Quiz deck Flashcards by Milla Tulonen

You are an internal auditor working with colleagues in a new start-up technology company launched by a venture capitalist partnership. The company has been in existence for just four months and governance, risk management and internal control frameworks are evolving.

Your chief audit executive (CAE) wants to help accelerate development of the company’s risk management framework and enhance its risk management maturity. To this end, your CAE wants you to organise and facilitate several risk identification and assessment workshops with different teams across the sales department.

You would typically expect to undertake risk workshop facilitation in which of the following types of internal audit engagements?

Select one:
A. Assurance
B. Compliance
C. Consulting

Consulting

How well did you know this?

Not at all

Perfectly

Seema knew very little about IT but thought it was an interesting area to learn about so she persuaded her manager to assign her an IT security audit to conduct on her own.

Which of the principles from the Code of Ethics is most likely to be breached in this situation?

Select one:
A. Integrity
B. Objectivity
C. Competency

C. Competency

How well did you know this?

Not at all

Perfectly

Which elements of the International Professional Practices Framework (IPPF) (2017 version) form part of mandatory guidance?

Select one:
A. Mission Statement, Core Principles, Definition, Code of Ethics, Standards, Implementation Guidance
B. Core Principles, Definition, Mission Statement, Code of Ethics, Standards
C. Code of Ethics, Core Principles, Definition, Standards

C. Code of Ethics, Core Principles, Definition, Standards

How well did you know this?

Not at all

Perfectly

Which of the following are typical consultancy engagements for the internal audit function?

Reviewing the risk management process
Control risk self assessment workshops
Project advice
Risk and control education seminars

Select one:
A. 1, 2 and 3
B. 2, 3 and 4
C. 1, 2, 3 and 4

B. 2, 3 and 4

How well did you know this?

Not at all

Perfectly

Which of the following would be good key indicators to support an internal audit activity’s demonstration of conformance with Core Principle 2?

The internal audit activity is provided solely by an in-house team with no supplementation from other source
The average number of hours training completed per internal auditor during each year
Percentage of team who have earned certifications or designations

Select one:
A. 1 and 2
B. 2 and 3
C. 1, 2 and 3

B. 2 and 3

How well did you know this?

Not at all

Perfectly

If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, which of the following is true?

Select one:
A. The proposed consulting engagement must be refused
B. The proposed consulting engagement can only be undertaken by another internal auditor who does not have any impairments
C. Disclosure must be made to the engagement client prior to accepting the engagement

C. Disclosure must be made to the engagement client prior to accepting the engagement

How well did you know this?

Not at all

Perfectly

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles must be present and operating effectively.

You are an internal auditor in a global entertainments company. Your internal audit department has recently had an external quality assessment (EQA). The review concluded that the internal audit department generally conformed to the IPPF as a whole, but faced some challenges in the area of cyber security and data analytics expertise.

The EQA team felt that this issue most affected the internal audit department’s demonstration of which Core Principle?

Select one:
A. Is appropriately positioned and adequately resourced
B. Demonstrates competence and due professional care
C. Promotes organisational improvement

B. Demonstrates competence and due professional care

How well did you know this?

Not at all

Perfectly

You are about to undertake a post-audit lessons learned brainstorm with a more junior colleague whom you worked with on a recently completed assurance engagement of debt management risk.

You are considering what competencies this assurance engagement allowed you to demonstrate.

Which of the following are valid knowledge areas within the Internal Audit Competency Framework:

Conduct
Environment
Execution
Leadership and Communication
Performance
Professionalism

Select one:
A. 1, 2, 4 and 6
B. 2, 4, 5 and 6
C. 1, 2, 3 and 6

B. 2, 4, 5 and 6

How well did you know this?

Not at all

Perfectly

What should internal audit aspire to deliver according to the IIA Mission Statement?

Select one:
A. Advice, assurance and insight
B. Advice, assurance and knowlege
C. Assurance, insight and objectivity

A. Advice, assurance and insight

How well did you know this?

Not at all

Perfectly

Which of the following would be good key indicators to support an internal audit activity’s demonstration of conformance with Core Principle 1?

No cases of disciplinary action against internal auditors relating to violations of the IIA Code of Ethics
Completion of the annual internal audit plan within the agreed budget
Internal audit team members have completed training in ethics

Select one:
A. 1 and 2
B. 1 and 3
C. 1, 2 and 3

B. 1 and 3

How well did you know this?

Not at all

Perfectly

Which action by you as an internal auditor is likely to be a violation of the IIA Code of Ethics?

Select one:
A. Accepting a small gift for your birthday from an audit client
B. Being a paid lecturer in internal auditing at a university
C. Owning and buying shares in the organisation you work for

A. Accepting a small gift for your birthday from an audit client

How well did you know this?

Not at all

Perfectly

Which of the following provide appropriate support for an internal audit activities demonstration of conformance with Core Principle 3?

Functional reporting to the board (or audit committee) is defined in the internal audit charter
When developing periodic plans, the chief audit executive does not consider the views of senior management
Internal auditors do not provide assurance over areas for which they previously had responsibility

Select one:
A. 1 and 2
B. 1 and 3
C. 1, 2 and 3

B. 1 and 3

How well did you know this?

Not at all

Perfectly

The Core Principles, taken as a whole articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles must be present and operating effectively.
The Core Principles apply to:

Select one:
A. internal audit functions and audit committees
B. internal audit functions and internal auditors
C. all audit functions, whether internal audit or external audit

B. internal audit functions and internal auditors

How well did you know this?

Not at all

Perfectly

You have been assisting your audit manager with the induction of a group of new entrants to your internal audit team. You have briefed them on the IPPF and its component parts. At the end of the day, one of the new entrants approaches you and says that they are struggling to remember a key reason for the Mission Statement to the IPPF.

You explain that a key reason for the Mission Statement is to:

Select one:
A. describe internal audit’s primary purpose and overarching goal
B. provide a clear, comprehensive and extensive description of what internal audit aspires to achieve within organisations
C. set out internal audit’s role in providing risk-based and objective assurance, advice and insight

A. describe internal audit’s primary purpose and overarching goal

How well did you know this?

Not at all

Perfectly

Which Standards address the characteristics of the organisations and individuals performing internal auditing services?

Select one:
A. Attribute Standards
B. Performance Standards
C. Attribute and Performance Standards

A. Attribute Standards

How well did you know this?

Not at all

Perfectly

An internet banking organisation has a high level of risk management maturity and is considered to have an ‘embedded’ approach to risk management.

Who is likely to provide the primary source of assurance that the risk management process is fit for purpose and financial risks are being managed in line with the board’s defined risk appetite?

Select one:
A. Audit committee
B. Executive management
C. Risk committee

B. Executive management

How well did you know this?

Not at all

Perfectly

What type of controls are risk management policies, risk management guidance and on-the-job risk training?

Select one:
A. Corrective
B. Directive
C. Preventive

B. Directive

How well did you know this?

Not at all

Perfectly

What should internal auditors do if significant control weaknesses are detected during an internal audit engagement and suspects that this is a red flag indicator that fraud has taken place?

Investigate other potential red flags which might suggest that fraudulent activity has taken place
Immediately commence a fraud investigation to ensure that no further damage is inflicted on the organisation
Approach the suspected perpetrators to alert them that an investigation is likely
Notify the appropriate authorities

Select one:
A. 1 and 2 only
B. 1, 2 and 3
C. 1 and 4 only

C. 1 and 4 only

How well did you know this?

Not at all

Perfectly

Which of the following are preventive controls?

Bank reconciliations
Exception reports
Obtaining and checking references for job applicants
Locks on doors

Select one:
A. 1 and 2
B. 2 and 3
C. 3 and 4

C. 3 and 4

How well did you know this?

Not at all

Perfectly

Which category of objectives within the COSO Internal Control Integrated Framework stipulates that in order to achieve its objectives an organisation should act in accordance with legislation?

Select one:
A. Compliance
B. Operations
C. Reporting

A. Compliance

How well did you know this?

Not at all

Perfectly

An internal auditor is conducting a review of a small accounting activity. After reviewing a number of transactions, she begins to suspect fraud is taking place in the accounts payable system. She makes some additional inquiries before escalating her findings.

Which of the following items that the internal auditor found can be categorised as ‘opportunities’ in the fraud triangle?

Select one:
A. Employee X, who is responsible for accounts payables, has only been taking short vacations of two or three consecutive days in the last year
B. The activity’s policies regarding vacations do not stipulate the minimum number of consecutive days employees should take for at least one of their annual vacations
C. Human resources has reprimanded employee X twice in the last six month for accessing online gambling sites from his work computer

B. The activity’s policies regarding vacations do not stipulate the minimum number of consecutive days employees should take for at least one of their annual vacations

How well did you know this?

Not at all

Perfectly

You have recently been appointed to a newly created risk officer role within a global organisation. The chief executive officer has tasked you with implementing a new enterprise-wide risk management framework. You meet with the chief audit executive to discuss internal audit’s role within the organisation.

Which of the following activities should internal audit not undertake in relation to the risk management framework?

Select one:
A. Using risk management techniques to implement internal auditing practices
B. Assessing identified risks and making decisions on risk response activities
C. Providing assurance on the effectiveness of the risk management framework, once implemented
D. Facilitating workshops with management to help the implementation of the framework

B. Assessing identified risks and making decisions on risk response activities

How well did you know this?

Not at all

Perfectly

A bank has an automated system for identifying accounts that have been inactive for a particular period of time.
What type of control is this?

Select one:
A. Corrective
B. Detective
C. Preventive

B. Detective

How well did you know this?

Not at all

Perfectly

King IV defines corporate governance as the exercise of ethical and effective leadership by the governing body towards the achievement of four governance outcomes.

Which are governance outcomes as set out in King IV?

Ethical culture
Good performance
Effective risk management
Legitimacy

Select one:
A. 1, 2 and 3 only
B. 1, 2 and 4 only
C. 1, 2, 3 and 4

B. 1, 2 and 4 only

How well did you know this?

Not at all

Perfectly

Which statement about risk is true? Select one: A. A problem or hazard which cannot affect the organisation's objectives is still a risk relevant to that organisation B. Risk appetite should only be set in relation to the organisation as a whole C. Multiplying the impact by the probability allows a single expected value of risk to be calculated

C. Multiplying the impact by the probability allows a single expected value of risk to be calculated

One of the strategic objectives of a fashion brand is to use only organic cotton in its cotton garments by 2020. During a strategic review, the brand finds that there is a potential long-term shortage of organic cotton putting its achievement of this strategic objective in jeopardy. The brand’s response is to work directly with its suppliers and support international NGOs to improve global organic cotton production. What type of risk response does this represent? Select one: A. Accept B. Reduce C. Share

B. Reduce

Which is the definition of risk assessment? Select one: A. The overall process of risk identification, risk analysis and risk evaluation. B. The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences. C. The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

A. The overall process of risk identification, risk analysis and risk evaluation.

What is inherent or gross risk? Select one: A. Status of risk that an organisation may face through the inadequate design or operation of its risk (treatment) responses. B. Status of risk taking into account any risk response that the organisation may already have in place. C. Status of risk without taking into account any risk response that the organisation may already have in place.

C. Status of risk without taking into account any risk response that the organisation may already have in place.

An internal auditor collects the following information during an engagement: • senior management’s statements on internal control • the organisation’s code of ethics • recruitment, induction and training policies • reporting lines Which component of internal control is being assessed? Select one: A. Control activities B. Control environment C. Risk assessment

B. Control environment

An airline improved their maintenance procedure to reduce the risk of accidents. However, there is still risk remaining in the process including a chance of human error such as skipping steps in the procedure. What is this remaining risk called? Select one: A. Control risk B. Inherent risk C. Residual risk

C. Residual risk

True or false? If our preliminary survey is ineffective, this increases the risk of an internal audit engagement that is poorly planned, poorly delivered and fails to add the value it should.

True.

Implementation Guide 2201 states: A preliminary survey could be a valuable tool to help internal auditors achieve a ____________________ of the area or process to be audited. What are the missing words? 1. sufficient understanding 2. comprehensive overview 3. risk-based assessment 4. walk-through

1. Sufficient understanding

True or false? There is a single way to successfully undertake a preliminary survey.

False. As with many aspects of internal auditing, there is no single way to successfully undertake a preliminary survey. These will vary depending upon the type, nature and complexity of the engagement

In a preliminary survey we select one or two transactions and follow them through the system, comparing how it works in practice to the existing documentation - procedure manuals, instructions, flowcharts - or to the results of discussions with the people involved. What is this process called? A. Process map B. Walk-through C. Observation D. Tick and turn

B. Walk-through

True or false? Engagement objectives and the scope are important to establish for many of the consultancy engagements we may agree to undertake.

True. Keyword - many, not all.

The IPPF defines engagement objectives as: ___________ developed by internal auditors that define intended engagement accomplishments. What are the missing words? A. broad statements B. derived from the scope C. evaluation criteria D. specific targets

A. broad statements

True or false? The engagement objectives should help us answer the question ‘what are the boundaries of the audit?’

False. That's the scope. Objectives help us answer "why are we auditing this activity?"

A clear engagement scope will help determine the boundaries of the internal audit engagement. It ought to clarify what activities we will examine during the engagement and: A. evaluation criteria B. exclusions C. key performance indicators D. objectives

B. exclusions

True or false? There is no set format for an internal audit checklist and it is largely down to individual preference how these are designed.

True.

What can checklists be helpful for? A. Supporting administrative tasks, such as recording meeting bookings, organising travel arrangements and recording responses received to emails, questionnaires or surveys etc. B. Ensuring important activity or steps in the internal audit engagement does not get forgotten! C. Ensuring consistency across the internal audit team in how certain key activities, such as engagement planning, testing and reporting are managed, controlled and reviewed. D. Communicating engagement scope to the audit committee, board or regulator. E. Recording questions that we ask in internal audit interviews and the responses received from our interviewees.

A, B, C and E. We don't use checklists to communicate scope.

True or False? A key benefit of risk and control questionnaires is that they are relatively quick and easy to employ.

True.

What does the abbreviation ICQ' stand for? A. Interim Control Questions B. Internal Consulting Quiz C. Independent Compliance Query D. Internal Control Questionnaire

D. Internal Control Questionnaire It is a variation on the risk and control questionnaire.

True or false? A risk assessment is only for assurance engagements.

False, it is for both assurance and consultancy.

According to Standard 2210: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with: A. management requests B. the organisation’s goals C. regulatory guidance

B. the organisation’s goals

True or false? An internal auditor creates a risk assessment for an upcoming engagement. Although he or she knows that the risk function recently produced a risk assessment for the exact same area, and that the chief audit executive used this assessment in creating the audit plan, the internal auditor cannot use it when creating his or her own assessment.

False, you can and should draw on any reliable, relevant risk assessments available from other assurance providers.

According to Standard 2230, the information used in and retained for an audit engagement must be _________________________ in order to draw sound conclusions. Which words are missing? A. represented in a heat map B. derived solely from internal sources C. sufficient, reliable, relevant, and useful

C. sufficient, reliable, relevant, and useful

True or false? If you have created a risk assessment, you do not need a risk and control matrix.

False. The risk assessment is essential but not sufficient. You must carry it through to your risk and control assessment or matrix in order to conduct your engagement.

True or false? The engagement work program is the same thing as the terms of reference.

False.

A chief audit executive sees that a high-priority assurance engagement requires rare specialist skills, unavailable in the internal audit team, the wider organisation or any co-sourced partners. The chief audit executive decides to use a renowned specialist to advise the team and help with testing for the duration of the audit. The chief audit executive mentions this in both the ToR and the engagement work program. Is the chief audit executive justified in doing this?

Yes.

Complete Standard 2200: Internal auditors must develop and document a plan for each engagement, including the engagement’s: A. unique reference number B. objectives, scope, timing, and resource allocations C. likely conclusions

B. objectives, scope, timing, and resource allocations

True or false? According to Standard 2240, both assurance and consultancy engagements require exactly the same type of plan and approval.

False.

True or false? Once created and approved, an engagement work program cannot be changed.

False.

True or false? A ToR is only necessary for assurance engagements.

False. A ToR is standard for both assurance and consultancy engagements.

Implementation Guide 2210 states: It is important for internal auditors to attain a thorough understanding of the _________________________ of the area or process under review, as well as its inputs and outputs. What words are missing? A. organisation chart and salary bands B. strategies, mission, and objectives C. senior managers

B. strategies, mission, and objectives

True or false? An internal auditor discovers a serious breach of Group policy, which could lead to significant financial loss and reputational damage to the organisation. However, it does not directly relate to the areas outlined in the scope section of the ToR so the internal auditor cannot mention or document it.

False. The internal auditor should notify the team leader immediately, so that internal audit can discuss with senior management how to document and resolve the problem.

Implementation Guide 2220 states: It is important for internal auditors to carefully consider the ________________________, as the scope must cover enough breadth to achieve the engagement objectives. What words are missing? A. boundaries of the engagement B. cost of the engagement C. sensitivities of senior managers

A. boundaries of the engagement

True or false? A planning memo is the draft version of the ToR.

False. The terms can be interchangeable; they refer to the same thing.

You are delivering on the job training to your internal audit team’s two new apprentices. You are covering the steps and stages in a risk based internal audit engagement and are discussing how to draw up an engagement plan. You explain that establishing a clear scope for the engagement is part of this process. You explain to the apprentices that the audit scope answers the following question(s): ``` What will we review? Why are we auditing this activity? What are the boundaries of the audit? How will we perform this audit engagement? Select one: ``` A. 1 and 2 B. 1 and 3 C. 3 and 4

B. 1 and 3

What are checklist helpful for? Supporting administrative tasks, such as recording meeting bookings, organising travel arrangements and recording responses received to emails, questionnaires or surveys etc Ensuring important activity or steps in the internal audit engagement do not get forgotten Ensuring consistency across the internal audit team in how certain key activities, such as engagement planning, testing and reporting are managed, controlled and reviewed Communicating engagement scope to the audit committee, board or regulator Recording questions that we ask in internal audit interviews and the responses received from our interviewees.

C. 1, 2, 3 and 5

Which of the following is an example of an engagement objective? Select one: A. Evaluate the timely payment of salaries and deductions based on mitigation of risks, adequacy of controls and compliance with financial policies and procedures B. Fulfill obligations to pay tax and salary related deductions to appropriate authorities in an accurate and timely way and in compliance with financial policies and procedures C. Implementing a system of internal control questionnaires to ensure appropriate controls are in place to maintain a robust system for salary payments

A. Evaluate the timely payment of salaries and deductions based on mitigation of risks, adequacy of controls and compliance with financial policies and procedures

You are an internal auditor working in a large, multinational insurance company and are undertaking an internal audit assurance engagement. This engagement is focused on your organisation's overarching internal control arrangements. You have decided to use the COSO Internal Control – Integrated Framework as the best practice that you will compare your organisation's approach with. As part of the scope of your engagement, you are considering the organisation's policies and procedures that help ensure that management directives are carried out. What element of the COSO Internal Control – Integrated Framework do these form a key component of? Select one: A. Control activities B. Control environment C. Information and communication

A. | Control activities

What is the process of describing and agreeing the boundaries of the work to be carried out during an engagement called? Select one: A. Objective-setting B. Resourcing C. Scoping

C. | Scoping

Which of the following is not required to be documented in an internal audit engagement plan? Select one: A. Objectives and scope of the engagement B. Resource allocation C. Sample sizes to be used

C. | Sample sizes to be used

A financial operational objective of an organisation is to minimise costs. Which of the following engagement objectives would best help an internal auditor determine how well this operating objective is being achieved? Select one: A. Evaluate controls are in place to ensure that policies in respect of entertainment expenses are followed B. Evaluate whether controls installed in systems are working to maximise efficiency of processes C. Validate the adequacy of quality control processes to ensure excellence in product and service delivery

B. | Evaluate whether controls installed in systems are working to maximise efficiency of processes

An audit committee has approved an internal audit plan that includes a review of the organisation’s financial control system. The newly appointed a new chief audit executive (CAE) is concerned that the existing internal audit team does not have the requisite skills and experience necessary but does not want to disappoint the chief executive officer (CEO) by declining to undertake the engagement. What should the CAE do to ensure conformance with the Standards? Select one: A. Restrict the scope of the review to cover the areas where the internal audit team have the appropriate skills B. Do not undertake the review due to the potential negative impact on the credibility of the internal audit team C. Source internal auditors with the appropriate skills to work alongside the existing team

C. | Source internal auditors with the appropriate skills to work alongside the existing team

Select the most appropriate words to complete Standard 2220: The established __________ must be sufficient to ____________the ____________ of the engagement. Select one: A. scope, satisfy, objectives B. engagement, realise, scope C. objectives, achieve, coverage

A. | scope, satisfy, objectives

According to Performance Standard 2230, resources allocated to an engagement must be appropriate and: Select one: A. adequate B. sufficient C. suitable

B. | sufficient

You are the lead internal auditor for the review of the payroll system. You have determined the scope of the engagement and stated the objectives. You have decided which risk areas and controls to focus on. You have determined that the scope encompasses the appropriate risks and controls and are content that the objectives set can be met. You know there are several tasks still to complete before the engagement plan is complete. What is the next step? Select one: A. Discuss and agree with the chief audit executive B. Set out the information-gathering strategy and guidance for the internal auditors C. Determine what skills are needed and their availability

B. | Set out the information-gathering strategy and guidance for the internal auditors

Over the last twenty years, data privacy and information security have become significant issues for every organisation. Whose responsibility is it to develop retention requirements for internal audit engagement records, regardless of the medium in which each record is stored? Select one: A. The chief audit executive B. The data protection guardian C. Legal counsel

A. | The chief audit executive

You are a chief audit executive putting an internal audit team together to deliver an engagement in an area of the business that is particularly challenging to review. What must you consider when putting the team together? 1. The priority of the engagement 2. The availability of internal auditors with the necessary knowledge and skills 3. Management’s objections to the engagement 4. The complexity of the engagement Select one: A. 1 and 4 B. 1, 2 and 4 C. 1, 2, 3 and 4

B. | 1, 2 and 4

Who is accountable for the proper supervision of audit engagements, including reviewing and approving work papers? Select one: A. The audit manager B. The chief audit executive C. The engagement lead

B. | The chief audit executive

When planning an assurance engagement, an internal auditor may obtain copies of any policies that are specific to the area being reviewed. The main purpose for doing so is least likely to be to enable the internal auditor to: Select one: A. consider the extent to which the policies contribute to the mitigation of key risks that are relevant to the engagement B. follow all of the requirements of the policies that are specific to the area being reviewed C. verify the extent to which management's policies are being complied with

B. | follow all of the requirements of the policies that are specific to the area being reviewed

When identifying information during engagement work, what are are the four standards that information should meet according to Standard 2310? ``` A. Applicable B. Comprehensive C. Relevant D. Reliable E. Sufficient F. Useful ```

C, D, E, F

True or false? Purchase orders are relevant evidence that inventory purchased from a supplier has been received.

False. A purchase order is evidence that the purchase has been authorised, not that it has been received.

Which of the following is described as: "Requesting a goods receipt note from the organisation's customer to check receipt of goods" A. Confirmation B. Inquiry C. Re-performance

A. Confirmation

Which of the following is described as: "Electronic survey to employees as part of a culture audit" A. Confirmation B. Inquiry C. Re-performance

B. Inquiry

Electronic survey to employees as part of a culture audit: "Calculate anew numerical data to ensure the accuracy of account balances" A. Confirmation B. Inquiry C. Re-performance

C. Re-performance

True or false? A key product development risk is that development activity is unsuccessful and leads nowhere, leading to unnecessary costs incurred, time and effort wasted.

True.

Having professional, experienced and qualified staff is a key control for which of the following common business processes? A. Human resources B. Logistics C. Procurement D. Product development

All of them.

True or false? Talent management is a common service delivered by many HR functions in organisations.

True.

Human resource management involves helping an organisation to ______ through its people. Which words would accurately complete the sentence? A. create value B. manage risk C. hire and fire D. increase market share

A. Create value

What do data retrieval analysis tools allow the internal auditor to do? A. Compare and match data on different files B. Select samples using defined criteria C. Test a whole population D. Understand the operation of a business operation

A, B, C. There is a limit to what CAATTs can do. Once the data has been retrieved and analysed, there is still a requirement for an internal auditor to interpret the information and draw conclusions. This process may then lead them to understand the operation of a business application. The tool itself cannot do this.

Which of the following are benefits of an internal audit activity investing in data analytics tools? A. Improved team efficiency, by allowing internal auditors to spend less time on data collection, preparation and formatting, but more time on added value activity such as data evaluation B. Enhanced fraud and error detection and speedier identification of other anomalies for further investigation C. Enhanced filtering of false negatives and false positives from test results D. Better scoped internal audits looking at material areas of risk, based upon initial use of data analytics as part of initial or preliminary research

All of them.

True or false? An internal auditor wants to know if an organisation has achieved its target of reducing waste and energy consumption. Trend analysis is more appropriate than variance analysis in gathering this information.

False. Variance analysis is used to compare actual and target performance so is more appropriate for this scenario. Trend analysis tracks changes in performance over time. So, in this scenario the internal auditor may use trend analysis to identify changes in waste and energy consumption over a period of time.This would indicate if consumption has increased or decreased.

True or false? An internal auditor wants to know if sales in a particular product line are declining. Trend analysis is more appropriate than variance analysis in gathering this information

True.

Which tool is based on the principle that a small number of factors are accountable for the largest share of a particular effect? A. Cause and effect B. Five whys C. Ishikawa diagram D. Pareto analysis

D. Pareto analysis suggests that a relatively small number of issues account for a disproportionate part of the total problem. Thus, by careful analysis, organisations can trace the biggest problems to a number of key issues. The main point is that organisations can apply limited resources to resolving those crucial root problems.

You are conducting some detailed analysis and evaluation in the final stage of your internal audit fieldwork into overtime over-payments and errors. When using the Ishikawa (fishbone) diagram, what is recorded at the head of the 'fish'? A. Desired outcome B. Main cause C. Problem

A. & C. The main cause is recorded in the diagram, but this is not placed at the head of the fish. It is usually on of the key bones of the fish, not its head. The problem or desired outcome is placed at the head.

Which is the best example of best in class benchmarking? A. Comparing a function's processes with another function with the organisation B. Comparing an organisation's processes with an ISO standard C. Comparing an organisation's processes with a competitor's

B. Comparing an organisation's processes with an ISO standard The first example is of internal benchmarking and the third an example of competitive benchmarking.

What are the benefits for the internal auditor in using a flowchart with swim lanes? A. Identifies the parties involved in a process B. Helps map the risks and controls to particular entities or functions C. Saves time in creating workpapers by eliminating text D. May help define the scope of an engagement E. Helps estimate the number of tests that need to be performed during the fieldwork phase of the engagement

A, B & D The option C is incorrect as both map and text might be required. The option E is incorrect as there is no connected logic between a process map and a method for estimating the number of tests required. The number of tests required depends on the nature of risk and control, and the degree of assiduousness required in testing.

True or false? A spaghetti map is primarily used to record the movement of individuals, documents or transactions during the completion of a specific process.

True

Workflow analysis involves breaking down the ___________ of a workflow into its component steps and examining opportunities for ___________. Which words complete the sentence? A. controls / improved risk management B. performance / improvement C. stages / cost-cutting D. steps / efficiencies

True or false? Flow charts can be simple or very complex, drawn manually or by employing software applications.

True

What activities might an internal auditor use RACI diagrams for? A. To reliably record how long each activity takes in a process B. To systematically identify and record an organisation, department or team’s key business processes C. To clearly document the roles and responsibilities for any activity, process or group of activities D. To demonstrate excessive movement of an entity or entities through a process

True or false? The results from statistical sampling are more easily defended against bias than those from judgemental sampling methods.

True

True or false? Statistical sampling is generally only appropriate when the data population is small and data criteria unknown.

False. It's the opposite when population is large and data criteria is known.

True or false? Attribute sampling is more appropriate than monetary unit sampling when testing the occurrence of unauthorised purchase orders?

True Attribute sampling is used when the internal auditor is looking for a particular event, for example an unauthorised order, as in this example. Monetary unit sampling is only used to provide evidence of the value of the population.

Which of the following are non-financial performance indicators of customer satisfaction? A. Number of defective units shipped to customers as a percentage of the total number of products shipped B. Number of defects on each product line C. Number of customer complaints D. On-time delivery

A, C & D provide an indication of customer satisfaction. B relates to quality control or effectiveness in manufacturing processes.

The purpose of the balanced scorecard is best described as helping an organisation to: A. develop good customer relations B. mobilise employee skills for continuous improvements in processing capabilities, quality and response time C. introduce innovative products and services which are desired by target customers D. translate an organisation's strategy into a set of performance measures which help to implement that strategy

Which perspective in the balanced scorecard would manufacturing efficiency be categorised? A. Customer B. Financial C. Internal process D. Learning and growth

Which is a non-financial measure of internal processes? A. Increase in sales revenue in each of the markets the business sells to B. Percentage of sales which come from products introduced in the last three years C. Process yield (ie the proportion of resources inputs which result in good products) D. Staff turnover

C. The first two options would be categorised as financial, whilst the fourth would be categorised as learning and growth.

What is the missing word? Calculation and review of variances is an example of the concept of management by___________?

Exception. Management by exception is a management style whereby managers only take action when they see deviations from normal or expected outcomes. These deviations require management intervention – in the case of variance analysis, to either correct unfavourable variances, or to actively encourage favourable variances. In both situations, root cause analysis should also be completed to identify what is causing the variances.

True or false? Scenario planning focuses on financial outcomes.

False. Scenario planning takes financial outcomes into consideration, but its main focus is on planning how to react to a range of potential outcomes from a given strategy or decision.

Which of these descriptions is of vertical analysis? A. Compares items to a base year B. Shows relationships between variables C. Compares actual results to forecast results D. Compares items to a base figure

D. Compares items to a base figure

Which of these descriptions is of horizontal analysis? A. Compares items to a base year B. Shows relationships between variables C. Compares actual results to forecast results D. Compares items to a base figure

A. Compares items to a base year

Which of these descriptions is of variance analysis? A. Compares items to a base year B. Shows relationships between variables C. Compares actual results to forecast results D. Compares items to a base figure

C. Compares actual results to forecast results

Which of these descriptions is of sensitivity analysis? A. Compares items to a base year B. Shows relationships between variables C. Compares actual results to forecast results D. Compares items to a base figure

B. Shows relationships between variables

What do data retrieval and analysis tools allow the auditor to do? 1. Test a whole population 2. Select samples using defined criteria 3. Compare and match data on different files 4. Understand the operation of a business application Select one: A. 1, 2 and 3 B. 2, 3 and 4 C. 1, 2 and 4

You are conducting some detailed analysis and evaluation in the final stage of your internal audit fieldwork into overtime over-payments and errors. When using the cause and effect or fishbone diagram to help in analysing the potential factors that may affect a problem or desired outcome, what is recorded at the head of the 'fish'? Select one: A. Board of the organisation B. Level three effect C. Main cause D. Problem or desired outcome

Which flowcharting symbol is used to represent a printed document or report? A. | | B. Square with a wavy bottom line C. Italic square

Which of the following methods can be used when completing horizontal analysis? 1. Direct comparison 2. Variance comparison 3. Percentage comparison Select one: A. 1 and 2 B. 2 and 3 C. 1, 2 and 3

You are a trainee internal auditor and you have completed the initial testing programme for the review of the payment system. In one test you examined 50 payments to suppliers and found: - one case where the payment had been made too late to collect an early payment discount - seven cases part deliveries only from the same supplier had been received but payment had been made by the same payments clerk in each case for the complete order. You are very confident your sample is representative. What additional work do you need to do next before reaching conclusions and drafting your report findings? Select one: A. Retain the originals of documents and discuss the possibility of fraud with your team leader B. Select an additional sample of a further 50 invoices from a different period C. Check all other payments in the period covered by the audit made by the payment clerk who had made the payment too late to claim the discount

According to Standard 2310 information should meet four principles, of which three are sufficient, reliable and useful. What is the fourth? Select one: A. Adequate B. Relevant C.Significant

Which tool is most appropriate for helping an internal auditor to understand a unit's procedures in order to identify inefficiencies, ineffective tasks, and control weaknesses? Select one: A. Gantt chart B. Narrative description C. Process flowchart

Which of the following will increase an organisation’s leverage position: 1. Issuing common stock 2. Arranging a mortgage to purchase new premises 3. Paying a dividend to shareholders 4. Using a bank loan to purchase office furniture? Select one: A. 1 and 2 B. 3 and 4 C. 2 and 4

Which of the following will affect an organisation’s liquidity position? 1. Purchasing raw materials with cash 2. Purchasing raw materials on credit 3. Using a bank loan to purchase a new car 4. Paying utility bills 5. Paying employee salaries and wages Select one: A. 1, 2 and 3 B. 3, 4 and 5 C. 4 and 5

Which of the following is not a non-financial performance indicator of customer satisfaction? Select one: A. Number of defective units shipped to customers as a percentage of the total number of products shipped B. Number of defects on each product line C. Number of items delivered on time

You are planning an assurance engagement of the marketing function. Which of the following must you consider? 1. The objectives of the marketing function 2. The means by which the marketing function controls its performance 3. The significant risks to the marketing function’s objectives 4. The opportunities for making significant improvements to the marketing function’s governance, risk management, and control processes Select one: A. 1, 2 and 3 B. 1, 3 and 4 C. 1, 2, 3 and 4

``` During an internal audit engagement you have prepared the following RACI diagram: Role 1 - 2 - 3 - 4 - 5 - 6 Task 1 R - / - C - / - / - / Task 2 R - / - A - / - C - / Task 3 R - R - I - / - / - I Task 4 / - / - C - / - R - / Task 5 A - C - / - I - / - / Task 6 / - I - C - C - / - R ``` Which of the following statements is true? Select one: A. Role one is responsible for the riskiest activity B. The individual fulfilling role five implements the controls C. No individual has clear responsibility for task five

Which of the following is an activity ratio? Select one: A. Current ratio B. Gross profit margin C. Inventory turnover

What are compliance tests designed to establish? Select one: A. Controls are being applied as prescribed B. System or process works effectively C. Transactions examined are complete, accurate and timely

Which should be identified as a deficiency by an engagement supervisor who is reviewing working papers? Select one: A. A memorandum recorded in the working papers explained why the time budget for a part of the engagement was exceeded B. A draft communication concerning an engagement observation recorded in the working papers omitted the criteria used for evaluation C. A memorandum recorded in the working papers explained why an engagement work programme step was omitted

True or false? Engagement communications refer solely to the final audit report.

False

According to Standard 2420, communications must be accurate, objective, clear, concise, constructive, complete and: A. agreed beforehand with the client B. cost-effective C. timely

C. timely

A new chief audit executive wants to use the internal audit methodology they employed in their previous organisation, which was in a different country and sector. In the previous role, the chief audit executive and the function received an excellent EQA (external quality assessment) report from the IIA, particularly praising the methodology and communications. Is the chief audit executive right in thinking that he or she must import this methodology into the new organisation? Yes or no?

No because it needs to be specific and suitable for the organisation in question.

Which of the following media are permitted for internal audit engagement communications? A. Email B. Graphic representations such as storyboards or other visuals C. Powerpoint slides D. Word-processed documents

A, B, C, D | There's no prescribed or forbidden media as long as it meets the function's and client's needs and are appropriate.

True or false? The closeout meeting must include the draft internal audit report.

False. The report may be circulated before, during or after the meeting. It is for the internal audit function to decide what works best.

True or false? If you communicate regularly with the first line throughout an audit engagement, you are not required to communicate the results.

False

According to Standard 2410, final communication of engagement results must include applicable conclusions, as well as: A. a date for the next of the area B. a list of managers to blame C, applicable recommendations and/or action plans

A new chief audit executive believes that numbered ratings in reports may lead managers to quibble about specific numbers, rather than the substance of audit’s conclusions. He or she feels that heat maps or even clear descriptions would be more productive. Would the chief audit executive be justified in changing the report format without the audit committee’s permission? Yes or no?

Yes

Is it good practice for the executive summary of a report to contain the detailed findings? Yes/no?

No. The executive summary may refer concisely to specific findings that have contributed to an overall rating, but detailed findings should be in a separate section of the report.

According to the Standards, communications must include an engagement's: A. cost, duration and expected conclusions B. team members and relevant qualifications C. objectives, scope and results

According to Standard 2410 Criteria for communicating, communications must include the engagement's: 1. Objectives 2. Risks 3. Scope 4. Results Select one: A. 1, 3 and 4 B. 1, 2 and 3 C. 2, 3 and 4

You are planning an internal audit engagement that will cover business activity in different countries and decide to create a communications plan to assist. What should the plan not include? Select one: A. Types of communications internal audit will provide B. Distribution lists of stakeholders C. An undertaking that internal audit will at no point deviate from the plan

Following a particularly difficult finance audit, you are leading a closing meeting with the finance director and two of her direct reports (financial controller and head of management accounting). Three significant issues were noted during the audit and you have already informally agreed the findings with the financial controller and the head of management accounting. However, the finance director is rejecting the findings and the meeting conversation is becoming heated. Which of the following is the most appropriate course of action? Select one: A. Further explore the finance director’s objections and gain any relevant information from her that the two directs may not have been privy to during the audit B. Disagree with the finance director and inform her that the findings will be reported C. Explain that the findings have already been agreed with the directs and that this meeting is simply a formal wrap-up of the audit

During an assurance engagement, you discover a significant gap in the area’s risk and control framework. Although the particular gap is in an activity unrelated to your audit scope, it presents a major risk for the organisation. This gap may also affect the ability of staff in the area under review to perform controls effectively, even though your testing has not shown any failings so far. How should you approach this in your report? Select one: A. You pass it to the risk function and omit mentioning it in your report B. You mention this to the area’s senior managers and consider including it under ‘suggestions for improvement’, rather than as a finding C. You raise the matter immediately with senior managers in both internal audit and the first line, and include it as a finding in the report

You are the chief audit executive for a financial services organisation. It has come to your attention that a recent final engagement report that you approved contains an error. You have investigated the issue and identified that the error changes the results of the engagement and that the error changed the overall opinion provided for the engagement. As the chief audit executive, what is the most appropriate action for you to take? Select one: A. Communicate corrected information to all parties who received the original communication B. Ensure that the next engagement in this area takes account of the error C. Change the audit opinion on the engagement report and retain this for future reference

During fieldwork, a new internal auditor identifies the absence of segregation of duties in a number of key functions such as purchasing and stock control. There has never been a reported fraud at the office in question, but the internal auditor makes a series of recommendations to improve the weaknesses identified. When discussing the findings with the experienced and well respected manager of the satellite office, he brushes off the findings by accusing the internal auditor of making additional work where none is needed. You are reviewing the working papers and draft report in your role as the supervisor of this review and conclude: Select one: A. the findings are minor and should not be included in the draft report B. the findings are potential indicators of fraud and so should be included in the report with appropriate recommendations made to address the issues C. that although the findings are significant, you advise the internal auditor not to make formal recommendations but to advise the manager of the office to keep a close eye on the areas identified

What type of interview has the following objectives: - to arrive at a mutual understanding of the engagement findings and how they should be interpreted - to agree what actions should be taken based on the engagement findings? Select one: A.Preliminary meeting B.Fact-finding interview C.Post-audit close-out meeting

You are performing an assurance engagement in an area that has a large budget, but also produces the highest returns for the organisation. During testing, you discover that some employees are not performing key controls, which could lead to regulatory censure. One of the organisation’s rivals recently paid a large fine to local regulators for a similar matter, while another lost its licence to operate. What recommendation should you make to the area’s senior managers? Select one: A. Fire the employees and hire new ones, who will do as they're told B. Re-train and supervise closely these employees, as they deserve a second chance C. Examine the training and supervision provided to all employees in the area; this will help managers not only correct the existing finding, but reduce the chances of it recurring

What are interim engagement reports most usefully employed to do? Select one: A. Communicate information that requires immediate attention B. Deliver the initial engagement findings to the client C. Provide an update on the progress of the engagement to the chief audit executive

You are reviewing the payroll system of an organisation. During the review you gather information that suggests overtime payments to a particular team are above the agreed limits. This information is not within the scope of the engagement. What is the most appropriate action for reporting your findings? Select one: A. In a written interim report to the payroll manager B. Informally to the human resources manager C. In a written interim report to the human resources manager

Which of the following components of the IPPF are mandatory? (Tick all that apply) A. Code of Ethics B. Core Principles C. Implementation guidance D. Standards

A, B, D

True or false? The Mission is part of the mandatory guidance.

False. Whilst the Mission is part of the IPPF, it does not fall within either the mandatory or recommended guidance.

Which of these IPPF components is described as: "What internal audit aspires to achieve within organisations."? A. Mission B. Definition C. Core Principles

A. Mission

Which of these IPPF components is described as: "Statement of fundamental purpose, nature and scope of internal auditing."? A. Mission B. Definition C. Core Principles

B. Definition

Which of these IPPF components is described as: "Fundamental to the way an internal audit function operates."? A. Mission B. Definition C. Core Principles

C. Core principles

What element of the IPPF does the following statement derive from: To enhance and protect organisational value by providing risk-based and objective assurance, advice and insight? A. Core Principles B. Definition C. Mission

C. Mission

Which statement is true? A. The Mission is part of the mandatory guidance. B. The Mission is part of the recommended guidance. C. The Mission is not included in the mandatory or recommended guidance.

Which of the following are Core Principles? A. Demonstrates integrity B. Demonstrates competence and due professional care C. Validates amounts in the financial statement D. Provides risk-based assurance

A, B, D

True or false? The Glossary provides definitions of words used within the Standards and is part of the recommended guidance within the IPPF.

False. The Glossary is part of the Standards and therefore falls within the mandatory guidance.

True or false? Following all the rules of conduct within the Code of Ethics will ensure conformance with the ethical principles.

False. The rules of conduct describe behaviour norms expected of internal auditors. The rules of conduct should be considered as examples in the application of the principles. It is therefore not sufficient to only follow the stated rules of conduct. As an internal auditor, you must ensure that you also apply the ethical principles in every aspect of your work.

Rule 2.1 states: Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation. Background: Jim is performing an audit of the payroll function. Susan is the payroll manager. Jim and Susan have been dating for six months. Jim decided that he was not going to allow his relationship with Susan to influence his work in any way. True or false? Based on the scenario set out above, Jim has failed to conform with Code of Ethics Rule 2.1.

True.

Rule 2.2 states: Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment Background: Nishi is performing an audit of the buying department. The buying manager offered Nishi free hospitality tickets to a sporting event as they were surplus to requirements. Nishi accepted the tickets as they would be wasted otherwise, but resolved that she would not allow this to influence her work in any way. True or false? Nishi has failed to conform with Code of Ethics Rule 2.2.

True

Rule 3.2 states: Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation. Background: Ilze, an internal auditor at a large manufacturer, was involved in highly confidential due diligence work related to a potential merger. She believed the merger would benefit her organisation so she told her husband to buy some shares in it, but only after checking that this would not be illegal. True or false? Ilze has failed to conform with Code of Ethics Rule 3.2.

True.

Rule 4.1 states: Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience. Background: Po Kum knew very little about IT – but thought it was an interesting area to learn about so she persuaded her manager to assign her an IT security audit to conduct on her own. True or false? Po Kum’s actions could lead to a breach of Rule 4.1 of the Code of Ethics.

True

Which are valid purposes of the Standards? A. Guide adherence with the mandatory elements of the IPPF. B. Provide a framework for performing and promoting a broad range of value-added internal auditing services. C. Establish the basis for the evaluation of internal audit performance. D. Foster improved organisational processes and operations.

All of them.

The two main categories of Standards are: A. Assurance and Consultancy Standards B. Attribute and Performance Standards C. Performance and Implementation Standards D. Attribute and Implementation Standards

True or false? The chief audit executive is responsible for deciding whether the internal audit service should conform with the International Standards.

False, it is mandatory.

Background: All Standards include a statement of core requirements. Some have an interpretation to provide clarification. Many use words that are defined in the Glossary. True or false? All three components of the Standards (statements, interpretations, and Glossary meanings) are mandatory.

True

Which is the title to Standard no 2100?

Nature of work

Which is the title to Standard no 2200?

Engagement planning

Which is the title to Standard no 2300?

Performing the engagement

Which is the title to Standard no 2600?

Communicating the acceptance of risks

Practice guides are part of the: A. recommended guidance in the IPPF B. implementation guidance in the IPPF C. supplementary guidance in the IPPF

A & C Practice Guides are the main type of supplementary guidance. Supplementary guidance is one of the two categories of recommended guidance. Implementation guidance only contains implementation guides.

True or false? Implementation guides provide help with applying the Standards to conducting internal audit work. Implementation guides therefore relate to the Performance Standards and are not relevant to Attribute Standards.

False. There is an implementation guide to support each main Attribute and Performance Standard, although there are not separate guides for the Implementation Standards.

True or false? Supplemental guidance sits outside the IPPF.

False

True or false? Global Technology Audit Guides are for IT auditors and should not be used by auditors who do not have the required level of IT expertise.

False The Global Technology Audit Guides (GTAGs) are written in straightforward business language and may be helpful to all internal auditors where they are relevant to their work.

True or false? An internal audit charter can be a useful way to set out the role of an internal audit activity, but it is not mandatory.

False

True or false? The mandatory parts of the IPPF (Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing) can be taken as read and do not need explicit mention in the internal audit charter.

False, they must be recognised in the internal audit charter

Which of the following are examples of functional reporting to the board? Tick all that apply. Approving the: A. internal audit charter B. risk-based internal audit plan C. internal audit budget and resource plan D. remuneration of the chief audit executive

All of them. Standard 1110 notes that: Organisational independence is effectively achieved when the chief audit executive reports functionally to the board. It includes examples of functional reporting to the board, including all of the above examples.

True or false? The independence of internal audit activities is critical. A sufficiently high level of independence will guarantee that the objectivity requirements for internal audit activities are met.

False Although they are related and high-level independence supports objectivity, independence is not sufficient to guarantee that all of the objectivity requirements will be met.

If the chief audit executive’s main reporting line is to the finance director this may impair independence because: A. the primary role of internal audit is to verify the accuracy of the financial statements B. the primary role of internal audit is to provide assurance regarding financial controls C. the internal audit activity may review some activities for the the financial director is responsible for D. the finance director may be a member of the board

Which of the following statements are true? A. Internal audit should operate to the highest level of ethical and professional competencies to ensure consistent and accurate assurance delivery. B. Every professional internal auditor and internal audit activity should follow and conform to the IIA’s International Professional Practices Framework (IPPF). C. Internal audit should operate under a charter that adopts the IPPF, and stakeholders should expect and accept nothing less. D. Stakeholders should require the internal audit activity maintain a Quality Assurance and Improvement Program (QAIP) and demand regular external quality-assurance reviews.

All of them.

True or false? Conformance with the IPPF helps ensure internal auditing is conducted based upon sound ethical principles.

True

Who might benefit from internal audit conformance with the IPPF? ``` A. Boards and governing bodies B. Audit committees C. Management D. External stakeholder E. Internal stakeholders ```

All of them.

True or false? Risk is the possibility of an event occurring that threatens the achievement of objectives.

False. Risk is possibility of an event occurring that will have an impact on the achievement of objectives. This impact can be a threat but it can also be an opportunity. The latter is often referred to as 'upside risk.'

What term is deﬁned as ‘the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria’? A. Objective-setting B. Risk assessment C. Risk evaluation D. Risk identification

What term is used to describe a risk that does not take into account any response that the organisation may put in place? A. Gross B. Net C. Residual D. Retained

Which risk response is this a description of? "Take no action to affect likelihood or impact"

Which risk response is this a description of? Terminate the activities that give rise to risk

Avoid

Which risk response is this a description of? Take action to treat the impact or likelihood or both

Reduce

Which risk response is this a description of? Treat the impact or likelihood or both by transferring or sharing a portion of the risk.

Which line of defence is HR part of?

First line

Which line of defence is IA part of?

Third line

Which line of defence is legislative compliance part of?

Second line

True or false? The COSO risk management framework places greater emphasis on controls than ISO31000:2018.

True This statement is largely true. COSO has an internal control framework as well as a risk management one. The former is aligned with COSO's risk management framework.

Which three areas form ISO 31000:2018? ``` A. Audit B. Conformance C. Framework D. Principles E. Processes ```

C, D, E. The ISO 31000:2018 standard comprises the three components - principles, framework and processes. In addition, there are a further two related standards: ISO Guide 73 Risk management - vocabulary IEC 31010 Risk management - risk assessment techniques.

Which activities are core internal audit roles in risk management? A. Developing the risk management strategy for the board's approval B. Evaluating the risk management process C. Giving assurance on the risk management process D. Implementing risk responses on management's behalf E. Taking decisions on risk responses

B, C

Standard 2120 Risk Management states: The internal audit activity must evaluate the ________ and contribute to the improvement of risk management processes. What text is missing? ``` A. effectiveness B. efficiency C. risk appetite D. risk impact E. risk responses ```

An assessment of risk maturity finds that risk management and internal control is fully embedded into the organisations' processes and systems. What is the level of the organisation's risk maturity? A. Defined B. Managed C. Optimised D. Repeatable

Which are elements of the control environment? A. Assignment of authority and responsibility B. Integrity and ethical values C. Organisational structure

All of them.

Statement In our team, we have several control processes for supplier procurement. **All these controls are set out in a process manual, which we update annually, in line with Group Policy.** #We require three bids for each project,# and ++the bid process is split between three people: one to post the announcement, one to process the bids as they come in, and one to make a recommendation to senior management.++ Because of this segregation of duties, we don’t require team members to declare any conflicts of interest – the segregation of duties ensures this won’t arise. If there is a problem, &&we rely on people using the whistleblowing hotline to flag it.&& //We would then stop using that supplier.// Which option is TRUE? A. There is one of each type of control process in this statement: ** is directive, # is directive and preventive, ++ preventive, && detective and // corrective. B. A sound control must have all four types of control process. C. There are too many controls here.

Statement In our team, we have several control processes for supplier procurement. All these controls are set out in a process manual, which we update annually, in line with Group Policy. We require three bids for each project, and the bid process is split between three people: one to post the announcement, one to process the bids as they come in, and one to make a recommendation to senior management. Because of this segregation of duties, we don’t require team members to declare any conflicts of interest – the segregation of duties ensures this won’t arise. If there is a problem, we rely on people using the whistleblowing hotline to flag it. We would then stop using that supplier. Which option is TRUE? A. All the controls listed are both adequate and effective. B. All the controls listed are inadequate. C. This statement contains inadequate controls.

C. The first three controls highlighted appear adequate. However, not requiring team members to declare conflicts of interest is a serious gap, and relying on a whistleblowing hotline (detective control) alone is not good enough. Furthermore, while not using the supplier again seems to be an adequate corrective control, it may raise fresh problems. If the team stops using the supplier on mere suspicion of conflict of interest, the supplier may have grounds to take legal action. And, if there is not conflict of interest but the supplier is dropped anyway, the organisation may have unnecessarily lost the best supplier to meet its needs. The first option is incorrect – the controls are not all adequate, and we don’t know if those that are adequate are effective. We would need further information – testing results – to determine effectiveness. The second option is incorrect – some of the controls appear adequate.

What type of control is variance analysis? A. Automated control B. Hard control C. Passive control D. Soft control

B. Hard controls are quantitative and objective. A comparison of budget and actual figures through the process of variance analysis identifies how well an organisation is performing against targets. Budgets often use monetary and numerical targets. Automated and passive control is incorrect. Automated and passive controls work without human intervention such as a warning within a computer system which might indicate that an expense heading has exceeded a specific level. Soft controls are qualitative and subjective; this is incorrect.

Which component of the COSO Internal Control framework is described as "Demonstrates a commitment to integrity and ethical values."?

Control environment

Which component of the COSO Internal Control framework is described as "Selects general control activities over technology to support achievement of objectives."?

Control activities

Which component of the COSO Internal Control framework is described as "Assesses changes that could significantly affect the system of internal control."?

Risk assessment

Organisations must comply with laws and regulations including company law, tax law and environmental protection regulations. What category of internal control objectives does this requirement form part of? A. Operations B. Reporting C. Compliance

What is the title of Standard 1000?

Purpose, Authority and Responsibility

What is the title of Standard 1100?

Independence & Objectivity

What is the title of Standard 1200?

Proficiency and due professional care

What is the title of Standard 1300?

QA & Improvement program