity’s performance.
B. The CAE needs to spend more time educating senior management and the board about the role of internal audit.
C. Senior management does not particularly value the opinion of line management.
D. The CAE has been ineffective in reporting the value the activity delivers through its engagements.
ANSWER: A
RATIONALE
The CAE has not aligned key indicators in the activity’s performance measurement process with the organization’s strategic objectives. While the activity performs well, it is not focusing on some performance areas that are considered strategically important by senior management.
For more information, refer to Section I, Chapter 3, Topic D
120
In preparation for an external audit, an internal auditing activity has reviewed the company's financial statements. The internal audit team has discovered payments that suggest the presence of loans not listed on the company's ledger. Senior management argues that the amounts are minor and refuses to revise the financial statements. What should the chief audit executive (CAE) do?
A. Refer the matter to the board.
B. Include the findings in the quarterly report to senior management.
C. Seek advice from peers in other organizations.
D. Allow senior management additional time to support the minor nature of the discrepancies.
ANSWER: A
RATIONALE
As stated in Performance Standard 2600, "When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board." Confidentiality of the information must be maintained.
For more information, refer to Section IV, Chapter 1, Topic G
121
What does the following scatter diagram suggest?
(SCATTER DIAGRAM W/SALES REV AT Y AXIS AND TRAINING COST AT X AXIS)
A. Training costs do not affect sales revenue.
B. Several data points are incorrectly plotted.
C. Sales revenue is inversely related to training costs.
D. The training program is not effective.
ANSWER: A
RATIONALE
The scatter diagram suggests that training costs and sales revenue are not related. There is nothing to indicate incorrect data points in this graph.
For more information, refer to Section III, Chapter 2, Topic D
122
Corporate management has just implemented a policy that every department must downsize by immediately cutting 10% of its staff and budget. The chief audit executive (CAE) has reacted to these plans by notifying the audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements is true of the CAE's and the potential managers' actions?
A. The CAE should have reprioritized risks and cut out specific audit engagements rather than cutting 10% across the board.
B. The CAE's action should result in approximately the same amount of risk coverage as the previous audit plan but reduced by 10%.
C. Individual audit managers can attain 90% of the previously defined audit coverage by uniformly cutting audit procedures by 10%.
D. The CAE should have informed corporate management that they are not subject to this 10% cut in staff and budget.
ANSWER: A
RATIONALE
Reprioritizing risks and reducing audit engagements is the preferred response. This should enable the auditor to develop an optimum plan to cover the maximum amount of risk with the more limited resources. Cutting all jobs by 10% does not necessarily mean that the risks addressed will drop by 10%. A uniform 10% reduction in audit procedures or audit scope may result in gathering insufficient evidence across a number of audit areas.
For more information, refer to Section II, Chapter 1, Topic E
123
Behavioral research has established that most humans process information sequentially. As a consequence, the decision-making process often suffers from a "recency effect," where the most recent information is given disproportionate weight. Which is a way this tendency can be appropriately controlled in auditing?
A. Use expert systems to ensure the appropriate weighting of all important information.
B. Require the most important audit steps to be performed last.
C. Require auditors to document the evidence but not the reasoning process used in reaching audit conclusions.
D. Use expert systems to do independent reviews of results and conclusions.
ANSWER: A
RATIONALE
Expert systems are not subject to this type of human bias. Auditors should document both evidence and their reasoning process and their results, and conclusions should be independently reviewed by supervisors. Audit procedures are organized in a manner to achieve audit efficiency and to ensure that sufficient audit evidence is gathered. The results of intermediate steps may dictate changes in the rest of the audit, but the most important procedures are not designed to be performed last in most audit engagements.
For more information, refer to Section III, Chapter 2, Topic B
124
In a well-developed management environment, the internal audit activity would
A. focus primarily on asset management and report results to the audit committee.
B. report the results of an audit engagement to line management as well as senior management.
C. conduct initial audits of new computer systems after they have begun operating.
D. interface primarily with senior management, minimizing interactions with the line managers who are the subjects of internal audit work.
ANSWER: B
RATIONALE
In a well-developed management system, the internal auditing function is used to provide a more direct benefit to line operations by providing feedback to operating management as well as to senior management. Emphasis should be placed on the audits of proposed products and systems.
For more information, refer to Section I, Chapter 2, Topic C
125
While testing a division's compliance with company affirmative action policies, an auditor finds the following:
5% of the employees are from minority groups.
No one from a minority group has been hired in the past year. The most appropriate conclusion for the auditor to reach is that
A. with 5% of its employees from minority groups, the division is effectively complying.
B. insufficient evidence exists of compliance with affirmative action policies.
C. the division is violating the company's policies.
D. the company's policies cannot be audited and hence cannot be enforced.
ANSWER: B
RATIONALE
Without knowledge of guidelines for compliance, a reasonable conclusion cannot be reached. The fact that no minority has been hired this year is irrelevant without knowing the total hires for the period. An affirmative action policy is clearly auditable. You cannot say that the division is effectively complying, as this conclusion cannot be reached without knowledge of the actual company policy.
For more information, refer to Section III, Chapter 2, Topic B
126
he chief audit executive (CAE) performs both strategic and operational activities. An example of a strategic activity for which the CAE is responsible is
A. creating a risk-based audit plan.
B. developing a system to measure internal audit’s efficiency and effectiveness.
C. supervising assurance engagements.
D. staffing the internal audit function.
ANSWER: B
RATIONALE
The CAE’s strategic role is fulfilled by establishing relationships throughout the organization, understanding the role the activity plays in the organization, and ensuring that the activity can fulfill this role. Developing a system to measure internal audit’s effectiveness and efficiency is essential to the activity’s performance. The other tasks listed are operational in nature, actions taken to implement the activity’s strategic plan.
For more information, refer to Section I, Chapter 1, Topic A
127
While performing analytical procedures related to an audit of a social services agency of a government entity, the auditor notes that there is an unusually large increase in payments to individual recipients who are under the direction of a particular social worker in the agency. Which of the following audit procedures would be the best procedure to investigate this observation?
A. Use generalized audit software to sort payments to recipients by social worker, and then sort the payments by common addresses and names.
B. Use generalized audit software to take a random sample of recipients and investigate by sending confirmations to each recipient to determine if they had received proper payments.
C. Implement an integrated test facility and monitor transactions throughout the year to identify unusual items.
D. Implement the snapshot approach and tag transactions that are related to the social worker identified with the unusually large increases.
ANSWER: A
RATIONALE
This would be an efficient way to determine if there are any easily seen fraudulent patterns associated with the payments under the control of the social worker.
For more information, refer to Section III, Chapter 2, Topic A
128
When reviewing a report prepared by an internal auditor who has a personal friend employed in the area being audited, a chief audit executive's primary focus would be to ensure which of the following?
A. The report is easily understood and findings are presented in a logical manner.
B. The report is fair, impartial, and unbiased.
C. The report is clearly worded and avoids unnecessary detail, redundancy, and wordiness.
D. The report is free from errors and misstatements.
ANSWER: B
RATIONALE
According to Standard 2420, "Quality of Communications", states that communications should be accrurate and objective. That is: fair, impartial, and unbiased. The report should be the result of a fair-minded and balanced assessment of all relevant facts and circumstances, and should not take into consideration any personal bias the auditor may have. The report should avoid excessive praise and/or criticism, and should seek a constructive, balanced tone focused on (for example) solutions .
For more information, refer to Section IV, Chapter 1, Topic B
129
Which of the following would most likely be a key performance indicator for an internal audit activity?
A. Implementation of new audit computer software.
B. Audit expenditures compared to financial budgets.
C. Frequency of meetings with the board members.
D. Percent of required continuing education hours completed.
ANSWER: D
RATIONALE
Key performance indicators (KPIs) focus on "accomplishments or behaviors that are valued by the organization", and are valid indicators of performance (i.e., they measure the correct target). They must be understandable to the internal audit staff, who then use them to guide and improve their performance. Of the options, the percentage of completed continuing education hours is a measurable indicator of staff performance with a direct impact on their ability to perform their roles. The other options are not KPIs: expenditures-vs-budgets data would not take into consideration other variables or causation; implementation of new computer software is a recommendation; and the frequency of board meetings doesn't provide a measurement that can improve performance.
For more information, refer to Section I, Chapter 3, Topic D
130
When interviewing candidates for an internal auditing position, a manager prefers to ask questions about how the candidate handled challenges in his or her previous position. This is an example of
A. structured interviewing.
B. behavioral interviewing.
C. situational interviewing.
D. initial screening.
ANSWER: B
RATIONALE
This is an example of behavioral interviewing, trying to predict future job performance based on past behaviors. Situational interviewing is similar but is based on hypothetical questions such as “How would you handle the following situation?...”
For more information, refer to Section I, Chapter 1, Topic B
131
Management has requested an audit of promotional expenses. The sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high. Which of the following engagement procedures would be the most useful to determine the effectiveness of the promotion?
A. Comparing product sales during the promotion period with sales during a prior promotion period that offered a substantial discount
B. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion
C. Comparing the unit cost of the products sold before and during the promotion period
D. Performing a review of the sales department's incentives and bonuses for making sales
ANSWER: B
RATIONALE
Engagement procedures are the means to attain engagement objectives, so it is important to determine which procedures apply to which engagement objectives. The challenge is to address the effectiveness of the promotion, and the correct answer tests whether the benefits of the promotion outweigh the costs. Reviewing sales incentives and bonuses could be a good engagement procedure for a different audit objective. Comparing one sale to a different sale would not provide a good baseline for analysis. Instead, the promotion period should be compared to a nonpromotional period (perhaps in the same season if there is seasonality). There is no indication that the cost of the products sold has changed.
For more information, refer to Section II, Chapter 1, Topic D
132
The primary reason for having formal written audit reports is to
A. provide a formal means by which the external auditor assesses potential reliance on the internal audit activity.
B. document the corrective actions required of senior management.
C. provide an opportunity for engagement client response.
D. record observations and recommended courses of action.
ANSWER: D
RATIONALE
The primary reason for having a written final report is to record audit observations and recommendations. The report should present the purpose, scope, and results of an engagement. The other options are not the best responses for the following reasons: Clients should have an opportunity to respond before the report is written; internal auditors make recommendations—they do not submit requirements; and, where appropriate, external auditors would review workpapers to assess potential reliance on the internal audit activity.
For more information, refer to Section III, Chapter 2, Topic F
133
An auditor prepares questionnaires made up of a series of questions that use the same response categories: "strongly agree," "agree," "neither agree nor disagree," "disagree," "strongly disagree." The auditor mixes up the order of the questions for different respondents and sometimes reverses the orientation of the endpoints of the scale (e.g., "strongly agree" on the right and "strongly disagree" on the left). Is there a good reason for this type of questionnaire variation?
A. Yes, it can make it possible to get information about more than one population parameter using the same questions.
B. No, it will fail to eliminate intentional misrepresentations.
C. No, it creates variation and complexity where there should be uniformity and simplicity.
D. Yes, it can eliminate the effects of pattern response tendencies.
ANSWER: D
RATIONALE
There are many known effects of the sequence and format of questions. One method for dealing with unintentional bias is to use questionnaire variations that cause these biases to average out across the sample.
For more information, refer to Section III, Chapter 1, Topic B
134
An internal auditor is assigned to audit activities at a group of retail stores. In one store, the auditor notes an unusually high number of instances where there have been end-of-day discrepancies between store receipts and cash and credit card charges deposited. After examining employee time sheets and time cards, the auditor narrows suspicion to three employees: Jill, Ron, and Bill. Since this is a potentially serious charge, the auditor wants to confirm these suspicions and possibly narrow them even further by talking with the individuals. Which would be the most effective question when interviewing Jill?
A. How many times a day do you go into the cash register?
B. Tell me about any odd behavior you have observed with Ron or Bill involving the cash register.
C. Why would you do something like that?
D. Can you describe for me the different ways in which you might use the register in the course of your workday?
ANSWER: D
RATIONALE
The correct answer invites the employee to talk freely and may suggest other areas to explore. A question that can be answered with a brief factual statement does not open conversation, and a question that implies wrongdoing may close the conversation altogether. It would be inappropriate to imply wrongdoing, and any information gained would not be reliable or usable in a court of law.
For more information, refer to Section III, Chapter 1, Topic A
135
An auditor reviews and adapts a flowchart to understand the flow of information in the processing of cash receipts. Which is the auditor most likely to learn from analysis of the flowchart?
A. Specific control procedures to use, such as edit tests and batch control reconciliations
B. Good locations for potential segregation of duties
C. How to keep the process up-to-date for system changes
D. Details on computer processing of cash receipts, though it will be unable to show manual processing
ANSWER: B
RATIONALE
Flowcharts show segregation of duties and the transfer of data between different segments in the organization. They show the overall flow but do not identify the specific edit tests implemented. Flowcharts are generally not kept up-to-date for changes.
For more information, refer to Section III, Chapter 2, Topic C
136
Company A's audit director, who is a Certified Internal Auditor, faces an ethical dilemma. For an audit in process, persuasive evidence indicates that a top manager has been involved in insider trading. The extent and type of the trading is such that it would be considered fraudulent. However, the finding was encountered as a side issue of another audit and is not considered relevant to the current audit activity. Regarding this finding, which of the following is the audit director’s most appropriate action?
A. Continue work on the insider trading sufficient to conclusively establish whether fraudulent activity has taken place, and then report the findings to the chairperson of the audit committee.
B. Discontinue audit work associated with the potential insider trading and report the preliminary findings to the company's external legal counsel for their investigation. Report the legal counsel findings to management.
C. Discontinue audit work associated with the potential insider trading. Report the preliminary findings to the chairperson of the audit committee and recommend an investigation.
D. Continue audit work associated with the insider trading if it will not interfere with the existing audit work timing as it will show a high level of committment and work ethic.
ANSWER: C
RATIONALE
The audit director’s preliminary findings should be immediately reported to the audit committee, rather than to management, because the audit committee is considered to be one level above where the alleged fraud is taking place. The findings should not be reported to management since management might be involved. It would not be appropriate to engage external legal counsel. The Standards clearly indicate that the auditors report the suspected fraud to the appropriate levels of the organization to determine whether an investigation is undertaken. The auditors may not be in the best position to determine whether the trading is fraudulent and certainly are not in a position to report the information to government officials. The IIA's Code of Ethics also clearly indicates that auditors cannot be associated with any illegal or inappropriate behavior. Ignoring the findings would violate the code.
For more information, refer to Section IV, Chapter 1, Topic C
137
Management of an audited area agreed to take corrective action on a significant audit observation. According to IIA guidance, what should the chief audit executive (CAE) do if the corrective action is not taken within a reasonable time frame?
A. Include additional follow-up activity with the next scheduled audit of the function.
B. Allow line management to decide when to perform additional follow-up activity, as follow-up is line management's ultimate responsibility.
C. Conduct additional follow-up activity only if line management requests it, as line management has now expressed willingness to assume the risk of not taking corrective action.
D. Provide a follow-up report to senior management and the board regarding the uncorrected audit observation and its significance to operations
ANSWER: D
RATIONALE
According to Standard 2600, "Communicating the Acceptance of Risks," when the CAE "concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management." If the CAE determines that the issue has not been resolved after communicating with senior management, it is their responsibility to communicate the matter to the board, as well as reiterate concerns to senior management. In this new report, the CAE should identify the type of risk (financial, operational, compliance, etc.) as well as fully explain its significance to operations.
For more information, refer to Section IV, Chapter 1, Topic F
138
A internal auditor at a bank wants to determine whether all loans are supported by sufficient collateral, properly aged regarding current payments, and accurately categorized as current or noncurrent. What would be the best audit procedure to accomplish these objectives?
A. Select a block sample of all loans in excess of a specified dollar limit and determine if they are current and properly categorized. Then, for each loan approved, verify aging and categorization.
B. Use generalized audit software to read the total loan file, age the file by last payment due, and extract a statistical sample stratified by the current and aged population. Then examine each loan selected for proper collateralization and aging.
C. Select a sample of payments made on the loan portfolio and trace them to loans to see if the payments are properly applied. Then, for each loan identified, examine the loan application to determine that the loan has proper collateralization.
D. Select a discovery sample of all loan applications to determine whether each application contains a statement of collateral.
ANSWER: B
RATIONALE
This is the best procedure, because it takes a sample from the total loan file and tests it to determine that the loans are properly categorized as well as properly collateralized and aged.
For more information, refer to Section III, Chapter 2, Topic A
139
When presenting an audit finding, the recommendation for corrective action should be
A. the choice that is lowest in cost.
B. the choice that is the most technically correct.
C. the course of action the client will be most receptive to.
D. the best choice with the fewest unsatisfactory side effects.
ANSWER: D
RATIONALE
A recommendation for corrective action should be the best choice with the fewest unsatisfactory side effects. It should also point the way to continued efficacy. A recommendation for corrective action should not just be technically correct, lowest in cost, or what management wants to hear.
For more information, refer to Section IV, Chapter 1, Topic D
140
The chief audit executive (CAE) of a midsized internal auditing organization is concerned that management might outsource the internal auditing function. Therefore, the CAE adopts an aggressive program to promote the internal auditing department in the organization. The CAE plans to present the results to management and the audit committee and recommend modification of the internal audit charter after using the new program. The CAE pproposes a number of changes, and one is, in order to save time, the CAE no longer requires that a standard internal control questionnaire (ICQ) be completed for each audit. Would this change be a violation of the Standards?
A. Yes. Internal control should be evaluated in every audit, but the internal control questionnaire is not the mandated approach to evaluate the controls.
B. No. Auditors are not required to fill out internal control questionnaires on every audit.
C. Yes. Internal control should be evaluated on every audit engagement, and the internal control questionnaire is the most efficient method to do so.
D. No. Auditors may omit necessary procedures if there is a time constraint. It is a matter of audit judgment.
ANSWER: B
RATIONALE
Auditors are not required to perform control evaluations and certainly are not required to fill out standard internal control questionnaires. Internal control evaluations are not required on every audit. Auditors cannot omit necessary procedures because of time constraints.
For more information, refer to Section III, Chapter 1, Topic B
141
An auditor conducts an interview with a department supervisor. Whenever the auditor raises questions about certain types of claims, the supervisor becomes uncomfortable and nervous and changes the subject. The supervisor's answers are consistent with company policies and procedures. When documenting the interview, the auditor should
A. ignore the specific answers given in the interview, because they are self-serving.
B. document the supervisor's answers, noting the nature of the nonverbal communication.
C. conclude that the nonverbal communication is persuasive and that sufficient evidence exists to charge fraud against the supervisor.
D. not document the nonverbal communication, because it is subjective and is not corroborated.
ANSWER: B
RATIONALE
Auditors frequently encounter and act upon nonverbal communication. If the nonverbal communication affects the auditor's perception of the information gathered, it should be documented so that it can be considered as the audit proceeds.
For more information, refer to Section III, Chapter 1, Topic A
142
The internal audit department's responsibility for performing follow-up activities to ensure that corrective action has taken place for certain findings should be defined in the
A. engagement memo issued prior to each audit assignment.
B. purpose statement in applicable audit reports.
C. internal auditing department's written charter.
D. mission statement of the audit committee
ANSWER: C
RATIONALE
Responsibility for follow-up should be defined in the internal auditing department's written charter.
For more information, refer to Section IV, Chapter 2, Topic A
143
A follow-up review finds that a significant internal control weakness has not been corrected. The chief audit executive discusses this matter with senior management and is informed of management's willingness to accept the risk. The CAE should
A. assess the reasons why senior management has decided to accept the risk and inform the board of senior management's decision.
B. initiate a fraud investigation to determine if employees have taken advantage of the internal control weakness.
C. do nothing further, because management is responsible for deciding the appropriate action to be taken in response to reported engagement observations and recommendations.
D. inform senior management that the weakness must be corrected and schedule another follow-up review.
ANSWER: A
RATIONALE
Senior management may decide to accept a risk due to cost or other considerations. The chief audit executive needs to assess senior management's rationale and then inform the board of management's decision.
For more information, refer to Section IV, Chapter 1, Topic G
144
An internal auditor develops an agenda for a preliminary meeting with a client, which includes, among other items, the topics for discussion listed below. Which item is inappropriate for this meeting?
A. Explanation of the analytical processes internal auditing will use to establish benchmarks for assessing function activities
B. Names of those involved from internal auditing
C. Names of those involved from the audited function
D. Review and sign-off practices
ANSWER: A
RATIONALE
Establishing the names of those who will be involved both in internal auditing and in the audited function is necessary at the preliminary meeting stage. While the client should understand what reports will be generated and to whom they will be delivered, it is not necessary to discuss with the client processes developed by internal auditing to complete its work, such as specific analytical approaches. However, the client may be involved in reviewing and signing off on the results of testing (except when fraud is detected). Discussing this requirement is appropriate in this meeting.
For more information, refer to Section IV, Chapter 1, Topic A
145
When an audit is assigned, management asks the auditor to evaluate the appropriateness of using self-insurance to minimize risk to the organization. Given the scope of the audit requested by management, should the auditor engage an actuarial consultant to assist in the audit if these skills do not exist in staff?
A. Yes. An actuary is essential to determine whether the insurance premiums are reasonable.
B. No. The audit department is skilled in assessing controls, and insurance control concepts are not distinctly different from other control concepts.
C. No. It is a normal audit function to assess risk; this audit engagement is therefore not unique.
D. Yes. The actuary has skills not usually found among auditors to identify and quantify self-insurance risks.
ANSWER: D
RATIONALE
Management has explicitly asked the auditor to assess the risks that the organization has incurred by moving to self-insurance. Auditors normally do not have these abilities. If necessary, the audit staffing should be supplemented by consultants with technical expertise the audit department does not possess. Self insurance involves setting asside a pool of money to pay for risk events directly and so does not have any insurance premiums.
For more information, refer to Section II, Chapter 1, Topic E
146
Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The chief audit executive is concerned with the time pressure, since the internal audit department is heavily involved in a major legal compliance audit that the audit committee has requested. Which of the following factors would be considered the least important in deciding whether existing internal audit resources should be moved from the ongoing legal compliance audit to the management-requested division audit?
A. Potential for significant regulatory fines associated with the legal compliance audit
B. Financial audit of the division in question for the operational audit by the external auditor a year ago
C. Potential of fraud associated with the legal compliance audit
D. Increase in expenditures at the division for the past year
ANSWER: B
RATIONALE
The results of a financial audit would be the least relevant factor in prioritizing the auditor's tasks, because the financial audit will not resolve the question asked by management. Also, the financial audit took place prior to the recent problems.
For more information, refer to Section I, Chapter 3, Topic A
147
Sales representatives for a manufacturing company are reimbursed for 100% of their cellular telephone bills. Cellular telephone costs vary significantly from representative to representative and from month to month, complicating the budgeting and forecasting processes. Management has requested that the internal auditors develop a method for controlling these costs. Which of the following would most appropriately be included in the scope of the consulting project?
A. Business process review of procurement and payables routines
B. Control self-assessment involving sales representatives
C. Benchmarking with other cellular telephone users
D. Performance measurement and design of the budgeting and forecasting processes
ANSWER: A
RATIONALE
A business process review assesses the performance of administrative and financial processes, such as within procurement and payables. It considers process effectiveness and efficiency, including the presence of appropriate controls, to mitigate business risk. Because the objective is to control cellular phone costs, business process review is the appropriate tool to use in this area.
For more information, refer to Section I, Chapter 2, Topic D
148
A financial institution is overstating revenue by charging too much of each loan payment to interest income and too little to repayment of principal. Which of the following audit procedures would be least effective in detecting this error?
A. Using generalized audit software to take a random sample of loan payments made during the period, calculating the correct posting amounts, and tracing the postings that are made to the various accounts
B. Using test data and submitting interest payments for various loans in the test portfolio to determine if they are recorded correctly
C. Performing an analytical review by comparing interest income this period as a percentage of the loan portfolio with the interest income percentage for the prior period
D. Using an integrated test facility and submitting interest payments for various loans in the facility portfolio to determine if they are recorded correctly
ANSWER: C
RATIONALE
This would be the least effective procedure because:
It provides only a comparison with the past period and that past period may have been suffering from the same problem.
It is a global test.
For more information, refer to Section III, Chapter 2, Topic D
149
An auditor prepares a working paper that consists of a list of employee names and identification numbers as well as the following statement:
By matching random numbers with employee identification numbers, 40 employee personnel files were selected to verify that they contain all documents required by company policy 501. No exceptions were noted.
The auditor does not place any tick marks on this workpaper. Which of the following changes would improve the auditor's workpaper the most?
A. Removing employee names to protect their confidentiality
B. Using tick marks to show that each file was examined
C. Adding the rationale for the sample size used
D. Listing the actual documents examined for each employee
ANSWER: C
RATIONALE
The workpaper should specify the sampling risk and the confidence level or precision achieved by the sample or the method of determining the size of the sample.
For more information, refer to Section III, Chapter 2, Topic E
150
A sales department has been giving away expensive items in conjunction with new product sales to stimulate demand. The promotion seems successful, but management believes the cost may be too high and has asked for a review by the internal audit activity. Which of the following procedures would be the least useful to determine the effectiveness of the promotion?
A. Comparing the unit cost of the products sold before and during the promotion period
B. Comparing product sales during the promotion period with sales during a similar non-promotion period
C. Performing an analysis of marginal revenue and marginal cost for the promotion period, compared to the period before the promotion
D. Performing a review of the sales department’s benchmarks used to determine the success of promotions
ANSWER: A
RATIONALE
There is no indication that the cost of the products sold has changed. The challenge is to address the effectiveness of the promotion. The other options would provide useful information related to the effectiveness of the promotion.
For more information, refer to Section I, Chapter 2, Topic C
151
An auditor has to make a number of decisions when using attributes sampling. The term efficiency is used to describe anything that affects sample size; the term effectiveness is used to describe the likelihood that the statistical sample result will be an accurate estimate of the true population error rate. Assume that an auditor expects a control procedure failure rate of 0.5%. The auditor is making a decision on whether to use a 90% or a 95% confidence level and whether to set the tolerable control failure rate at 3% or 4%. Which of the following statements regarding the efficiency and effectiveness of an attribute sample is true?
A. Decreasing the confidence level to 90% and decreasing the tolerable control failure rate to 3% will result in both increased efficiency and effectiveness.
B. Increasing the confidence level to 95% will increase audit efficiency.
C. Decreasing the tolerable failure rate from 4% to 3% will increase audit efficiency.
D. Increasing the confidence level to 95% and decreasing the tolerable control failure rate to 3% will increase audit effectiveness.
ANSWER: D
Increasing the confidence level and decreasing the tolerable failure rate will result in a much larger sample size and will give the auditor a more precise estimate of the population parameters.
For more information, refer to Section III, Chapter 1, Topic C
152
Which of the following is an example of an internal audit engagement objective related to external non-financial reporting?
A. Confirm the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting.
B. Confirm the accuracy of number of compensated overtime hours, by product line, by quarter, for fiscal year end (FYE) 3/31/XX.
C. Validate the accuracy and timeliness of productivity reports for each key performance indicator, by manufacturing division.
D. Validate the accuracy and timeliness of quarterly U.S. Occupational Safety and Health Administration (OSHA) lost-time injury reports.
ANSWER: D
RATIONALE
An example of an internal audit engagement objective is to validate the accuracy and timeliness of OSHA lost-time injury reports, which would be an external non-financial regulatory compliance reporting requirement. Confirming the accuracy and timeliness of subsidiary reporting for consolidated financial statement reporting is an audit objective related to financial reporting. Validation and/or confirmation of accuracy and timeliness of productivity reports and/or the accuracy of compensated overtime hours for a fiscal year end are internal audit objectives related to internal non-financial reporting.
For more information, refer to Section II, Chapter 1, Topic A
153
What is a valid reason to omit some evidence from official audit communications related to an assurance engagement?
A. The evidence, while objective, required subjective analysis.
B. The information is irrelevant to the objectives. The Standards prohibit omission of any other type of evidence.
C. Legal counsel advises against disclosure due to privacy implications.
D. The evidence simply confirms that a control is operating correctly.
ANSWER: C
RATIONALE
In cases where an organization's internal records include private or sensitive information on individuals or other entities, the information is usually protected by confidentiality agreements and/or government regulations. When in doubt about privacy implications, the auditor should have legal counsel review the information before disclosing it as evidence in official audit communications, especially if there may have been potential privacy violations. This will balance the auditor’s need to disclose findings against the counsel’s legal requirement to defend the organization.
For more information, refer to Section I, Chapter 2, Topic C
154
When conducting research, which of the following is most important?
A. Using computer databases to find all relevant sources
B. Presenting only those facts that support the conclusion
C. Providing documentation of the reference sources
D. Presenting all contrary views to balance the opinion
ANSWER: C
RATIONALE
When doing any research, it is essential to clearly document the source of the material referenced so that others may reproduce the answer.
For more information, refer to Section III, Chapter 1, Topic A
155
Which of the following poses the greatest risk of external business relationships?
A. The external business partner’s lack of compliance metrics.
B. The external business partner’s lack of confidentiality standards.
C. The organization’s responsibility for the actions of its partners.
D. The external business partner’s inefficient business processes.
ANSWER: C
RATIONALE
An overarching risk of external business partners is that the organization will be held responsible for the actions of its partners and perhaps even of the partners of those partners (i.e., third tier supply chain). Contractual provisions can help transfer some of this risk, but other risks, such as reputation risk, cannot be transferred. Lack of confidentiality standards and/or compliance metrics and/or inefficient processes would not pose risk as significant as the organization being responsible for the actions of its partners.
For more information, refer to Section I, Chapter 2, Topic C
156
An auditor is conducting a survey of the perceptions and beliefs of employees concerning an organization's health-care plan. The best approach to selecting a sample would be to
A. focus on managers and supervisors because they can also reflect the opinions of the people in their departments.
B. use stratified sampling where the strata are defined by marital and family status, age, and salaried/hourly status.
C. use monetary-unit sampling according to employee salaries.
D. focus on people who are likely to respond so that a larger sample can be obtained.
ANSWER: B
RATIONALE
Because different employees probably have different situations, needs, and experiences, stratified sampling would best ensure that a representative sample would result.
For more information, refer to Section III, Chapter 1, Topic C
157
Reviewing an edit listing of payroll changes processed during each payroll cycle would most likely reveal
A. inaccurate payroll deductions.
B. labor hours charged to the wrong account in the cost reporting system.
C. undetected errors in the payroll rates of new employees.
D. a failure to offer employees an opportunity to contribute to their pension plan.
ANSWER: C
RATIONALE
A category such as a new employee would generate a payroll change. The other options are not applicable to a listing of payroll changes.
For more information, refer to Section I, Chapter 2, Topic C
158
Documented career path alternatives for every job description is an example of which type of control?
A. Corrective
B. Directive
C. Preventive
D. Detective
ANSWER: D
RATIONALE
Directive controls are proactive and encourage desirable events to occur, such as an organization’s employees aspiring to new roles and responsibilities, which can be communicated through career path alternatives.
For more information, refer to Section II, Chapter 1, Topic B
159
During a performance audit, an internal auditor notices that a new key performance indicator (KPI) intended to promote corporate social responsibility (CSR) policy objectives requires managers to gather extensive information from their staff, who are required to fill out a form on the organization's intranet each month. Parts of the form require estimations or judgment calls. Other parts require gathering lots of detailed information. The manager needs to do some additional steps to aggregate the information, and business unit leads do further aggregation. Top management is very pleased with the reports. Based on this information, what is the best question listed that the internal auditor can ask regarding this KPI?
A. Does this KPI create opportunity for fraud due to the need for estimation or judgment?
B. Does this KPI allow top managers to drill down into the details enough?
C. Does this KPI produce timely enough information?
D. Does this KPI consider the human factor sufficiently?
ANSWER: D
RATIONALE
When auditing KPIs in a performance audit, one question to ask is whether the KPIs include the human factor. In other words, will they create frustration or confusion for employees? This KPI appears to be very time-consuming for staff and even for managers. Monthly reporting on what is essentially a long-term issue may be too frequent; quarterly reporting might be a good recommendation to reduce frustration with this reporting requirement. While it does require estimation or judgment calls, the area of CSR is less likely to be prone to fraud risk, especially since no mention is made in the question of whether managers have compensation or other incentives tied to meeting this KPI.
For more information, refer to Section I, Chapter 2, Topic C
160
If the internal auditor believes the organization has risk exposure that is outside the organization’s risk appetite, the internal auditor should
A. discuss the matter with management and escalate to enterprise risk management and/or the legal department, if necessary.
B. discuss the matter with management and escalate to senior management and the board, if appropriate.
C. discuss the matter with the audit committee chair, who will directly address the issue with the chief executive officer.
D. discuss the matter with the audit committee chair, who will evaluate the issue according to his/her oversight responsibilities.
ANSWER: B
RATIONALE
According to The IIA’s Implementation Guidance for Standard 2060, “Reporting to Senior Management and the Board,” if the CAE believes that senior management has accepted a level of risk that the organization would consider unacceptable, the CAE should first discuss the matter with senior management. If the CAE and senior management cannot resolve the matter, the CAE should communicate the matter to the board. If such issues are too urgent to wait until a scheduled board meeting (e.g. a major fraud), the CAE would be well advised to make arrangements to communicate sooner.
For more information, refer to Section II, Chapter 1, Topic B
161
Which statement is true of engagement supervision?
A. The lead auditor has primary responsibility for supervision.
B. Specific activities are prescribed in the Standards.
C. The extent of supervision should be consistent regardless of the proficiency of the internal auditors.
D. The extent of supervision should not depend on the complexity of the engagement.
ANSWER: B
RATIONALE
Standard 2340 interpretation states that “the extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement.” The chief audit executive has overall responsibility, but he or she may delegate responsibility to appropriately experienced members of the internal audit activity. Implementation Guide 2340 offers several suggestions for what proper supervision might include.
For more information, refer to Section III, Chapter 3, Topic A
162
Which of the following soft controls is most essential to a cloud service provider’s customers and other stakeholders?
A. Shared values
B. Trust
C. Open communications
D. High expectations
ANSWER: B
RATIONALE
Trust is the most essential soft control to a cloud service provider’s (CSP) customers and stakeholders. Before scalability, access to new technologies, convenience, speed or any other advantages to the customer, the CSP is selling information security; customers must trust that their data won’t get lost, wiped, corrupted or stolen, both while the data is in transit and while it is "at rest" on the cloud servers. While other soft controls such as open communications, setting high performance expectations and having shared values may be advantageous, trust is most essential in the CSP industry.
For more information, refer to Section II, Chapter 1, Topic B
163
The auditor of a construction company that builds foundations for bridges and large buildings performs a review of the expense accounts for augers, which are used to drill holes in rocks to set the foundation for the buildings. During the review, the auditor notes that the expenses related to some of the auger accounts increased dramatically during the year. The auditor asks the construction manager about this, and the manager offers the explanation that the augers last two to three years and are expensed when purchased. Thus, the auditor should see a decrease in the expense accounts for these augers in the next year but an increase in the expenses of other augers. The auditor also finds out that the construction manager is responsible for the inventorying and receiving of the augers and is a part owner of a company that supplies augers to the company. The supplier was approved by the president of the company to improve the quality of equipment. Assume that the auditor did not find a satisfactory explanation for the results of the analytical procedures performed and has conducted the appropriate follow-up procedures. The audit of the area is otherwise complete. Which of the following would be the most appropriate action to take?
A. Expand audit procedures by observing the receipt of all augers during a reasonable period of time and trace the receipts to the appropriate accounts. Determine causes of any discrepancies.
B. Note the actions and follow up next year. Defer the reporting to management until a satisfactory explanation can be obtained.
C. Report the findings to the construction manager and insist that appropriate internal controls such as independent receiving reports be implemented. Follow up to see if the controls are properly implemented.
D. Report the findings, as they are, to management and recommend an investigation for possible irregularities.
ANSWER: D
RATIONALE
Results or relationships from applying analytical auditing procedures that are not sufficiently explained should be communicated to the appropriate levels of management.
For more information, refer to Section IV, Chapter 2, Topic B
164
A preformatted numeric data entry field in a user interface would be characterized as which of the following control types?
A. Processing, corrective, and passive control
B. Hybrid, input, and detective control
C. Application, input, and preventive control
D. Application, process-level, and active control
ANSWER: C
RATIONALE
Input controls verify the integrity of data as it is entered into a system and is a subset of application controls, which are process- or transaction-level controls specific to an application. Preventive controls are proactive and deter undesirable events from occurring, such as entering alpha characters as an abbreviation for a month, which could cause problems in the database. A preformatted numeric data entry field is an example of all three.
For more information, refer to Section II, Chapter 1, Topic B
165
Branch managers view the internal auditing function as a watchdog for top management. What is the best way for internal auditing to change this view to one that is more cooperative?
A. Increase focus on control responsibilities.
B. Increase solicitation of audit client concerns.
C. Increase technical skills.
D. Increase confidentiality of investigative audits to minimize fear.
ANSWER: B
RATIONALE
Two-way communication is important in fostering a cooperative relationship. Control has negative connotations and breeds antagonism with line personnel. Interpersonal skills are more important than technical skills in fostering a cooperative relationship.
For more information, refer to Section III, Chapter 3, Topic A
166
A company recently experienced substantially reduced net profit from sales of product line A, which is produced in a dedicated machine shop. The internal auditors have been assigned the task of determining the cause of the reduced net profit. As a first step, the in-charge auditor should
A. test material vouchers for validity.
B. evaluate the elements of cost and compare them to prior periods.
C. analyze scrap and surplus records.
D. compare production records with cost standards.
ANSWER: B
RATIONALE
Analysis of the elements of cost can point out problem areas. Testing material vouchers for validity would not be best, since material is only one element of cost. Comparing production records with cost standards would not be the auditor's first step, as there is no assurance that the standards are valid. Analyzing scrap and surplus records would point to only one element, production inefficiencies.
For more information, refer to Section I, Chapter 2, Topic C
167
Which of the following is a significant control weakness for a medical instruments company that outsources all component parts manufacturing and performs all warehousing, assembly, sales, and distribution activities internally?
A. Failure to require that direct manufacturing overhead be omitted from contract pricing
B. Failure to require that cost reimbursement (cost-plus) contracts are used
C. Failure to obtain and review SOC 1 and SOC 2 reports (SSAE 18) for all business partner manufacturers
D. Failure to monitor external business partner performance according to contractual requirements
ANSWER: D
RATIONALE
Management monitoring of external business partner performance according to contractual provisions (i.e. quality, timeliness, regulatory and/or ISO standards compliance, pricing, etc.) is an essential control activity to mitigate the risk of producing substandard products. SOC 1 (internal controls over financial reporting) and SOC 2 (data center security) reports relate to service provider organizations and are for use by customers of a contracted service, not manufacturing organizations. Unit-price or fixed-price contracts would more likely be used in this instance; cost reimbursement contracts would not likely be used. Manufacturing overhead may or may not be included in contract pricing; accepting the inclusion of this business partner cost would not be an internal control weakness to the organization.
For more information, refer to Section I, Chapter 2, Topic C
168
Internal auditing is planning to monitor the outcome of an engagement in which a broad array of recommendations regarding physical security were made. These changes will require redesign and renovation of the physical facilities and installation of electronic security systems. What information should be known by internal auditing in advance?
A. Alternate ways management could satisfactorily resolve the objective
B. Date by which internal auditing expects the recommendations to have been implemented
C. Criteria for an effective management response
D. Specific dates for subsequent monitoring visits
ANSWER: C
RATIONALE
In identifying how outcomes will be monitored, it is critical that management's planned dates be agreeable to internal auditing (internal auditing may have an idea of what they would consider reasonable, but management should provide the completion date) and that internal auditing believes that the activity by management will resolve the findings and address internal auditing's recommendations. Internal auditing may also anticipate what type of proof will satisfy compliance with the recommendations, whether visual inspection or written assurance. Given the complexity of the recommendations, internal auditing should work with management to develop a monitoring schedule that makes the best use of auditors' time but also ensures that progress is being made. If management decides that there are other ways to deal with the control issues, then internal auditing would agree that management is resolving the problems in the audit findings with activity that they believe will eliminate the risks. Management may come up with an innovative solution that internal auditing has not considered.
For more information, refer to Section IV, Chapter 2, Topic B
169
An internal auditor is performing a due diligence engagement in connection with the possible acquisition of a small business. An audit objective is to validate large customer accounts receivable balances. Which of the following is the most relevant and reliable audit evidence of the small business’s largest customer’s account receivable balance?
A. The detailed sales invoices which total to the account receivable balance, sent via an email attachment from the accounting manager directly to the internal auditor
B. An original reconciliation of the account receivable subsidiary ledger to the general ledger, certified by the controller and reviewed by the internal auditor
C. A positive confirmation of the customer’s balance, which matches the subsidiary ledger exactly, received directly by the internal auditor from the customer
D. A detailed cash receipt listing, accompanied by check copies, showing a payment on the account receivable made by the large customer
ANSWER: C
RATIONALE
The direct customer confirmation of the balance is reliable, as it comes from a credible source and the auditor obtained the evidence directly. This is also relevant to the audit objective to validate the account receivable balance. The detailed sales invoices totaling to the account receivable balance may be relevant, but are not reliable as they were sent via an email attachment and electronic documents may be falsified, forged or altered. A certified reconciliation is neither relevant to the audit objective nor is it reliable audit evidence to validate the account receivable balance. A subsequent payment from the customer is not relevant audit evidence to the audit objective, but may be reliable to evidence that the customer owes an account receivable of some amount.
For more information, refer to Section II, Chapter 1, Topic D
170
An audit of accounts payable finds that the individuals responsible for maintaining the vendor master file can also enter vendor invoices into the accounts payable system. During the exit conference, management agrees to correct this problem. When performing a follow-up engagement of accounts payable, the auditor should expect to find that management has
A. modified the accounts payable system to prevent individuals who maintain the vendor master file from entering invoices.
B. compared the vendor and employee master files to determine if any unauthorized vendors have been added to the vendor master file.
C. modified the access control system to prevent employees from both entering invoices and approving payments.
D. transferred the individuals who maintained the vendor master file to another department to ensure that responsibilities are appropriately segregated.
ANSWER: A
RATIONALE
This is the only option that will correct the deficiency identified during the audit. Transferring the employees is not necessary and would not resolve the control problem. Comparing vendor and employee master files may help detect prior problems, but it does not create a control to address future problems. Modifing the access control system for employees would not address the problem because it does not involve the vendor master file.
For more information, refer to Section IV, Chapter 2, Topic A
171
An audit of payment activities related to an accounts payable function identified no significant internal control weaknesses. However, accounts payable procedures related to vendor ACH payments (automated clearinghouse payments), which are housed in the organization’s policies and procedures intranet portal, needed updating. Which of the following is the most appropriate follow-up procedure for this issue?
A. An internal auditor should conduct a targeted follow-up review.
B. Schedule a follow-up engagement after allowing significant time for corrective action.
C. Fix responsibility for follow up with the process owner.
D. No follow-up is necessary since no significant internal control weaknesses were identified.
ANSWER: C
RATIONALE
Making the process owner responsible for following up minimizes the required schedule time and involvement of the internal auditor and may be structured by specifying a reporting frequency and by requiring written documentation on the action item. The process owner could simply notify internal audit when the procedures have been updated and an internal auditor could look at the intranet portal to verify the updates. A targeted follow-up review is typically for action items of high priority related to significant risks. A follow-up engagement is the most involved type of follow-up and may involve spending more time than needed on less-critical items; process owners could view this as being bureaucratic. A targeted follow-up review or follow-up engagement should not be necessary in this instance as the responsibility for procedures updates should lie with the process owner, with simple verification by the auditor. Limited follow-up, as described above, would be appropriate in this circumstance, even though no significant internal control weaknesses were identified.
For more information, refer to Section IV, Chapter 2, Topic B
172
Complete the following analogy: A/An _________ is to an internal audit as an agenda is to a department meeting.
A. audit report
B. working paper
C. engagement work program
D. engagement contract
ANSWER: C
RATIONALE
In the same manner that an agenda provides structure to a meeting, describes its scope, and demonstrates preparation and accountability by those planning the meeting, the engagement work program outlines the scope and process of the planned engagement so that management can review and approve its direction. The audit report, engagement contract, and working papers are documentation of the audit activity but are not related to the documented agenda for the audit.
For more information, refer to Section II, Chapter 1, Topic D
173
If a department's operating standards are vague and thus subject to interpretation, an auditor should
A. interpret the standards in their strictest sense, because standards are otherwise only minimum measures of acceptance.
B. omit any comments on standards and the department's performance in relationship to those standards, because such an analysis would be inappropriate.
C. seek agreement with the departmental manager as to the criteria needed to measure operating performance.
D. determine best practices in the area and use them as the standard.
ANSWER: C
RATIONALE
If the internal auditor finds that the area's standards are vague or the engagement objectives are unclear, time is usually spent working with operational management to develop appropriate ones. The auditor should first seek to gain an understanding with the departmental manager on the appropriate standards and how they are applied to the organization. If internal auditors must interpret standards, they should seek agreement with the engagement client. Best practices may produce overly high standards.
For more information, refer to Section II, Chapter 1, Topic A
174
Audit engagement programs testing internal controls should
A. be generalized to fit all situations without regard to departmental lines.
B. reduce costly duplication of effort by ensuring that every aspect of an operation is examined.
C. be tailored for the audit of each operation.
D. be generalized in order to be usable at the various international locations of an organization.
ANSWER: C
RATIONALE
A tailored program is more relevant to an operation than a generalized program. Every aspect of an operation need not be examined—only those aspects likely to conceal problems and difficulties.
For more information, refer to Section II, Chapter 1, Topic A
175
The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources?
A. Using self-assessment questionnaires to address audit objectives
B. Filling vacancies with personnel from operating departments that are not being audited
C. Employing information technology in audit planning, sampling, and documentation
D. Eliminating consulting engagements from the engagement work schedule
ANSWER: D
RATIONALE
The audit schedule should be reduced only as a last resort once all other viable alternatives have been explored, including requesting additional resources. Self-assessment questionnaires are a means of efficiently addressing the objectives of certain internal audits. Use of technology is an appropriate means of achieving efficiencies in audit execution. Using operating personnel with internal audit interest and corporate experience is an appropriate way to enhance internal audit resources.
For more information, refer to Section II, Chapter 1, Topic E
176
Which engagement planning tool is general in nature and is used to ensure adequate audit coverage over time?
A. Audit activity’s budget
B. Engagement program
C. Audit activity’s charter
D. Long-range schedule
ANSWER: D
RATIONALE
The long-range schedule provides evidence of coverage of key functions at planned intervals. The charter is not really an engagement planning tool other than being an important input to abide by. The other options are limited in scope.
For more information, refer to Section II, Chapter 1, Topic E
177
Which of the following is an example of an adequate criterion for an internal audit?
A. Individually determined time ranges for department tasks
B. Level of employee job satisfaction
C. Living up to the spirit of travel booking principles
D. Management cooperation with audit procedure
ANSWER: B
RATIONALE
Audit criteria should provide benchmarks against which audit objectives can be measured; therefore, items like compliance rates and measures of performance or attitude would be reasonable criteria. Criteria may be generated internally if no meaningful external criteria exist to evaluate the objective, but each individual should not determine his or her own acceptable time ranges. While management cooperation may be measured, it is probably not aligned with an audit objective. Travel booking should have specific procedures that could be the subject of a criterion.
For more information, refer to Section II, Chapter 1, Topic A
178
A service company is currently experiencing significant downsizing and process reengineering. Its board of directors has redefined the business goals and established initiatives using internally developed technology to meet these goals. As a result, a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. The internal auditing staff is made up of the chief audit executive, two audit managers, and five staff auditors. Every staff auditor has a financial background. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. The division headquarters are the primary targets for possible elimination. The support functions—such as human resources, accounting, and purchasing—will be brought into the national headquarters, and technology will be enhanced to enable and augment these operations. Based on these changes and assuming that total audit resources remain the same, what activities should the internal auditing department perform to best serve the organization?
A. Increase audit time in systems development.
B. Increase audit time in service branches.
C. Increase audit time in functions being centralized.
D. Continue the allocation of audit time as before.
ANSWER: A
RATIONALE
Due to the focus on technology, audit time spent reviewing systems development should be increased. More testing of the same controls just because volume has increased is not a productive use of time. While a small incremental increase in audit time may be feasible, the benefit derived would be minimal. Changes to business goals, processes, and focus will also require proactive changes by the internal auditing department.
For more information, refer to Section II, Chapter 1, Topic E
179
The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and that this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner?
A. By allowing more time in the schedule for the auditor to become familiar with local practice and technology
B. By building enough slack into the schedule to deal with the types of problems that are likely to occur in a global project
C. By aligning auditor skills and knowledge with area needs before making assignments
D. By working more closely with the audit client to secure support for the assigned auditor
ANSWER: C
RATIONALE
The most efficient way to manage this situation is to avoid it through better planning. In this case, the knowledge and skills of audit team members should have been considered before making assignments. The auditor in question might have been assigned to a different country or might have been teamed with an auditor more familiar with the country’s practices and technology. The other suggestions are not efficient solutions.
For more information, refer to Section II, Chapter 1, Topic E
180
Audit evidence is considered to be more persuasive if it is
A. known by an auditor's personal intuition rather than from third-party confirmation.
B. obtained under conditions of weak rather than strong controls.
C. obtained from an external rather than internal source, even if it does not pertain to an audit objective.
D. verified by written inquiry of a third party rather than by internally maintained documents.
ANSWER: D
RATIONALE
Written inquiry/confirmation obtained from outside third parties is more persuasive than internal company documents. An internal auditor's knowledge or observation of facts can be more persuasive than third-party confirmation because it is more likely to credible, but intuition, while it might help start up the right lines of inquiry, is not evidence in itself.
For more information, refer to Section II, Chapter 1, Topic D
181
An internal auditor is conducting a preliminary survey to prepare for an assurance audit of the information technology area in a financial services company. Area management has provided a list of probable risks and associated controls to assist internal auditing. In the course of conducting a physical survey of the offices, the internal auditor notices several places where terminal screens are easily visible to those outside the secure area. This risk has not been identified by the client. What should the internal auditor do?
A. Note the condition for discussion during the next regularly scheduled audit engagement.
B. Report the situation to senior management.
C. Refrain from assessing this risk since it is outside the engagement scope.
D. Incorporate this observed risk into the engagement objectives.
ANSWER: D
RATIONALE
According to Implementation Standard 2210.A2, the objectives of an assurance engagement should not be limited to entity risk assessment. Probable risk exposures must be considered when developing engagement objectives. If the client refuses to address an identified risk, internal auditing would be justified in bringing this matter to the attention of senior management.
For more information, refer to Section II, Chapter 1, Topic A
182
The internal audit activity of a large corporation has established its operating plan and budget for the coming year. The operating plan is restricted to the following categories: a prioritized listing of all engagements, staffing, a detailed expense budget, and the commencement date of each engagement. Which of the following best describes the major deficiency of this operating plan?
A. Knowledge, skills, and disciplines required to perform work are ignored.
B. Opportunities to achieve operating benefits are ignored.
C. Requests by management for special projects are not considered.
D. Measurability criteria and targeted dates of completion are not provided.
ANSWER: D
RATIONALE
The goals of the internal audit activity, as stated in specific operating plans and budgets, should include measurability criteria and targeted dates of accomplishment.
For more information, refer to Section II, Chapter 1, Topic E
183
New credit policies have been implemented in the automated order entry system to control collectability. These policies prevent entering any new sales order that would cause the customer's accounts receivable balance to exceed average sales for any two-month period in the prior 12-month period. Divisional sales management has compiled over a dozen examples that show decreased sales and delayed order entry. Division management contends that these examples are a direct result of the new credit policy constraints. Sales management's data and information provides
A. irrelevant argumentative information.
B. evidence that the new credit policy is not meeting the stated corporate objective to control the collectability of new sales volume.
C. feedback control data on the new corporate credit policy.
D. a statistically valid conclusion about the impact on customer goodwill concerning the credit policy.
ANSWER: C
RATIONALE
An advantage of feedback control is that managers can use the information on past performance to improve future performance. Because the argument is apparently supported in the data, the auditor should consider the sales management data relevant. The sales management data shows that automated controls have, in fact, been successful in meeting the stated objective. The data is not framed to present statistically valid information and is biased to show negative results.
For more information, refer to Section II, Chapter 1, Topic D
184
One of the objectives for an internal auditing consulting engagement is to evaluate training delivered to department supervisors. Which of the following would be a poor procedure to attain this objective?
A. Conducting interviews with recently hired or promoted supervisors
B. Analyzing organizational strategies and operational objectives
C. Surveying similar industries to establish benchmarks for training supervisors
D. Reviewing supervisor performance ratings for the past three years
ANSWER: D
RATIONALE
Reviewing performance ratings might indicate a need for training, but ratings by themselves will not deliver much useful information about specific training needs or the adequacy of current training. Ratings may also be affected by many factors not related to training, such as poor hiring choices. However, checking records to see whether training is being delivered, interviewing individuals to identify useful training topics, and comparing the organization's approach to training with that of similar organizations are all procedures that will yield useful information that will help internal auditing attain its engagement objective.
For more information, refer to Section II, Chapter 1, Topic D
185
The transportation department for a large manufacturing company maintains its vehicle inventory and maintenance records in a database on a stand-alone computer in the fleet supervisor's office. Which audit approach is most appropriate for evaluating the accuracy of the database information?
A. Simulating normal processing by using test programs
B. Submitting batches of test transactions through the current system and verifying with expected results
C. Using program tracing to show how and in what sequence program instructions are processed in the system
D. Verifying a sample of records extracted from the database with supporting documentation
ANSWER: D
RATIONALE
Verifying is the most common technique in testing the accuracy of information maintained by a system, whether manual or automated. Test decking of a database and simulating normal processing will test the program but not the accuracy of data in the database. Tracing would require that additional coding be inserted into the database system programs.
For more information, refer to Section II, Chapter 1, Topic D
186
Which of the following is a possible assurance engagement objective related to the purchasing function?
A. To ensure that goods received are properly reflected in purchasing records
B. To get external auditors to verify receiving reports
C. To run background checks on unauthorized vendors
D. To review and authorize purchases eligible for competitive bids
ANSWER: A
RATIONALE
Engagement objectives may be stated in various ways, but it should be clear what assurances internal audit will provide. If the audit is intended to consider potential unauthorized vendors, an appropriate objective might be to determine if vendors are authorized in accordance with management criteria. The other answers also make it unclear what internal auditing will provide or improperly create a task for external auditors.
For more information, refer to Section II, Chapter 1, Topic A
187
Which of the following is the best rationale for conducting a preliminary survey when preparing for an internal audit?
A. To demonstrate commitment and thoroughness to the client
B. To create the engagement objectives
C. To provide more specific information about the activity being audited that can help refine the audit testing
D. To provide a general level of familiarization with the activity for internal auditors who may not have worked in this area before
ANSWER: C
RATIONALE
Preliminary surveys are recommended to gain more detailed information about the activity that can be used to refine or clarify (rather than create) the objectives of both the engagement and the activity, the determination of the processes to be audited, the internal auditing resources that will be required to achieve these objectives, and the audit scope. A preliminary survey should provide more than a general familiarization. While a preliminary survey does demonstrate professionalism, this is not the most important rationale for conducting one.
For more information, refer to Section III, Chapter 1, Topic A
188
A typical purpose of the internal audit manual is
A. to provide guidance to internal auditors to support compliance with The IIA’s position papers.
B. to provide the audit committee with evaluation criteria for chief audit executive performance.
C. to coordinate roles and responsibilities within audit and in relation to other internal and external bodies.
D. to provide evidence of a well-controlled internal audit activity for regulatory authorities and external auditors.
ANSWER: C
RATIONALE
The purpose of the audit manual is, in general, to:
* Provide guidance that will support adherence to the profession’s code of ethics and professional standards,
* Define a high level of performance expectations for staff,
* Focus activity members on key objectives and values,
* Coordinate roles and responsibilities within audit and in relation to other internal and external bodies,
* Codify critical processes, and
* Provide the basis on which to evaluate the internal auditing activity’s performance.
An operating manual does not provide evidence of a well-controlled activity. Evaluation criteria for CAE performance is likely established through performance metrics and/or other action plans, goals and objectives. The IIA’s position papers are written for a broad audience of interested parties; the audit manual would support internal audit compliance with The IIA’s mandatory guidance such as the code of ethics and professional standards.
For more information, refer to Section I, Chapter 1, Topic A
189
Which is a realistic benefit of proper engagement supervision?
A. Proper focus on risks over adding value to the organization
B. Appropriate communication of doing the right things in the right way
C. Ability to right-size engagement scope during an engagement without approval delays
D. Stronger assurance about key control activities
ANSWER: B
RATIONALE
Supervision is a key part of an internal audit engagement. It helps ensure that all elements of the process are executed properly, but it does not necessarily enhance the assurance provided to management. Implementation Guide 2340 offers several suggestions for what proper supervision might include.
For more information, refer to Section III, Chapter 3, Topic A
190
Writing an audit program occurs at which stage of the audit process?
A. During the planning stage
B. At the end of each audit (The standard audit program is revised for the next audit to ensure coverage of noted problem areas.)
C. Subsequent to testing internal controls, to determine whether to rely on the controls or audit around them
D. As the audit is performed
ANSWER: A
RATIONALE
Planning must include writing the audit program (Implementation Standard 2201.A1).
For more information, refer to Section II, Chapter 1, Topic A
191
What is the highest level of approval that should be obtained for any significant changes to the internal audit activity plan of engagements?
A. Senior management
B. Chief audit executive
C. Board of directors
D. Chief executive officer
ANSWER: C
RATIONALE
The internal audit activity plan of engagements should be approved by the board and communicated to the audit committee. As indicated in Implementation Guide 2020, "Communication and Approval," significant interim changes should be submitted to the board for approval and information.
For more information, refer to Section I, Chapter 3, Topic A
192
Why is the initial client meeting for an environmental audit important?
A. It allows management to provide preliminary proof of regulatory compliance.
B. It helps the auditor to better understand general trends in recent audits.
C. It allows the auditor to explain the importance of continuous monitoring.
D. It provides a forum for rapport building for all parties.
ANSWER: D
RATIONALE
The first meeting often sets the tone for the upcoming internal audit. It provides a chance to discuss the purpose and approach of the audit as well as an opportunity for the internal auditor to gain insights into management in the area being audited. Handled professionally, the preliminary client contact can encourage positive, open communications for the duration of the engagement.
For more information, refer to Section IV, Chapter 1, Topic A
193
A new chief audit executive (CAE) needs to establish reporting protocols for the frequency of communicating significant risk and control issues to senior management and the board. To determine the frequency of reporting, the CAE should
A. collaborate with senior management and the board to establish appropriate reporting frequencies.
B. consider the past results of, and the timing and extent of planned external auditor testing.
C. consider resource constraints impacting internal audit communications of significant risk and control matters.
D. collaborate with compliance, risk management and other second line of defense leadership on their reporting protocols.
ANSWER: A
RATIONALE
The interpretation to Standard 2060, “Reporting to Senior Management and the Board” states, “the frequency and content of reporting are determined collaboratively by the chief audit executive, senior management, and the board.” External auditor testing would not impact the frequency of internal audit reporting. Resource constraints would not be a primary consideration for establishing protocols for the frequency of internal audit reporting. The frequency of independent internal audit reporting would not be impacted by second line of defense reporting protocols.
For more information, refer to Section I, Chapter 3, Topic B
194
Management has asked the auditor to recommend monitoring controls that could be established to provide timely oversight of the information systems contract. Which of the following would be the least effective monitoring control?
A. Requiring monthly internal reports summarizing overhead rates used in billings
B. Randomly investigating selected cost accounts throughout the year to determine if all the expenses are properly charged to the governmental unit
C. Using internal auditors to investigate the appropriateness of costs as part of a yearly audit of the outsourcer
D. Requiring monthly reports by the outsourcer of total costs billed and services rendered
ANSWER: C
RATIONALE
The audit activity of investigating costs is one of compliance auditing, not monitoring. The control procedure occurs only once a year and does not provide timely feedback for monitoring operations. A monitoring control is one that provides timely information to management as to whether an activity may be out of control.
For more information, refer to Section IV, Chapter 2, Topic B
195
Monetary-unit sampling is most useful when the internal auditor
A. expects to find several material errors in the sample.
B. is concerned with over-statements.
C. is testing the accounts payable balance.
D. cannot cumulatively arrange the population items.
ANSWER: B
RATIONALE
Overstated items have a greater chance of being included in a monetary-unit sample. Additionally, samples under this procedure include more of the "higher dollar" accounts because of the way the sample is conducted. Errors in these accounts are more likely to result in material misstatements and are thus more critical to the internal auditor.
For more information, refer to Section III, Chapter 1, Topic C
196
Which of the following is not typically included in a work program?
A. Objectives and scope of the engagement
B. Preliminary opinions
C. Procedures for preparing a draft engagement communication and soliciting feedback from process-level management
D. Specific tests that will be conducted
ANSWER: B
RATIONALE
A work program documents all the judgments and conclusions made during the planning phase and ensures that all engagement team members understand what has been completed and what remains to be performed. Opinions are the effects of the internal auditor’s observations and recommendations in the activities reviewed during the engagement; they are formulated when audit fieldwork is complete and are not used as a preliminary hypothesis for testing.
For more information, refer to Section II, Chapter 1, Topic D
197
When conducting an audit follow-up of a finding related to cash management routines, which of the following needs to be considered?
A. Whether benefits have accrued to the entity as a result of resolving the condition
B. Whether controls have been implemented to eliminate the possibility of a recurrence of the finding
C. Whether inherent risk has been eliminated as a result of resolution of the condition
D. Whether the steps being taken consider eliminating the use of cash as a payment option
ANSWER: A
RATIONALE
It is appropriate to assess whether steps being taken are resolving the condition, appropriate controls have been implemented to deter or detect the condition, and benefits have accrued to the entity. It is not necessary, however, to ensure that inherent risk has been eliminated. (This could be accomplished only by eliminating the use of cash, which is unrealistic.)
For more information, refer to Section IV, Chapter 2, Topic B
198
An audit committee should be designed to enhance the independence of both the internal and external audit functions and to insulate the audit functions from undue management pressures. Using these criteria, audit committees should be composed of
A. only external members of the board of directors or other similar oversight committees.
B. only members from the relevant outside regulatory agencies.
C. members from all important constituencies, specifically including representatives from banking, labor, regulatory agencies, shareholders, and officers.
D. M Ma rotating subcommittee of the board of directors.
ANSWER: A
RATIONALE
Audit committees should be made up of external members of the board of directors or other similar oversight committees.
For more information, refer to Section I, Chapter 2, Topic E
199
During a review of purchasing operations, an auditor finds that procedures in use do not agree with stated company procedures. However, audit tests reveal that the procedures in use represent an increase in efficiency and a decrease in processing time without a discernible decrease in control. The auditor should
A. report the change and suggest that the change in procedures be documented.
B. develop a flowchart of the new procedures and include it in the report to management.
C. report the lack of adherence to documented procedures as an operational deficiency.
D. suspend the completion of the engagement until the engagement client documents the new procedures.
ANSWER: A
RATIONALE
The auditor has identified a change in process that should be brought to the attention of management and documented.
For more information, refer to Section IV, Chapter 1, Topic E
200
An auditor completes work on a segment of an audit program. It is clear that a problem exists that will require a modification of the organization's distribution procedures. The audit client agrees and implements revised procedures. The internal auditor should
A. work with the client to develop and report on an appropriate recommendation.
B. report the problem and assume that management will take appropriate action.
C. indicate in the audit report that the audit client has determined and implemented corrective action.
D. research the problem and recommend in the audit report measures that should be taken.
ANSWER: C
RATIONALE
Crediting the audit client's determination and implementation of the corrective action will appeal to the audit client's esteem.
For more information, refer to Section IV, Chapter 1, Topic B
201
The COSO Enterprise Risk Management (ERM) and ISO 31000 frameworks
A. can both be characterized as periodic projects that should be performed at least annually.
B. are primarily distinguished by COSO ERM being principles-based and ISO 31000 being rules-based.
C. are primarily distinguished by ISO 31000 begin principles-based and COSO ERM being rules-based.
D. can both be characterized as ongoing processes that should be imbedded in day-to-day activities and decision making.
ANSWER: D
RATIONALE
Neither framework represents isolated, stand-alone concepts; enterprise risk management is not static. It is integrated into the development of strategy, the formulation of business objectives, and the implementation of those objectives through day-to-day decision making. Also, both frameworks are principles based; neither one is rules-based.
For more information, refer to Section I, Chapter 2, Topic B
202
An auditor is considering the potential sources of evidence regarding the effectiveness of a division's total quality management (TQM) program. Assume that all comparisons are for similar time periods and durations and current items are compared with similar items before the implementation of the TQM program. The least persuasive evidence would be a comparison over the two time periods of
A. manufacturing and distribution costs per unit.
B. customer returns.
C. employee morale.
D. scrap and rework costs.
ANSWER: C
RATIONALE
Employee morale is important and often is a side benefit of TQM programs. However, employee morale is not a sufficient reason to implement TQM. There should be some evidence of greater customer satisfaction or reduced costs.
For more information, refer to Section III, Chapter 2, Topic B
203
The chief audit executive for a city has just completed a quarterly meeting with the audit committee. The committee has expressed two major concerns it would like the audit department to examine as part of its operational audits during the next year:
* Is the downsizing that the city has been going through resulting in the right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee's concerns.
* Is the city making suboptimal long-range decisions in an effort to improve short-range cash flow? In particular, the audit committee has suggested that the internal audit department perform an operational audit of the transportation department, which is responsible for the operation of the city bus line.
During a meeting with staff auditors to discuss the possibility of doing such an audit, a staff member suggests that the department ought to gather some statistics on employee morale and potential changes in employee absenteeism. Another staff member asserts that such criteria are not important because they are not measurable and not relevant—only results are relevant. With respect to the debate, which of the following statements is true?
A. Job performance and results are more easily and accurately measured than employee morale, but objective tests can be created to measure morale.
B. Because employee absenteeism is more readily measurable than employee morale, the auditor should gather evidence only on absenteeism.
C. Absenteeism and employee morale cannot be objectively measured, but they should be subjectively assessed by auditor walkthroughs.
D. The audit should focus entirely on the objectives expressed by the committee's two major concerns and spend no time on morale or absenteeism since they are off subject.
ANSWER: A
RATIONALE
Performance and results are more easily identified and measured than a personal feeling such as morale. Objective tests are available to measure things like morale; such measures are not left merely to subjective evaluation from observation. Auditors do not gather only the most easily collected evidence. Ease of collection should not be the sole criterion of evidence selection.
For more information, refer to Section II, Chapter 1, Topic B
204
Which of the following is the best reason for the chief audit executive to consider the strategic plan in developing the annual audit plan?
A. To emphasize the importance of the internal audit function
B. To ensure that the internal audit plan supports the overall business objectives
C. To ensure that the internal audit plan will be approved by senior management
D. To make recommendations to improve the strategic plan
ANSWER: B
RATIONALE
Considering the strategic plan in the development of the internal audit plan will ensure that the audit objectives support the overall business objectives stated in the strategic plan.
For more information, refer to Section I, Chapter 2, Topic A
205
The costs of quality that are incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications are referred to as
A. prevention costs.
B. external failure costs.
C. appraisal costs.
D. internal failure costs.
ANSWER: C
RATIONALE
Appraisal costs are those costs incurred incurred to evaluate purchased materials, processes, products, and services to ensure conformance to specifications These costs include inspecting and testing raw materials and work-in-process inventory.
For more information, refer to Section I, Chapter 2, Topic C
206
In planning internal audit engagements, internal auditors must consider
A. management requests related to the objectives of the engagement established by the internal auditor.
B. the significant risks to the activity’s objectives, resources, and operations.
C. the key controls over external financial reporting, for U.S. public companies.
D. the cost/benefit of performing a detailed engagement level risk assessment.
ANSWER: B
RATIONALE
According to standard 2201, “Planning Considerations,” in planning the engagement, internal auditors must consider the significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level. Internal auditors are not required to consider management requests related to engagements. Internal auditors are not required to consider key controls over reporting; engagement objectives may be primarily related to compliance, operational and or other business objectives. Internal auditors are not required to consider the cost/benefit of performing an engagement level risk assessment.
For more information, refer to Section II, Chapter 1, Topic C
