Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

Certified Internal Auditor > Level 1 - Essentials of Internal Auditing > Flashcards

Level 1 - Essentials of Internal Auditing Flashcards

(125 cards)

Start Studying
1
Q

A specific objective of an audit of an organization’s expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives identified in the Standards?

I. Reliability and integrity of financial and operational information.
II. Compliance with laws, regulations, and contracts.
III. Effectiveness and efficiency of operations.
IV. Safeguarding of assets.

a. I and II only.
b. I and IV only.
c. I, II, and IV only.
d. II, III, and IV only.

A

b) I and IV only.

I. Correct. According to Standard 2130.A1: “The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
- Achievement of the organization’s strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.”
The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the reliability and integrity of information.

II. Incorrect. The specific engagement objective described does not address compliance.

III. Incorrect. The specific engagement objective described may address effectiveness of operations but does not address efficiency.

IV. Correct. The specific engagement objective of determining if all goods paid for have been received would address the objective regarding safeguarding of assets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following is “mandatory guidance” in The IIA’s IPPF?

I. Implementation Guidance.
II. Code of Ethics.
iII. The Core Principles for the Professional Practice of Internal Auditing.
IV. Standards.

a. I, II, and IV only.
b. II and IV only.
c. II, III, and IV only.
d. I, II, III, and IV.

A

c) II, III, and IV only

I. Incorrect. Implementation Guides are only recommended guidance; they are not mandatory guidance.

II. III, and IV. Correct. The IIA’s Code of Ethics, Core Principles for the Professional Practice of Internal Auditing, and the Standards are mandatory guidance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following is a Core Principle for the Professional Practice of Internal Auditing?

a. Maintain confidentiality.
b. Promote an ethical culture in the internal audit profession.
c. Develop consistency in internal audit practices.
d. Is appropriately positioned and adequately resourced.

A

d)

a. Incorrect. This is a principle of The IIA’s Code of Ethics but not one of the Core Principles.

b. Incorrect. This is the purpose of The IIA’s Code of Ethics.

c. Incorrect. This is not a Core Principle, nor is it something even desirable across the internal audit profession, as practice will vary depending on organizational environment, culture, and level of maturity of the audit function.

d. Correct. This is one of the 10 Core Principles.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following types of IPPF guidance require(s) public exposure?

I. A new Implementation Guide.
II. A new standard.
III. A new Supplemental Guide for auditing cybersecurity.
IV. A new definition in the IPPF Glossary.

a. III only.
b. II and IV only.
c. II, III, and IV only.
d. I, II, III, and IV.

A

b) II and IV only

I. Incorrect. The Implementation Guides do not require public exposure prior to issuance; they only require internal IIA committee approval.

II. Correct. A new standard requires public exposure of 90 days.

III. Incorrect. Supplemental Guides do not require public exposure; they only require internal IIA committee approval.

IV) Correct. The Glossary is a part of the Standards. Thus, new definitions or changes to the definitions require 90-day public exposure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following is a part of the Mission of Internal Audit?

a. Promoting an ethical culture in the profession of internal auditing.
b. Protecting organizational value.
c. Reducing the occurrence of fraud.
d. Respecting the value and ownership of information received and not disclosing information without appropriate authority.

A

b)

a. Incorrect. This is the purpose of the Code of Ethics.

b. Correct. The Mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

c. Incorrect. This is management’s responsibility. Internal audit evaluates the potential of fraud (Standard 2120.A2). Further, this is only one part of protecting organizational value.

d. Incorrect. This is the confidentiality principle from the Code of Ethics.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following is not a role of the internal audit activity in best practice governance activities?

a. Support the board in enterprisewide risk assessment.
b. Ensure the timely implementation of audit recommendations.
c. Monitor compliance with the corporate code of conduct.
d. Discuss areas of significant risks.

A

b)

a. Incorrect. The internal audit activity performs this role. The board and management are responsible for the identification of an appropriate risk model and methodology.

b. Correct. It is the role of management to ensure the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit activity works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.

c. Incorrect. The internal audit activity should monitor compliance with the corporate code of conduct set by the board and management.

d. Incorrect. The internal audit activity is responsible for discussing significant financial, technical, and operational risks and exposures and the plans to minimize such risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following is not true with regard to the internal audit charter?

a. It defines the authorities and responsibilities for the internal audit activity.
b. It specifies the minimum resources needed for the internal audit activity.
c. It provides a basis for evaluating the internal audit activity.
d. It should be approved by senior management and the board.

A

b)

a. Incorrect. The internal audit charter defines the necessary authorities and responsibilities.

b. Correct. The internal audit manual and annual audit plan help in determining the resource requirements.

c. Incorrect. The internal audit charter defines the role and responsibility of the internal audit activity and acts as a benchmark for evaluating the audit activity.

d. Incorrect. The internal audit charter should be approved by senior management and the board.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of the following is not a responsibility of the CAE?

a. To communicate the internal audit activity’s plans and resource requirements to senior management and the board for review and approval.
b. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication.
c. To oversee the establishment, administration, and assessment of the organization’s system of risk management processes.
d. To follow up on whether appropriate management actions have been taken on significant reported risks.

A

c)

a. Incorrect. This is a responsibility of the CAE, according to Standard 2020.

b. Incorrect. This is a responsibility of the CAE, according to Standard 2050.

c. Correct. This is the role of senior management and the board, not the CAE.

d. Incorrect. This is a responsibility of the CAE, according to Standard 2500.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The function of internal auditing, as related to internal financial reports, would be to:

a. Ensure compliance with reporting procedures.
b. Review the expenditure items and match each item with the expenses incurred.
c. Determine if there are any employees expending funds without authorization.
d. Identify inadequate controls that increase the likelihood of unauthorized expenditures.

A

d)

a. Incorrect. The Standards do not require internal auditors to ensure compliance with reporting procedures.

b. Incorrect. There is no expected match of funds flows with expense items in a single time period.

c. Incorrect. This would be a function of the personnel and/or finance departments.

d. Correct. Internal auditors are responsible for identifying inadequate controls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

In a well-developed management environment, the internal audit activity would:

a. Report the results of an audit engagement to line management as well as to senior management.
b. Conduct initial audits of new computer systems after they have begun operating.
c. Interface primarily with senior management, minimizing interactions with line managers who are the subjects of internal audit work.
d. Focus primarily on asset management and report results to the audit committee.

A

a)

a. Correct. In a well-developed management system, the internal audit activity is used to provide a more direct benefit to line operations by providing feedback to operating management as well as to senior management.

b. Incorrect. Emphasis should be placed on the audits of proposed products and systems. These early examinations could be used to determine the feasibility and/or desirability of changes before these changes are implemented.

c. Incorrect. The role of the internal auditor involves interfacing with management at the operating level as well as at the senior level.

d. Incorrect. Asset management would not be a primary focus of the internal audit activity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A consulting activity appropriately performed by the internal audit activity is:

a. Designing systems of control.
b. Drafting procedures for systems of control.
c. Reviewing systems of control before implementation.
d. Installing systems of control.

A

c)

a. Incorrect. Designing systems is presumed to impair audit objectivity.

b. Incorrect. Drafting procedures for systems is presumed to impair independence.

c. Correct. Reviewing systems, even before implementation, is an activity appropriately performed by the internal audit activity and does not impair objectivity.

d. Incorrect. Installing systems of controls is presumed to impair independence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A performance audit engagement typically involves:

a. Review of financial statement information, including the appropriateness of various accounting treatments.
b. Tests of compliance with policies, procedures, laws, and regulations.
c. Appraisal of the environment and comparison against established criteria.
d. Evaluation of organizational and departmental structures, including assessment of process flows.

A

c)

a. Incorrect. Financial audit engagements involve review of financial information.

b. Incorrect. Compliance audit engagements involve examining control procedures and their compliance.

c. Correct. Performance audit engagements involve review of performance against set criteria.

d. Incorrect. Operational audit engagements involve reviewing organizational and departmental structures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Determination of cost savings is most likely to be an objective of:

a. Program audit engagements.
b. Financial audit engagements.
c. Compliance audit engagements.
d. Operational audit engagements.

A

d)

a. Incorrect. Program audit engagements address accomplishment of program objectives.

b. Incorrect. Financial auditing addresses accuracy of financial records.

c. Incorrect. Compliance auditing addresses compliance with requirements, including legal and regulatory requirements.

d. Correct. Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Senior management of an entity has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by:

a. A formal consulting engagement agreement.
b. An informal consulting engagement agreement.
c. A special consulting engagement agreement.
d. An emergency consulting engagement agreement.

A

a)

a. Correct. Such training should be planned and is continuous in nature. It should be subject to a consulting agreement that is formal and written to ensure that the needs and expectations of those that will be trained are recognized and satisfied.

b. Incorrect. This type of agreement applies more to routine tasks.

c. Incorrect. This type of agreement applies more to occasional, one-time special arrangements.

d. Incorrect. This type of agreement applies more to unplanned engagements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

An auditor is reviewing an organization’s plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend excluding from the performance scorecard?

a. Product innovation.
b. Market share.
c. Customer satisfaction.
d. Employee development.

A

a)

a. Correct. Innovations in the production of goods or services do not typically lend themselves to ongoing performance measurement.

b. Incorrect. Key results in market share track changes to the organization’s competitive position.

c. Incorrect. Key results in customer satisfaction help predict future sales.

d. Incorrect. Key results in employee development help predict the ability to attract and retain good employees.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When assessing the risk associated with an activity, an internal auditor should:

a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.

A

b)

a. Incorrect. Determining how unacceptable risk should be managed is the role of management.

b. Correct. Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective.

c. Incorrect. Designing and updating the risk management process is the role of management.

d. Incorrect. Designing controls would impair the internal auditor’s independence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

An auditor, nearly finished with an engagement, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing engagement and there is pressure to complete the current engagement. The auditor notes the problem and forwards the information to the CAE but performs no further follow-up. The auditor’s actions would:

a. Be in violation of The IIA’s Code of Ethics for withholding meaningful information.
b. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud.
c. Not be in violation of either The IIA’s Code of Ethics or Standards.
d. Both a. and b.

A

c)

a. Incorrect. The auditor is not withholding information because the information has been forwarded to the CAE. The information may be useful in a subsequent engagement in the marketing area.

b. Incorrect. The auditor has documented a red flag that may be important in a subsequent engagement. This does not violate the Standards.

c. Correct. There is no violation of either The IIA’s Code of Ethics or the Standards. See answers “a” and “b.”

d. Incorrect. See answers “a” and “b.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following would be permissible under The IIA’s Code of Ethics?

a. In response to a subpoena, an auditor appeared in a court of law and disclosed confidential, audit-related information that could potentially damage the auditor’s organization.
b. An auditor used audit-related information in a decision to buy stock issued by the employer corporation.
c. After praising an employee in a recent audit engagement communication, an auditor accepted a gift from the employee.
d. An auditor did not report significant observations about illegal activity to the board because management indicated that it would resolve the issue.

A

a)

a. Correct. Auditors must exhibit loyalty to the organization but must not be a party to any illegal activity. Thus, auditors must comply with legal subpoenas.

b. Incorrect. Rule of Conduct 3.2 prohibits auditors from using audit information for personal gain.

c. Incorrect. Rule of Conduct 2.2 prohibits auditors from accepting anything that might be presumed to impair the auditor’s professional judgment.

d. Incorrect. Rule of Conduct 1.3 prohibits auditors from knowingly being a party to any illegal or improper activity. Significant observations of illegal activity should be reported to the board.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

An internal auditor who encounters an ethical dilemma not explicitly addressed by The IIA’s Code of Ethics should always:

a. Seek counsel from an independent attorney to determine the personal consequences of potential actions.
b. Take action consistent with the principles embodied in The IIA’s Code of Ethics.
c. Seek the counsel of the audit committee before deciding on an action.
d. Act consistently with the employing organization’s code of ethics, even if such action would not be consistent with The IIA’s Code of Ethics.

A

b)

a. Incorrect. The auditor must act consistently with the spirit embodied in The IIA’s Code of Ethics. It would not be practical to seek the advice of legal counsel for all ethical decisions. Ethics is a moral and professional concept, not just a legal concept.

b. Correct. This is consistent with the concepts embodied in The IIA’s Code of Ethics.

c. Incorrect. It would not be practical to seek the audit committee’s advice for all potential dilemmas. Further, the advice might not be consistent with the profession’s standards.

d. Incorrect. If the organization’s standards are not consistent with, or as high as, the profession’s standards, the professional internal auditor should abide by the standards of the profession.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Audit committees are most likely to participate in the approval of:

a. Audit staff promotions and salary increases.
b. The internal audit report observations and recommendations.
c. Audit work schedules.
d. The appointment of the CAE.

A

d)

a. Incorrect. The company’s CAE is responsible for staff promotions.

b. Incorrect. The company’s CAE is responsible for approving internal audit reports.

c. Incorrect. This is a part of the internal audit activity’s planning function.

d. Correct. The independence of the internal audit activity is enhanced when the audit committee participates in naming the CAE.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Organizational independence exists if the CAE reports <List> to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity <List> without interference:</List></List>

List A
a. Administratively
b. Administratively
c. Functionally
d. Functionally

List B

a. controls the scope and performance of work and reporting of results.

b. approves the internal audit budget and risk-based internal audit plan.

c. controls the scope and performance of work and reporting of results.

d. approves the internal audit budget and risk-based internal audit plan.

A

a)

a. Correct. IIA Standard 1110 states that the CAE “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” Organizational independence exists if the CAE: Reports functionally to the board, has direct and unrestricted access to the board, reports administratively to the CEO or a similar head of the organization, or reports administratively to some other organizational level so long as the internal audit activity controls the scope of work, performance of the work, and the reporting of results without interference.

b. Incorrect. See answer “a.”

c. Incorrect. See answer “a.”

d. Incorrect. See answer “a.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The independence of the internal audit department may be impaired in which of the following situations?

a. The CAE reports functionally to the board of directors.
b. The internal audit department has unrestricted access to information, people, and records throughout the organization.
c. The CAE has an established reporting relationship with the audit committee.
d. The internal audit department has responsibility for the organization’s risk and compliance areas.

A

d)

a. Incorrect. Standard 1110 interpretation states: “Organizational independence is effectively achieved when the CAE reports functionally to the board.”

b. Incorrect.

c. Incorrect. According to IIA Practice Guide, Independence and Objectivity, direct and unrestricted access to the governing body allows the internal activity to be insulated from possible threats to independence.

d. Correct. The interpretation of Standard 1112 notes that organizational independence may be impaired or appear to be impaired if the CAE assumes roles/responsibilities outside of internal auditing. Standard 1112 states that if this occurs, safeguards must be in place to limit impairments to independence or objectivity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

To promote a positive image within an organization, a CAE planned to conduct assurance engagements that highlighted potential cost savings. Negative observations were to be omitted from the engagement’s final communications. Which action taken by the CAE would be considered a violation of the Standards?

I. The focus of the audit engagements was changed without modifying the charter or consulting the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Costs savings recommendations were highlighted in the engagement final communications.

a. I only.
b. I and II only.
c. I and III only.
d. II and III only.

A

b) I and II only

I. and II. Correct. The CAE dramatically changed the nature of the audit activity without consulting the audit committee or modifying the internal audit charter. Standard 1000 states that the purpose, authority, and responsibility of the internal audit activity must be formally defined in a charter. Standard 2400 requires that internal auditors communicate the engagement results. Standard 2420 states that communications must be accurate, objective, clear, concise, constructive, complete, and timely. The Interpretation further states that complete communications are lacking nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.

III.Incorrect. Highlighting potential costs savings is appropriate for an engagement final communication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

A scope limitation is a restriction placed upon the internal audit activity that precludes it from accomplishing its objectives and plans. When faced with a proposed scope limitation, the CAE should:

a. Refuse to perform the engagement until the scope limitation is removed.
b. Communicate the limitation and its potential effect, preferably in writing to the board.
c. Increase the frequency of engagements concerning the activity in question.
d. Assign more experienced personnel to the engagement.

A

b)

a. Incorrect. The engagement may be conducted under a scope limitation.

b. Correct. According to Standard 1130 - Impairment to Independence or Objectivity, impairments to organizational independence and individual objectivity may include scope limitations. The details of the impairment need to be disclosed, preferably in writing to the board.

c. Incorrect. A scope limitation does not necessarily require more frequent engagements.

d. Incorrect. A scope limitation does not necessarily require more experienced personnel.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
The call center of an organization has requested that the internal audit department review procedures and controls during the implementation of a new process. The CAE should: a. Not accept the engagement because recommending controls would impair future objectivity regarding this operation. b. Not accept the engagement because internal audit activities are presumed to have expertise regarding accounting controls, not process controls. c. Accept the engagement but indicate to management that, because recommending controls impairs independence, future engagements in the area will be impaired. d. Accept the engagement because individual objectivity will not be impaired.
d) a. Incorrect. According to PA 1120-1, recommending controls will not adversely affect the internal auditor’s objectivity. The auditor’s objectivity is considered impaired if the auditor designs, installs, drafts procedures for, or operates such systems. b. Incorrect. The internal audit activity should be able to evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems (Standard 2120.A1). c. Incorrect. See answer “a.” Independence is not impaired by making control recommendations. d. Correct. Recommending standards of control for systems or reviewing procedures prior to implementation does not impair objectivity (PA 1120-1). Additionally, if the engagement is deemed to involve consulting services, objectivity is not required provided that any impairment thereof is disclosed to the client prior to acceptance of the engagement (Standard 1130.C2). See also IIA Practice Guide, Independence and Objectivity.
26
Which of the following actions would be a violation of auditor independence? a. Continuing on an audit assignment at a division for which the auditor will soon be responsible as the result of a promotion. b. Reducing the scope of an engagement due to budget restrictions. c. Participating on a taskforce that recommends standards of control for a new distribution system. d. Reviewing a purchasing agent’s contract drafts before their execution.
a) a. Correct. An auditor who has been promoted to an operating department should not continue on an audit of that department. The CAE should reassign auditors if a conflict of interest or bias may be reasonably inferred. b. Incorrect. Budget restrictions do not constitute a violation of an auditor’s independence. c. Incorrect. An auditor may recommend standards of control for new systems. However, designing, installing, or operating such systems might impair objectivity. d. Incorrect. An auditor may review contracts before their execution.
27
As part of a company-sponsored award program, an internal auditor was offered an award of significant monetary value by a division in recognition of the cost savings that resulted from the auditor’s recommendations. According to the International Professional Practices Framework, what is the most appropriate action for the auditor to take? a. Accept the gift because the engagement is already concluded and the report issued. b. Accept the award under the condition that any proceeds go to charity. c. Inform audit management and ask for direction on whether to accept the gift. d. Decline the gift and advise the division manager’s superior.
c) a. Incorrect. Audit management should always be informed concerning any such offers. b. Incorrect. Audit management should always be informed concerning any such offers. c. Correct. Audit management should be consulted for guidance. d. Incorrect. This could erode the audit activity’s relationship with the division in question. Audit management should first be informed and consulted for guidance.
28
A CIA, working as the director of purchasing, signs a contract to procure a large order from the supplier with the best price, quality, and performance. Shortly after signing the contract, the supplier presents the CIA with a gift of significant monetary value. Which of the following statements regarding the acceptance of the gift is correct? a. Acceptance of the gift would be prohibited only if it were non-customary. b. Acceptance of the gift would violate The IIA’s Code of Ethics and is prohibited for a CIA. c. Because the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by the organization’s code of conduct. d. Because the contract was signed before the gift was offered, acceptance of the gift would not violate either The IIA’s Code of Ethics or the organization’s code of conduct.
b) a. Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus would not be acceptable. b. Correct. As long as an individual is a Certified Internal Auditor, he or she should be guided by the profession’s Code of Ethics in addition to the organization’s code of conduct. Rule of Conduct 2.2 of The IIA’s Code of Ethics would preclude such a gift because it could be presumed to have influenced the individual’s decision. c. Incorrect. See answer “b.” d. Incorrect. See answer “b.” Further, there is not sufficient information given to judge possible violations of the organization’s code of conduct. However, the action could easily be perceived as a kickback.
29
In which of the following situations would an auditor potentially lack objectivity? a. An auditor reviews the procedures for a new electronic data interchange connection to a major customer before it is implemented. b. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit activity. c. An auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits. d. A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
b) a. Incorrect. An internal auditor’s objectivity is not adversely affected when the auditor reviews procedures before they are implemented. b. Correct. Standard 1130A.1 states that persons transferred to the internal audit activity should not be assigned to audit those activities that they previously performed until at least one year has elapsed. c. Incorrect. An internal auditor’s objectivity is not adversely affected when the auditor recommends standards of control for systems before they are implemented. d. Incorrect. Use of staff from other areas to assist the internal auditor does not impair objectivity, especially when the staff is from outside the area being audited.
30
An internal auditor assigned to audit a vendor’s compliance with product quality standards is the brother of the vendor’s controller. The auditor should: a. Accept the assignment but avoid contact with the controller during fieldwork. b. Accept the assignment but disclose the relationship in the engagement final communication. c. Notify the vendor of the potential conflict of interest. d. Notify the CAE of the potential conflict of interest.
d) a. Incorrect. Even if the auditor avoided contact with the controller, there would still be the appearance of conflict of interest. b. Incorrect. Situations of potential conflict of interest or bias should be avoided, not merely disclosed. c. Incorrect. Conflicts of interest should be reported to the CAE, not the vendor or engagement client. d. Correct. Implementation Guide 1130 – Impairment to Independence or Objectivity states that internal auditors should report to internal audit management any situations in which a conflict of interest or bias is present or may reasonably be inferred.
31
The CAE has assigned an internal auditor to perform a year-end engagement to evaluate payroll records. The internal auditor has contacted the director of compensation and has been refused access to necessary documents. To avoid this problem: a. Access to records relevant to performance of engagements should be specified in the internal audit activity’s charter. b. Internal audit should be required to report to the CEO of the organization. c. By following the long-range planning process, access to all relevant records should be guaranteed. d. Audit committee approval should be required for all scope limitations.
a) a. Correct. The internal audit activity should have the support of management and the board in gaining cooperation from all engagement clients (PA 1110-1). Specific guidelines should be written in its charter authorizing access to records, personnel, and physical properties relevant to the performance of engagements (PA 1000-1). b. Incorrect. The internal audit activity need not report to a specific individual in the organization, although reporting administratively to the CEO is desirable and recommended. c. Incorrect. Following the long-rant planning process provides no guarantee of access. d. Incorrect. The internal audit activity should inform the board of any scope limitations, but its approval is not required.
32
A written charter approved by the board that formally defines the internal audit activity’s purpose, authority, and responsibility enhances its: a. Exercise of due professional care. b. Proficiency. c. Relationship with management. d. Independence.
d) a. Incorrect. Due professional care is an attribute of work performed. b. Incorrect. Proficiency is an attribute of the knowledge, skills, and other competencies possessed by internal auditors. c. Incorrect. The internal audit activity’s relationship with management is a function of professionalism and relates to a working relationship. d. Correct. According to PA 1100-1, objectivity and organization status are a means of achieving independence. Therefore, the charter should establish the internal audit activities status within the organization, authorize access to information relevant to engagements, and define the scope of the internal audit activities (PA 1000-1).
33
To avoid creating conflict between the CEO and the audit committee, the CAE should: a. Submit copies of all engagement communications to the CEO and audit committee. b. Strengthen independence through organizational status. c. Discuss all pending engagement communications with the CEO and the audit committee. d. Request board establishment of policies covering the internal audit activity’s relationship with the audit committee.
d) a. Incorrect. The CEO and audit committee most likely should receive summary reports. b. Incorrect. Independence is not sufficient to avert conflict unless reporting relationships are well defined. c. Incorrect. See answer “a.” d. Correct. To avoid conflict between the CEO and the audit committee, the CAE should request that the board establish policies covering the internal audit activity’s relationships with the audit committee. The CAE should have regular communication with the board, audit committee, or other appropriate governing authority. Additionally, the board should approve a charter that defines the purpose, authority, and responsibility of the internal audit activity.
34
Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of engagements. Which of the following best promotes independence? a. A policy that requires internal auditors to report to the CAE any situations in which a conflict of interest or bias on the part of the individual internal auditor is present or may reasonably be inferred. b. A policy that prevents the internal audit activity from recommending standards of control for systems that it evaluates. c. An organizational policy that allows engagements concerning sensitive operations to be outsourced. d. An organizational policy that prevents personnel transfers from operating activities to the internal audit activity.
a) a. Correct. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. Moreover, staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so. The CAE should periodically obtain from the internal audit staff information concerning potential conflicts of interest and bias, and internal auditors should report to the CAE any situations in which a conflict of interest or bias is present or may reasonably be inferred. The CAE should then reassign such auditors (PA 112-1 and PA 1130-1). b. Incorrect. Internal audit may recommend standards of control for systems that it evaluates. c. Incorrect. Outsourcing certain engagements does not promote the independence of the internal audit activity. d. Incorrect. Transfers from operating activities to the internal audit activity usually are permitted. However, transferees should not be assigned to engagements concerning activities they previously performed until a reasonable period of time has elapsed.
35
According to the International Professional Practices Framework, internal auditors should possess which of the following skills? I. Internal auditors should understand human relations and be skilled in dealing with people. II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices. III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance, and IT. IV. Internal auditors should be skilled in oral and written communication. a. II only. b. I and III only. c. III and IV only. d. I, II, and IV only.
d) I, II and IV only I, II, IV. Correct. Internal auditors are expected to be able to recognize good business practices, understand human relations, and be skilled in oral and written communications. III. Incorrect. Internal auditors are not expected to be experts in a wide variety of fields related to their audit responsibilities.
36
In selecting an instructional strategy for developing internal audit staff, a CAE should begin by reviewing: a. Organizational objectives. b. Learning content. c. Learners’ readiness. d. Budget constraints.
a) a. Correct. Without objectives, there is no direction to achieve the strategy. b. Incorrect. Without objective setting, content cannot be outlined. c. Incorrect. Learners’ readiness should be considered after determining objectives. d. Incorrect. Budget constraints should be considered later in the process.
37
When conducting a performance appraisal of an internal auditor who has been a below-average performer, it is not appropriate to: a. Notify the internal auditor of the upcoming appraisal several days in advance. b. Use objective, impartial language. c. Use generalizations. d. Document the appraisal.
c) a. Incorrect. In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of the upcoming appraisal, use objective language, and document the appraisal. b. Incorrect. See answer “a.” c. Correct. It is not appropriate to use generalizations when giving a performance appraisal to a below-average performer. Rather, the evaluator must cite specific information and be prepared to support assertions with evidence. d. Incorrect. See answer “a.”
38
A CAE for a very small internal audit department has just received a request from management to perform an audit of an extremely complex area in which the CAE and the department have no expertise. The nature of the audit engagement is within the scope of internal audit activities. Management has expressed a desire to have the engagement conducted in the very near future because of the high level of risk involved. Which of the following responses by the CAE would be in violation of the Standards? a. Discuss with management the possibility of outsourcing the audit of this complex area. b. Add an outside consultant to the audit staff to assist in the performance of the audit engagement. c. Accept the audit engagement and begin immediately because it is a high-risk area. d. Discuss the timeline of the audit engagement with management to determine if there is sufficient time to develop appropriate expertise.
c) a. Incorrect. Outsourcing would be an appropriate response when auditors do not possess the needed background or skills and cannot develop such skills in a timely fashion. b. Incorrect. Adding a consultant would be an appropriate response when auditors do not possess the needed background or skills and cannot develop such skills in a timely fashion. c. Correct. Planning and executing the audit engagement without the appropriate background and skills would be in violation of Standard 1210. Standard 1210 requires that the internal audit department provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the audits to be performed. The auditors do not have such expertise. d. Incorrect. Determining whether there is sufficient time and ability to develop such skills would be an appropriate response. Internal auditors should be committed to lifelong learning; thus, it would not be unreasonable to have them expand their knowledge and skillset.
39
The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner? a. Align auditor skills and knowledge with area needs before making assignments. b. Allow more time in the schedule for the auditor to become more familiar with local practice and technology. c. Work more closely with the audit client to secure more support for the assigned auditor. d. Build enough slack into the schedule to deal with the types of problems that are likely to occur in a global project.
a) a. Correct. The most efficient way to manage this situation is to avoid it through better planning. In this case, the knowledge and skills of audit team members should have been considered before making assignments. The auditor in question might have been assigned to a different country, or might have been teamed with an auditor who is more familiar with the country’s practices and technology. The other suggestions are not efficient solutions. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
40
A CAE wants to build the strength of the function in the area of IT business continuity. The best way to accomplish this goal would be to: a. Ask management to include internal audit in debrief sessions after an IT loss of service. b. Provide consulting engagements on appropriate IT contingency plans. c. Conduct a business impact analysis (BIA) for a test function. d. Purchase software systems designed to assess IT risks.
a) a. Correct. The best path mentioned is to request that internal auditors be included in debriefing sessions after incidents. This would allow the internal audit staff to learn more about the IT risks specific to the organization, the recovery needs for business processes, and the strengths and weaknesses of different contingency plans. The function cannot perform IT contingency planning audits without more expertise in this area and more knowledge about the organization’s needs and goals. A BIA would provide a greater sense of risks, but not necessarily of controls. Software systems are useful assessment tools but would not provide organizational business continuity knowledge on their own. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
41
A CAE plans to make changes that may be perceived negatively by the audit staff. The best way to reduce resistance would be to: a. Develop the new approach fully before presenting it to the audit staff. b. Ask the CEO to approve the changes and have the CEO attend the departmental staff meeting when they are presented. c. Approach the staff with the general idea and involve them in the development of the changes. d. Get the internal audit activity’s clients to support the changes.
c) a. Incorrect. Developing the plan and then presenting it to the audit staff would not help reduce their resistance to change. b. Incorrect. Involving the CEO will not necessarily reduce the audit staff’s resistance to change. c. Correct. Involving the staff in the change from the beginning will reduce their resistance to change. d. Incorrect. Involving the internal audit activity’s clients will not necessarily reduce the audit staff’s resistance to change.
42
Of the following reasons for employees to resist a major change in organizational processes, which is least likely? a. Threat of loss of jobs. b. Required attendance at training classes. c. Breakup of existing workgroups. d. Imposition of new processes by senior management without prior discussion.
b) a. Incorrect. Real or imagined loss of jobs is a common reason for employees to resist any change. b. Correct. Employee training programs facilitate performing jobs in a new or different way. c. Incorrect. Members of workgroups often exert peer pressure on one another to resist change, especially if social relationships are changed. d. Incorrect. Lack of communication and discussion of the need for change threatens the status quo.
43
The internal audit activity has scheduled an engagement relating to a construction contract. One portion of this engagement will include comparing materials purchased with those specified in the engineering drawings. The internal audit activity does not have anyone on staff with sufficient expertise to complete this procedure. The CAE should: a. Delete the engagement from the schedule. b. Perform the entire engagement using current staff. c. Engage an engineering consultant to perform the comparison. d. Accept the contractor’s written representations.
c) a. Incorrect. The engagement is within the scope of the internal audit activity. b. Incorrect. Performing the engagement using current (unqualified) staff is inappropriate. c. Correct. According to Standard 1210, auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Since the internal audit activity does not have anyone with the necessary expertise, the hiring of an engineering consultant would be appropriate. d. Incorrect. Accepting the contractor’s representations without adequate testing is inappropriate.
44
What is the appropriate solution to resolve staff communication problems with engagement clients? a. Provide staff with sufficient training to enhance communication skills. b. Avoid unnecessary communication with engagement clients. c. Discuss communication problems with staff auditors. d. Meet with engagement clients to resolve communication problems.
a) a. Correct. According to PA 1210-1, internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations. b. Incorrect. The issue is the quality rather than the quantity of communication. c. Incorrect. Communication problems should be resolved through effective training. d. Incorrect. Meeting with engagement clients will not resolve problems caused by poor staff communication skills.
45
To ensure that due professional care has been taken at all times during an engagement, the internal auditor should always: a. Ensure that all financial information related to the audit is included in the audit plan and examined for nonconformance or irregularities. b. Ensure that all audit tests are fully documented. c. Consider the possibility of nonconformance or irregularities at all times during an engagement. d. Communicate any noncompliance or irregularity discovered during an engagement promptly to the audit committee.
c) a. Incorrect. The automatic inclusion of financial information in an audit does not guarantee that due professional care has been achieved for the audit as a whole. b. Incorrect. Keeping detailed working papers does not ensure that due professional care has been taken during the tests. c. Correct. Considering the possibility of nonconformance or material irregularities at all times during an engagement is the only way of demonstrating that due professional care has been taken in an internal audit assignment, according to Implementation Guide 1220 – Due Professional Care. d. Incorrect. Due professional care does not require that all instances of noncompliance or irregularity be reported to the audit committee.
46
An internal auditor has some suspicion, but no evidence, of potential misstatement of financial statements. The internal auditor has failed to exercise due professional care if (s)he: a. Identified potential ways in which a misstatement could occur and ranked the items for investigation. b. Informed the engagement manager of the suspicions and asked for advice on how to proceed. c. Did not test for possible misstatement because the engagement work program had already been approved by engagement management. d. Expanded the engagement work program, without the engagement client’s approval, to address the highest ranked ways in which a misstatement may have occurred.
c) a. Incorrect. Ranking the ways in which a misstatement could occur and seeking advice are consistent with the due professional care standard. b. Incorrect. See answer “a.” c. Correct. Due professional care requires the exercise of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Because engagement work programs are expected to be modified to reflect changing circumstances, the internal auditor would fail to exercise due professional care if he or she did not investigate a suspected misstatement solely because the engagement work program had already been approved. d. Incorrect. See answer “c.”
47
An internal auditor should exercise due professional care in performing assurance engagements. Due professional care includes: a. Establishing direct communication between the CAE and the board of directors. b. Evaluating established operating standards and determining whether those standards are acceptable and being met. c. Accumulating sufficient information so that the internal auditor can give absolute assurance that irregularities do not exist d. Establishing suitable criteria of education and experience for filling internal audit positions.
b) a. Incorrect. Such communication promotes the independence of the internal audit activity rather than the performance of engagements with due professional care. b. Correct. In the exercise of due professional care, an internal auditor should, among other things, consider the adequacy and effectiveness of risk management, control, and governance processes (Standard 1220. A1). Furthermore, adequate criteria are needed to evaluate controls. Thus, internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished (Standard 2120.A4). Internal auditors should evaluate the established operating targets and expectations and should determine whether those operating standards are acceptable and are being met (PA 2120.A4-1). c. Incorrect. Assurance procedures alone, even when performed with due professional care, cannot guarantee that all significant risks will be identified (Standard 1220.A2). d. Incorrect. Establishing suitable criteria of education and experience for filling internal audit positions pertains to proficiency, not due professional care.
48
Due professional care calls for: a. Detailed review of all transactions related to a particular function. b. Infallibility and extraordinary performance when the system of internal control is known to be weak. c. Consideration of the possibility of material irregularities during every engagement. d. Testing in sufficient detail to give absolute assurance that noncompliance does not exist.
c) a. Incorrect. Detailed reviews of all transactions are not required. b. Incorrect. Reasonable care and skill, not infallibility or extraordinary performance, are necessary. c. Correct. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the internal auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed reviews of all transactions. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever an internal auditor undertakes an internal audit assignment (PA 1220-1). d. Incorrect. Only reasonable, not absolute, assurance can be given.
49
A certified internal auditor performed an assurance engagement to review a department store’s cash function. Which of the following actions would be deemed lacking in due professional care? a. Organizational records were reviewed to determine whether all employees who handle cash receipts and disbursements were bonded. b. A flowchart of the entire cash function was developed, but only a sample of transactions was tested. c. The final engagement communication included a well-supported recommendation for the reduction in staff, although it was known that such a reduction would adversely affect morale. d. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
d) a. Incorrect. This review is a standard procedure. b. Incorrect. Sampling is permissible. Detailed reviews of all transactions are often not required or feasible. c. Incorrect. In exercising due professional care, internal auditors should be alert to inefficiency. d. Correct. Internal auditors do not guarantee the absence of fraud. They are responsible for exercising due professional care, which includes evaluating the risk management, control, and governance processes that prevent or detect fraud and being alert to the significant risks that might affect objectives, operations, or resources (Standards 1220.A1 and 1220.A2). However, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist (PA 1220-1).
50
The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources? a. Using self-assessment questionnaires to address audit objectives. b. Employing IT in audit planning, sampling, and documentation. c. Eliminating consulting engagements from the engagement work schedule. d. Filling vacancies with personnel from operating departments that are not being audited.
c) a. Incorrect. Self-assessment questionnaires are a means of efficiently addressing the objectives of certain internal audits. b. Incorrect. Use of technology is an appropriate means of achieving efficiencies in audit execution. c. Correct. The audit schedule should only be reduced as a last resort once all other variable alternatives have been explored, including the request for additional resources. d. Incorrect. Using operating personnel with internal audit interest and corporate experience is an appropriate way to enhance internal audit resources.
51
Internal auditors are responsible for continuing their education in order to maintain their proficiency. Which of the following is correct regarding the continuing education requirements of the practicing internal auditor? a. Internal auditors are required to obtain 40 hours of continuing professional education each year and a minimum of 120 hours over a 3-year period. b. Certified internal auditors (CIAs) have formal requirements that must be met in order to continue as CIAs. c. Attendance as an officer or a committee member at formal IIA meetings does not meet the criteria of continuing professional development. d. In-house programs meet continuing professional education requirements only if they have been approved by The IIA.
b) a. Incorrect. The Standards do not state formal hour requirements for internal auditors. The intent of the Standards is to provide flexibility in meeting the requirements. b. Correct. Internal auditors should enhance their knowledge, skills, and other competencies through CPE (Standard 1230). To maintain the CIA designation, the CIA must commit to a formal program of CPE and report to the Certification Department of The IIA. c. Incorrect. Continuing education may be obtained by participation in professional societies. d. Incorrect. Prior approval by The IIA is not necessary for CPE courses.
52
In most organizations, the rapidly expanding scope of internal audit responsibilities requires continual training. What is the main purpose of such a training program? a. To comply with continuing education requirements of professional organizations. b. To use slack periods in engagement scheduling. c. To help individuals achieve personal career goals. d. To achieve both individual and organizational goals.
d) a. Incorrect. The CAE should establish a program for selecting and developing human resources, but compliance with continuing education requirements of professional organizations is not the primary purpose. b. Incorrect. Training can be conducted during slack periods, but this is not the primary objective. c. Incorrect. Both personal and IIA goals should be achieved. d. Correct. By being informed and staying current, internal auditors are better prepared to reach their personal goals. In addition, internal audit responsibilities are more readily discharged by auditors having the required knowledge, skills, and other competencies.
53
According to the Standards, internal auditors are responsible for continuing their education in order to: a. Satisfy the 40 hours per year of required continuing professional education. b. Maintain their proficiency. c. Practice internal auditing. d. Qualify for membership in The IIA.
b) a. Incorrect. Not specified in the Standards. b. Correct. According to PA 1230-1. c. Incorrect. CPE is not a requirement to practice internal auditing. d. Incorrect. CPE is not a requirement for membership.
54
Which of the following activities are designed to provide feedback on the effectiveness of an internal audit activity? I. Proper supervision. II. Proper training. III. Internal assessments. IV. External assessments. a. I, II, and III only. b. I, II, and IV only. c. I, III, and IV only. d. II, III, and IV only.
c) I, III, and IV only a. Correct. Quality assurance and improvement programs are designed to provide feedback on the effectiveness of an internal audit activity. A quality assurance and improvement program should include supervision, which provides day-to-day feedback. b. Incorrect. Proper training is important, but it does not provide feedback. c. Correct. A quality assurance and improvement program should include internal assessments. d. Correct. A quality assurance and improvement program should include external assessments.
55
Which of the following is part of an internal audit activity’s quality assurance and improvement program, rather than being included as part of the CAE’s other responsibilities? a. The CAE provides information about and access to internal audit workpapers to the external auditors to help them understand and determine the degree to which they may rely on the internal auditors’ work. b. Management approves a formal charter establishing the purpose, authority, and responsibility of the internal audit activity. c. Each individual internal auditor’s performance is appraised at least annually. d. Supervision of an internal auditor’s work is performed throughout each audit engagement.
d) a. Incorrect. This statement relates to the responsibility of the CAE to coordinate with external auditors (Standard 2050). b. Incorrect. A CAE’s responsibility to seek approval of a charter that establishes authority, purpose, and responsibility (Standard 1000 and related Implementation Guide 1000 – Purpose, Authority, and Responsibility) is not part of a quality assurance and improvement program. c. Incorrect. Individual performance appraisals are part of a CAE’s responsibility toward personnel management and development. d. Correct. Supervision is one method of ongoing review, which is part of the internal assessment aspect of a quality assurance and improvement program (Standard 1311 Interpretation).
56
What is the first step in establishing an effective internal audit performance measurement process? a. Define internal audit effectiveness. b. Interview key internal and external stakeholders. c. Align the internal audit process with performance measurement processes used throughout the organization. d. Propose specific measures of effectiveness and efficiency.
a) a. Correct. The first step is to define internal audit effectiveness, based on the Definition of Internal Auditing, the Code of Ethics, the Standards, existing charters, internal audit deliverables that the activity has agreed to produce, and internal consensus. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
57
Ordinarily, those conducting internal quality program assessments should report to: a. The board. b. The CAE. c. Senior management. d. The external auditors.
b) a. Incorrect. The CAE should periodically share the results of internal assessments with appropriate persons outside the internal audit activity, such as the board, senior management, and the external auditors. b. Correct. An internal audit activity capable of formally conducting internal assessments of its quality program should establish a reporting structure conducive to maintaining appropriate credibility and objectivity. Ordinarily, those assigned responsibility for conducting ongoing and periodic internal reviews should report to the CAE while performing the reviews and should communicate their results directly to the CAE (PA 1311-1). c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
58
According to the Standards, which of the following statements is correct regarding communication of quality assurance and improvement programs? a. The CAE determines the form and content of results communicated without seeking input from senior management or the board. b. The results of external assessments are communicated upon their completion. c. The results of periodic internal assessments are communicated at least monthly. d. The results of ongoing monitoring are communicated upon their completion.
b) a. Incorrect. The form, content, and frequency of communicating results of quality assessment and improvement programs is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and the CAE, as contained in the internal audit charter. b. Correct. According to Standard 1320, the results of external assessments should be communicated upon their completion. c. Incorrect. The results of periodic internal assessments are communicated upon their completion. d. Incorrect. The results of ongoing monitoring are communicated annually.
59
Internal auditors may report that their activities are conducted in accordance with the Standards only if: a. They demonstrate compliance with the Standards. b. An independent external assessment of the internal audit activity is conducted annually. c. Senior management or the board is accountable for implementing a quality program. d. External assessments of the internal audit activity are made by the external auditors.
a) a. Correct. According to Standard 1330-1, internal auditors may use the statement only if assessment of the quality improvement program demonstrates that the internal audit activity is in compliance with the Standards. b. Incorrect. An independent external assessment should be conducted at least once every five years (Standard 1330-1). c. Incorrect. The CAE is responsible for implementing a quality program (PA 1310-1). d. Incorrect. Quality assurance reviews should ordinarily not be conducted by the organization’s external audit firm, except when made under legislative mandate (PA 1312-1).
60
Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, instances may exist in which full compliance is not achieved. Which of the following situations would require disclosure to senior management and the board? a. The internal audit activity does not comply with the Standards. b. The internal auditors do not comply with the Code of Ethics. c. The internal audit activity does not comply with the Standards, or the internal auditors do not comply with the Code of Ethics. d. Noncompliance with the Standards or the Code of Ethics affects the overall operation of the internal audit activity.
d) a. Incorrect. See answer “d.” b. Incorrect. See answer “d.” c. Incorrect. See answer “d.” d. Correct. According to Standard 1340, when noncompliance affects the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.
61
The internal audit activity should contribute to the organization’s governance process by evaluating the processes through which: I. Ethics and values are promoted. II. Effective organizational performance management and accountability are ensured. III. Risk and control information is communicated. IV. Activities of the external and internal auditors and management are coordinated. a. I only. b. IV only. c. II and III only. d. I, II, III, and IV.
d) I, II, III, and IV a. Correct. Evaluating whether ethics and values are promoted would contribute to corporate governance, according to Standard 2110. b. Correct. Evaluating the effectiveness of organizational performance management and accountability would contribute to corporate governance, according to Standard 2110. c. Correct. Evaluating how risk and control information is communicated would contribute to corporate governance, according to Standard 2110. d. Correct. Evaluating the coordination of the external and internal auditors and management would contribute to corporate governance, according to Standard 2110.
62
An organization’s management perceives the need to make significant changes. Which of the following factors is management least likely to be able to change? a. The organization’s members. b. The organization’s structure. c. The organization’s environment. d. The organization’s technology.
c) a. Incorrect. Management is able to change the organization’s members. b. Incorrect. Management is able to change the organization’s structure. c. Correct. Environment is often determined by external forces outside the direct control of the organization. d. Incorrect. Management is able to change the organization’s technology.
63
All of the following are true statements as related to organizational governance except for: a. Governance is a set of independent processes and structures within an organization. b. Governance frameworks, models, and requirements vary according to organization type and jurisdiction. c. Effective governance within an organization is impacted by factors such as its size, complexity, and stakeholder structure. d. Governance structures are implemented by the board to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives.
a) a. Correct. According to the definition of Governance as stated in the IPPF Glossary: Governance is the combination of processes and structures. b. Incorrect. This is a true statement according to the Implementation Guide for Standard 2110. c. Incorrect. This is a true statement according to the Implementation Guide for Standard 2110. d. Incorrect. This is a true statement according to the IPPF definition of Governance.
64
In which of the following situations is the internal audit activity most likely to deliver added value to its organization? a. The board supports its verbal commitment to governance, risk management, and control with resources and direction. b. Historically, internal audit has refrained from forming relationships with other functional areas. c. The CAE has been with the organization less than one year but has significant knowledge of new, automated auditing techniques. d. Senior and line management are primarily interested in confirming the strength of existing controls.
a) a. Correct. For internal audit to add value to an organization, it must go beyond assessing present controls toward identifying root causes of problems and recommending solutions and changes. This will require support from the board and senior management in the form of example, resources, and direction. To add value, internal audit must have organizational knowledge and relationships. A new CAE would be less likely to have sufficient organizational and industry knowledge. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
65
An organization is changing to a quality assurance program that incorporates quality throughout the process. This is very different from its years of dependence on quality control at the end of the process. This type of change is a: a. Cultural change. b. Product change. c. Structural change. d. Organizational change.
a) a. Correct. This is a cultural change because it involves a change in attitudes and mindset. b. Incorrect. Product change is change in a product’s physical attributes and usefulness to customers. c. Incorrect. There is no change to systems and structures here. d. Incorrect. This is not an organizational change because it involves only quality assurance.
66
Company A has a formal corporate code of ethics while company B does not. The code of ethics covers such things as purchase agreement and relationships with vendors as well as many other issues to guide individual behavior within the company. Which of the following statements can be logically inferred? I. Company A exhibits a higher standard of ethical behavior than does company B. II. Company A has established objective criteria by which an employee’s actions can be evaluated. III. The absence of a formal corporate code of ethics in company B would prevent a successful audit of ethical behavior in that company. a. II only. b. III only. c. I and II only. d. II and III only.
a) II only I. Incorrect. The existence of a corporate code of ethics, by itself, does not ensure higher standards of ethical behavior. It must be complemented by follow-up policies and monitoring activities to ensure adherence to the code. II. Correct. A formalized corporate code of ethics presents objective criteria by which actions can be evaluated, and would thus serve as criteria against which activities could be evaluated. III. Incorrect. Standards that would influence individual actions can occur in places other than the corporate code of ethics. For example, there may be defined policies regarding purchasing activities that may serve the same purpose as a code of ethics. These policies also serve as criteria against which activities may be evaluated.
67
A review of an organizations’ code of conduct revealed that it contained comprehensive guidelines designed to inspire high levels of ethical behavior. The review also revealed that employees were knowledgeable of its provisions. However, some employees still did not comply with the code. What element should a code of conduct contain to enhance its effectiveness? a. Periodic review and acknowledgment by all employees. b. Employee involvement in its development. c. Public knowledge of its contents and purpose. d. Provisions for disciplinary action in the event of violations.
d) a. Incorrect. Periodic review and acknowledgment would ensure employee knowledge and acceptance of the code, which are not the issue. b. Incorrect. Employee involvement in development would encourage employee acceptance, which is not the issue. c. Incorrect. Public knowledge might affect the behavior of some individuals but not to the same extent as the perceived likelihood of sanctions for wrongdoing. d. Correct. Penalties for violations of a code of conduct should enhance its effectiveness. Some individuals will be deterred from misconduct if they expect it to be detected and punished.
68
The internal auditors must determine the applicable laws and regulations related to government grants and the related reporting requirements. Which of the following procedures would be the least effective in learning about the applicable laws and regulations? a. Make inquiries of the organization’s chief financial officer, legal counsel, or grant administrators. b. Review prior-year working papers and ask officials about changes. c. Review applicable grant agreements. d. Discuss the matter with the audit committee.
d) a. Incorrect. Making inquiries to these individuals are effective ways to learn about the applicable laws and regulations. b. Incorrect. This is an effective way to learn about the applicable laws and regulations. c. Incorrect. This is an effective way to learn about the applicable laws and regulations. d. Correct. Discussing the matter with the audit committee would not be helpful since they are not likely to know the applicable laws and regulations. The audit committee’s oversight activities do not provide specific expertise needed to help the internal auditors understand the applicable laws and regulations.
69
Which of the following actions best illustrates an organization’s commitment to corporate social responsibility (CSR)? a. Line managers are instructed to review and amend processes to align them with the organization’s CSR policy. b. CSR-related activities are reported only within the organization itself. c. CSR activities are audited only by third parties. d. The board of directors announces its adoption of the ISO framework on CSR.
a) a. Correct. Mere adoption of a CSR framework is not sufficient; an organization’s processes must be integrated into the framework. Results should be reported both within and outside the organization to meet the needs of various stakeholders, including regulatory groups. Internal audit may be involved in auditing the organization’s CSR programs, as long as it was not involved in creating the programs. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
70
The function of the chief risk officer (CRO) is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management of risk with the CAE. d. Monitors risk as part of the enterprise risk management team.
d) a. Incorrect. Senior management has an oversight role in risk management. b. Incorrect. The risk knowledge at the line level would be specific only to that area of the organization. c. Incorrect. The CAE is not responsible for managing risk. d. Correct. The chief risk officer is most effective when supported by a specific team with the necessary expertise and experience related to organizational risk.
71
Enterprise risk management: a. Guarantees achievement of organizational objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with negative impacts on organizational objectives. d. Includes selection of the best risk response for the organization.
c) a. Incorrect. Risk management processes cannot totally guarantee achievement of objectives. b. Incorrect. Involvement of internal auditors in establishing control activities would impair their independence and objectivity. c. Correct. This option falls within the framework of risk management. d. Incorrect. Enterprise risk management is concerned not with selecting the best risk response, but with selecting the risk response that falls within the enterprise’s risk appetite.
72
Which of the following represents the best risk assessment technique? a. Assessment of the risk levels for future events based on the extent of uncertainty of those events and their impact on achievement of long-term organizational goals. b. Assessment of inherent and control risks and their impact on the extent of financial misstatements. c. Assessment of the risk levels of current and future events, their effect on achievement of the organization’s objectives, and their underlying causes. d. Assessment of the risk levels of current and future events, their impact on the organization’s mission, and the potential for elimination of existing or possible risk factors.
c) a. Incorrect. This is not the best technique because it takes only a two-pronged approach to risk management (that is, event and impact). b. Incorrect. This is not the best technique because it does not take a comprehensive approach to risk management. c. Correct. This is the best response because it takes a comprehensive approach to risk management; it not only considers the event and the impact but also the causes. d. Incorrect. This option again takes a two-pronged approach and talks about elimination of risks instead of mitigation of risks.
73
In assessing organizational risk in a manufacturing environment, which of the following would have the most long-range impact on the organization? a. Production scheduling. b. Inventory policy. c. Product quality. d. Advertising budget.
c) a. Incorrect. This would seldom have a long-range impact. b. Incorrect. This would rarely be a long-range concern. c. Correct. This would be a long-range planning topic because it affects market positioning. d. Incorrect. This is certainly a concern, but it has less long-range impact than product quality.
74
A CAE is reviewing the following enterprise risk map: Remote Possible Likely Critical A B Major D Minor C Which of the following is the correct prioritization of risks considering limited resources in the internal audit activity? a. Risk B, Risk C, Risk A, Risk D. b. Risk A, Risk B, Risk C, Risk D. c. Risk D, Risk B, Risk C, Risk A. d. Risk B, Risk C, Risk D, Risk A.
c) a. Incorrect. Risk D would take precedence over risk A, as it has a higher probability of occurring despite the lower impact. b. Incorrect. This is the opposite of the correct order. c. Correct. This order ranks the risk by a combination of probability and impact. d. Incorrect. Risk D should be rated higher than risk C, due to probability and impact.
75
What is residual risk? a. Impact of risk. b. Risk that is under control. c. Risk that is not managed. d. Underlying risk in the environment.
c) a. Incorrect. The impact of risk is its consequence. b. Incorrect. Risk that is under control is managed risk. c. Correct. Residual risk is that risk left over after all controls and risk management techniques have been applied. d. Incorrect. The underlying risk is the absolute risk.
76
Nationalism, expropriation, and terrorism are best categorized as examples of: a. Economic risk. b. Political risk. c. Operational risk. d. Environmental risk.
b) a. Incorrect. Economic risk is the likelihood that economic mismanagement will cause changes in the country’s business environment that will hurt the profit and other goals of the company. b. Correct. Political risk is the likelihood that political forces will cause changes in the country’s business environment that will hurt the profit and other goals of the company. Nationalism, expropriation, and terrorism are all examples of political risk. c. Incorrect. Operational risk is uncertainty of nonfinancial events that may result in failure of the organization and related financial losses. d. Incorrect. Environmental risk is the uncertainty and severity of the impact of potential environmental hazards.
77
To minimize potential financial losses associated with physical assets, the assets should be insured in an amount that is: a. Supported by periodic appraisals. b. Determined by the board of directors. c. Automatically adjusted by an economic indicator such as the consumer price index. d. Equal to the book value of the individual assets.
a) a. Correct. The types and amounts of insurance should be supported by periodic appraisals. b. Incorrect. The determination of insurance coverage is not a function of the board of directors. c. Incorrect. The consumer price index generally does not provide an appropriate adjustment factor for fixed assets. d. Incorrect. Book values may not reflect the replacement or real value of an asset.
78
The activity of trading futures with the objective of reducing or controlling risk is called: a. Insuring. b. Hedging. c. Short-selling. d. Factoring.
b) a. Incorrect. Insuring is a risk management activity. b. Correct. Hedging is the use of future contracts to limit risk exposure on exchange rates. c. Incorrect. Short-selling refers to the sales of commodities or shares of stocks. d. Incorrect. Factoring applies to discounting of accounts receivable.
79
An internal audit team is performing a due diligence audit to assess plans for a potential merger/acquisition. Which of the following would be the least valid reason for a company to merge with or acquire another company? a. To diversify risk. b. To respond to government policy. c. To reduce labor costs. d. To increase stock prices.
d) a. Incorrect. Diversifying risk is a frequent reason for a company to merge with or acquire another company. b. Incorrect. Responding to government policy is a frequent reason for a company to merge with or acquire another company. c. Incorrect. Reducing labor costs is a frequent reason for a company to merge with or acquire another company. d. Correct. Increasing stock prices is not a frequent reason for a company to merge with or acquire another company because this effect could be achieved through other methods that directly benefit company performance.
80
According to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) enterprise risk management (ERM) model, the internal environment is the basis for all other components of ERM. All of the following are elements of an organization’s internal environment except: a. Setting organizational objectives. b. Establishing risk appetite. c. Assigning authority and responsibility. d. Having predominantly independent directors on the board.
a) a. Correct. Objective setting is one of the components of the eight interrelated components of the COSO ERM Model. The other components include: Internal Environment, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, and Monitoring. b. Incorrect. This is one of the elements of the internal environment. c. Incorrect. This is one of the elements of the internal environment. d. Incorrect. This is one of the elements of the internal environment.
81
The Three Lines of Defense model provides an effective way to enhance communications on risk management and control by clarifying essential roles and duties. According to this model, which of the following would be considered the first line of defense? a. Operating management. b. Senior management. c. Risk management function. d. Internal audit activity.
a) a. Correct. According to IIA Position Paper, Three Lines of Defense in Effective Risk Management and Control, operational management is the first line of defense. Operation management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. b. Incorrect. Senior management along with the governing bodies are the primary stakeholders served by the “lines.” c. Incorrect. The risk management and compliance functions operate as the second line of defense. The responsibility of this line is to help build and/or monitor the first line of defense controls to ensure that the first line is properly designed, in place, and operating as intended. d. Incorrect. The internal audit activity is the third line of defense providing comprehensive assurance to the governing body and senior management based on the highest level of independence and objectivity within the organization.
82
Under the Three Lines of Defense model, the purpose of the risk management and compliance functions within an organization can include all of the follow except: a. Maintaining effective internal controls. b. Identifying known and emerging risks. c. Providing guidance and training on risk management processes. d. Providing risk management frameworks.
a) a. Correct. According to IIA Position Paper, Three Lines of Defense in Effective Risk Management and Control, operating management (first line of defense) is responsible for maintaining effective internal controls. b. Incorrect. The functions of the second line of defense may vary. This would be one of the appropriate functions. c. Incorrect. The functions of the second line of defense may vary. This would be one of the appropriate functions. d. Incorrect. The functions of the second line of defense may vary. This would be one of the appropriate functions.
83
Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing governance, risk management, and control processes? a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives. b. To ensure that weaknesses in the internal control system are corrected. c. To provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically. d. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated.
c) a. Incorrect. This is a purpose of audit planning. b. Incorrect. Correcting control weaknesses is a function of management, not of the internal auditor. c. Correct. This is the purpose stated in the Definition of Internal Auditing. d. Incorrect. This is a basic objective from a financial accounting and auditing perspective, but it is not broad enough to cover the internal auditor’s entire purpose for review.
84
When conducting risk assessment in engagement planning and management has already created an assessment of risk as part of an enterprise risk management (ERM) framework, internal auditors should do which of the following related to this management assessment? a. Assess its reliability prior to adopting it. b. Adopt it without reservations to avoid duplication of effort. c. Avoid using it because adopting it would hinder independence and objectivity. d. Avoid using it because its objectives differ significantly from that of an audit risk assessment.
a) a. Correct. Practice Advisory 2210.A1-1, Risk Assessment in Engagement Planning, states that, “Internal auditors consider management’s assessment of risks relevant to the activity under review. The internal auditor also considers the reliability of management’s assessment of risk…” b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
85
According to the Standards, what is the role of internal audit as it relates to risk management? a. Determine the risk appetite of the organization. b. Evaluate the effectiveness of the risk management process. c. Communicate relevant risk information to the appropriate people within the organization. d. Identify and assess significant risks within the organization.
b) a. Incorrect. According to Standard 2120 – Risk Management, this is one of the areas that internal audit would assess in determining the effectiveness of risk management processes. b. Correct. According to Standard 2120, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
86
Which of the following roles within the risk management framework might properly belong to the internal audit function, depending on the organization? a. Managing and coordinating the risk management process. b. Setting the organization’s risk appetite. c. Directing the IT function to implement specific risk controls. d. Championing risk controls even though they may not be cost-effective.
a) a. Correct. Internal audit’s involvement in the organization’s risk management framework may range from non-involvement to the full involvement implied in managing and coordinating the risk management process. Even this role, however, does not allow internal audit to perform managerial responsibilities in this area, such as setting the organization’s risk appetite or implementation control strategies. Cost-effectiveness should be a major consideration in selecting controls. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
87
The requirement that purchases be made from suppliers on an approved vendor list is an example of a: a. Preventive control. b. Detective control. c. Corrective control. d. Monitoring control.
a) a. Correct. Preventive controls are actions taken before the occurrence of transactions with the intent of stopping errors from occurring. Use of an approved vendor list is a control to prevent the use of unacceptable suppliers. b. Incorrect. A detective control is a control that identifies errors after they have occurred. c. Incorrect. Corrective controls correct the problems identified by detective controls. d. Incorrect. Monitoring controls are designed to ensure the quality of the control system’s performance over time.
88
An internal auditor’s organization allows programmers to make minor fixes to software applications without performing regression testing to ensure that changes have corrected problems without introducing new ones due to shortages in staff required to perform these procedures. The auditor’s review of records shows that some minor fixes in the past have introduced new errors, and some of these resulted in customer complaints. At which level is this control failure occurring? a. Entity-level management-oversight controls. b. Entity-level governance controls. c. Process-level controls. d. Transaction-level controls.
a) a. Correct. Entity-level controls at the management-oversight level include IT general controls related to testing standards. These are not entity-level governance controls because those provide oversight at a higher level, such as setting a privacy policy. Testing standards are neither process-level nor transaction-level controls because testing standards can be applied to most if not all information systems in general, which is part of the definition of IT general controls. b. Incorrect. See answer “a.” c. Incorrect. See answer “a.” d. Incorrect. See answer “a.”
89
A password is an example of: a. A physical control. b. An edit control. c. A digital control. d. An access control.
d) a. Incorrect. Physical controls limit access to an area and do not include passwords. b. Incorrect. Edit controls test the validity of data. c. Incorrect. Digital controls are examples of physical controls. d. Correct. Passwords are a form of access controls because they limit access to computer systems and the information stored on them.
90
The marketing department for a major retailer assigns separate product managers for each product line. Product managers are responsible for ordering products and determining retail pricing. Each product manager’s purchasing budget is set by the marketing manager. Products are delivered to a central distribution center where goods are segregated for distribution to the company’s 52 department stores. Because receipts are recorded at the distribution center, the company does not maintain a receiving function at each store. Product managers are evaluated on a combination of sales and gross profit generated from their product lines. Many products are seasonal and individual store managers can require that seasonal products be removed to make space for the next season’s products. Which of the following is a control deficiency in this situation? a. The store manager can require items to be removed, thus affecting the potential performance evaluation of individual product managers. b. The product manager negotiates the purchase price and sets the selling price. c. Evaluating product managers by total gross profit generated by product line will lead to dysfunctional behavior. d. There is no receiving function located at individual stores.
d) a. Incorrect. Goods are seasonal and store space is limited. This constraint is consistent with maximizing revenue and profitability for the organization. b. Incorrect. The product manager is evaluated based on sales and gross profit; thus, there is no conflict with performing both of these duties. c. Incorrect. Evaluating the product managers on gross profit and budgeted sales attaches responsibility to the manager. d. Correct. There is the possibility that goods could be diverted from the distribution center and not delivered to the appropriate retail store.
91
The marketing department for a major retailer assigns separate product managers for each product line. Product managers are responsible for ordering products and determining retail pricing. Each product manager’s purchasing budget is set by the marketing manager. Products are delivered to a central distribution center where goods are segregated for distribution to the company’s 52 department stores. Because receipts are recorded at the distribution center, the company does not maintain a receiving function at each store. Product managers are evaluated on a combination of sales and gross profit generated from their product lines. Many products are seasonal and individual store managers can require that seasonal products be removed to make space for the next season’s products. Requests for purchases beyond those initially budgeted must be approved by the marketing manager. This procedure: I. Should provide for the most efficient allocation of scarce organizational resources. II. Is a detective control procedure. III. Is unnecessary because each product manager is evaluated on profit generated. a. I only. b. III only. c. II and III only. d. I, II, and III.
a) I only I. Correct. The organization has two scarce resources to allocate: (a) its purchasing budget (constrained by financing ability), and (b) space available in retail stores. Thus, there is a need for a mechanism to allocate these two scarce resources to maximize the overall return to the organization. This is the proper mechanism. II. Incorrect. This is a preventive control, not a detective control. III. Incorrect. The gross profit evaluation is effective in evaluating the manager but does not address the two major constraints identified in statement I.
92
All of the following would be part of a factory’s control system to prevent release of wastewater that does not meet discharge standards except: a. Performing chemical analysis of the water before discharge for components specified in the permit. b. Specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks and floor drains within the factory. c. Periodically flushing sinks and floor drains with a large volume of clean water to ensure pollutants are sufficiently diluted. d. Establishing a preventive maintenance program for the factory’s pretreatment system.
93
The control that would most likely ensure that payroll checks are written only for authorized amounts is to: 1. Conduct periodic floor verification of employees on the payroll. 2. Require the return of undelivered checks to the cashier. 3. Require supervisory approval of employee timecards. 4. Periodically witness the distribution of payroll checks.
94
Which of the following controls would prevent the ordering of quantities in excess of an organization’s needs? a. Review of all purchase requisitions by a supervisor in the user department before submitting them to the purchasing department. b. Automatic reorder by the purchasing department when low inventory level is indicated by the system. c. A policy requiring review of the purchase orders before receiving a new shipment. d. A policy requiring agreement of the receiving report and packing slip before storage of new receipts.
95
Which of the following observations by an auditor is most likely to indicate the existence of control weaknesses over safeguarding of assets? I. A service department location is not well suited to allow for adequate service to other units. II. Employees hired for sensitive positions are not subjected to background checks. III. Managers do not have access to reports that profile overall performance in relation to other benchmarked organizations. IV. Management has not taken corrective action to resolve past engagement observations related to inventory controls. a. I and II only. b. I and IV only. c. II and III only. d. II and IV only.
96
A control likely to prevent purchasing agents from favoring specific suppliers is: a. Requiring management’s review of a monthly report of the total spent by each buyer. b. Requiring buyers to adhere to detailed material specifications. c. Rotating buyer assignments periodically. d. Monitoring the number of orders placed by each buyer.
97
Which of the following would minimize defects in finished goods caused by poor quality raw materials? a. Documented procedures for the proper handling of work-in-process inventory. b. Required material specifications for all purchases. c. Timely follow-up on all unfavorable usage variances. d. Determination of the amount of spoilage at the end of the manufacturing process.
98
Appropriate internal control for a multinational corporation’s branch office that has a monetary transfer unit requires that: a. The individual who initiates wire transfers not reconcile the bank statement. b. The branch manager receives all wire transfers. c. Foreign currency rates are computed separately by two different employees. d. Corporate management approves the hiring of monetary transfer unit employees.
99
Which of the following hiring procedures provides the most control over the accuracy of information submitted on an employment application? a. Applicants are required to submit unofficial copies of their transcripts along with the application as verification of their educational credentials. b. The hiring organization calls the last place of employment for each finalist to verify the employment length and position held. c. Letters of recommendation that attest to the applicant’s character must be mailed directly to the hiring organization rather than being submitted by the applicant. d. Applicants are required to sign that the information on the application is true and correct as a confirmation of the truth of the information in the application.
100
Several years ago a senior member in the accounting area developed a software application that automates a simple, yet time-saving task. Over time, the application has been adopted by other users in accounting, and these other users have encouraged the original author to maintain the application, adapting it as needed when new systems are introduced. Which of the following controls for this situation would be most effective and efficient? a. Ensure complete, accurate, and updated documentation of the application. b. Recommend that the application be replaced by a commercially developed product. c. Recommend policy changes that freeze further adoption and work on the software. d. Analyze the application to ensure that it is, in fact, the most efficient solution to the work problem.
101
Which of the following factors is least essential to a successful control self-assessment workshop? a. Voting technology. b. Facilitation training. c. Prior planning. d. Group dynamics.
102
Which phrase best describes a control-based control self-assessment process? a. Evaluating, updating, and streamlining selected control processes. b. Examining how well controls are working in managing key risks. c. Analyzing the gap between control design and control frameworks. d. Determining the cost-effectiveness of controls.
103
An adequate system of internal controls is most likely to detect an irregularity perpetrated by a: a. Group of employees in collusion. b. Single employee. c. Group of managers in collusion. d. Single manager.
104
Which of the following would not be considered a condition that indicates a higher likelihood of fraud? a. Management has delegated the authority to make purchases under a certain dollar limit to subordinates. b. An individual has held the same cash-handling job for an extended period without any rotation of duties. c. An individual handling marketable securities is responsible for making the purchases, recording the purchases, and reporting any discrepancies and gains or losses to senior management. d. The assignment of responsibility and accountability in the accounts receivable department is not clear.
105
Which of the following best describes an auditor’s responsibility after noting some indicators of fraud? a. Expand activities to determine whether an investigation is warranted. b. Report the possibility of fraud to senior management and ask how to proceed. c. Consult with external legal counsel to determine the course of action to be taken. d. Report the matter to the audit committee and request funding for outside specialists to help investigate the possible fraud.
106
If internal auditors know the definition of fraud from the Standards as well as the definition from “Managing the Business Risk of Fraud, A Practical Guide” by The IIA, American Institute of Certified Public Accountants (AICPA), and Association of Certified Fraud Examiners (ACFE), what else is needed to understand fraud? a. The legal definition of fraud in relevant jurisdictions. b. Nothing else is needed; they are in conformance with the Standards for understanding fraud. c. Formal training in fraud investigations to develop the necessary expertise. d. Sufficient knowledge of fraud to declare when fraud is occurring.
107
The most common motivation for management fraud is the existence of: a. Vices, such as a gambling habit. b. Job dissatisfaction. c. Financial pressures on the organization. d. The challenge of committing the perfect crime.
108
Which of the following is most likely to be considered an indication of possible fraud? a. The replacement of the management team after a hostile takeover. b. Rapid turnover of the organization’s financial executives. c. Rapid expansion into new markets. d. A government audit of the organization’s tax returns.
109
Which of the following would indicate that fraud may be taking place in a marketing department? a. There is no documentation for some large expenditures made to a new vendor. b. A manager appears to be living a lifestyle that is in excess of what could be provided by a marketing manager’s salary. c. The control environment can best be described as “very loose.” However, this attitude is justified by management on the grounds that it is needed for creativity. d. All of the above.
110
The manager of a production line has the authority to order and receive replacement parts for all machinery that require periodic maintenance. The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier and the money was divided between the manager and the family member. Which of the following tests would best assist the auditor in deciding whether to investigate this anonymous tip further? 1. Comparison of the current quarter’s maintenance expense with prior-period activity. 2. Physical inventory testing of replacement parts for existence and valuation. 3. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items replaced. 4. Review of a test sample of parts invoices for proper authorization and receipt.
111
The manager of a production line has the authority to order and receive replacement parts for all machinery that require periodic maintenance. The internal auditor received an anonymous tip that the manager ordered substantially more parts than were necessary from a family member in the parts supply business. The unneeded parts were never delivered. Instead, the manager processed receiving documents and charged the parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier and the money was divided between the manager and the family member. Which of the following internal controls would have most likely prevented this fraud from occurring? a. Establishing predefined spending levels for all vendors during the bidding process. b. Segregating the receiving function from the authorization of parts purchases. c. Comparing the bill of lading for replacement parts to the approved purchase order. d. Using the company’s inventory system to match quantities requested with quantities received.
112
Which of the following control procedures would be the least effective in preventing frauds in which purchase orders are issued to fictitious vendors? a. Require that all purchases be made from an authorized vendor list maintained independently of the individual placing the purchase order. b. Require that only preapproved vendors be paid for purchases, based on actual production. c. Require contracts with all major vendors from whom production components are purchased. d. Require that total purchases from all vendors for a month not exceed the total budgeted purchases for that month.
113
An auditor for a major retail company suspects that inventory fraud is occurring at three stores that have high cost of goods sold. Which of the following audit activities would provide the most persuasive evidence that fraud is occurring? a. Use an integrated test facility (ITF) to compare individual sales transactions with test transactions submitted through the ITF. Investigate all differences. b. Interview the three individual store managers to determine if their explanations about the observed differences are the same, and then compare their explanations to that of the section manager. c. Schedule a surprise inventory audit to include a physical inventory. Investigate areas of inventory shrinkage. d. Select a sample of individual store prices and compare them with the sales entered on the cash register for the same items.
114
Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset? a. Debit expenses and credit the asset. b. Debit the asset and credit another asset account. c. Debit revenue and credit the asset. d. Debit another asset account and credit the asset.
115
Questions used to interrogate individuals suspected of fraud should: a. Adhere to a predetermined order. b. Cover more than one subject or topic. c. Move from the general to the specific. d. Direct the individual to a desired answer.
116
If an internal auditor is interviewing three individuals, one of whom is suspected of committing a fraud, which of the following is the least effective approach? a. Ask each individual to prepare a written statement explaining his or her actions. b. Take the role of one seeking the truth. c. Listen carefully to what each interviewee has to say. d. Attempt to get the suspected individual to confess.
117
When interviewing an individual suspected of a fraud, the interviewer should: a. Ensure the suspect’s supervisor is present during the interview. b. Lock the door to ensure no one will interrupt the interview. c. Pay attention to the wording choices of the suspect. d. Ask if the suspect committed the fraud.
118
A CAE suspects that several employees have used desktop computers for personal gain. In conducting an investigation, the primary reason that the CAE chose to engage a forensic information systems auditor rather than using the organization’s information systems auditor is that a forensic information systems auditor would possess: a. Knowledge of the computing system that would enable a more comprehensive assessment of the computer use and abuse. b. Knowledge of what constitutes evidence acceptable in a court of law. c. Superior analytical skills that would facilitate the identification of computer abuse. d. Superior documentation and organization skills that would facilitate in the presentation of findings to senior management and the board.
119
When using a rational decision-making process, the next step after defining the problem is: a. Developing alternative solutions. b. Identifying acceptable levels of risk. c. Recognizing the gap between reality and expectations. d. Confirming hypotheses.
120
Which of the following is the best approach for obtaining feedback from engagement clients on the quality of internal audit work? a. Ask questions during the exit interviews and send copies of the documented responses to the clients. b. Call engagement clients after the exit interviews and send copies of the documented responses to the clients. c. Distribute questionnaires to selected engagement clients shortly before preparing the internal audit annual activity report. d. Provide questionnaires to engagement clients at the beginning of each engagement and request that the clients complete and return them after the engagements.
121
An auditor is considering developing a questionnaire to research employee attitudes toward control procedures. Which of the following represents the least important criteria in designing the questionnaire? a. Questions should be worded to ensure a valid interpretation by the respondents. b. Questions should be reliably worded so that they measure what was intended to be measured. c. The length of the questionnaire should be minimized to increase the response rate. d. Questions should be worded such that a “No” answer indicates a problem.
122
Determining that engagement objectives have been met is ultimately the responsibility of the: a. Internal auditor. b. Audit committee. c. Internal audit supervisor. d. CAE.
123
According to the International Professional Practices Framework, which of the following is part of the minimum requirements for an engagement final communication? I. Background information. II. Objectives of the engagement. III. Engagement scope. IV. Results of the engagement. V. Summaries. a. I, II, and III only. b. I, III, and V only. c. II, III, and IV only. d. II, IV, and V only.
124
When determining staffing to be assigned to an audit, the internal audit director should consider all of the following except: a. Training needs of internal auditors. b. Time since the last audit of the area. c. Available audit staff. d. Complexity of the audit assignment.
125
One of the challenges of enterprise risk management (ERM) in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b. Employees in these structures are inherently less risk averse. c. Managers have less incentive to implement and monitor controls. d. Effective controls are more difficult to design and consistent application is more difficult to achieve across the organization.

Certified Internal Auditor (3 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions