Chapter 1 Flashcards

1
Q

Form 10-K

A

A Form 10-K is an annual report required by the U.S. Securities and Exchange Commission (SEC) that gives a comprehensive summary of a company’s financial performance. Although similarly named, the annual report on Form 10-K is distinct from the often glossy “annual report to shareholders,” which a company must send to its shareholders when it holds an annual meeting to elect directors (though some companies combine the annual report and the 10-K into one document). The 10-K includes information such as company history, organizational structure, executive compensation, equity, subsidiaries, and audited financial statements, among other information.

2
Q
According to the 17 COSO control principles, change management primarily relates to which fundamental component of internal control:
A. Control activities.
B. Control environment.
C. Risk assessment.
D. Monitoring.
A

C. Risk assessment.

According to the COSO principles, risk assessment primarily relates to organizational objectives, risk assessment, fraud, and change management.

3
Q

This fundamental component of internal control is the core or foundation of any system of internal control.

A. Control activities.
B. Control environment.
C. Information and communication.
D. Risk assessment.

A

B. Control environment.

The control environment is, “…the core or foundation of any system of internal control.”

4
Q
This component of internal control concerns testing the system and its data.
A. Control activities.
B. Control environment.
C. Monitoring.
D. Risk assessment.
A

C. Monitoring.

Monitoring ensures the ongoing reliability of information by monitoring and testing the system and its data.

5
Q

According to the 17 COSO control principles, risk reduction primarily relates to which fundamental component of internal control:

A. Control activities.
B. Control environment.
C. Risk assessment.
D. Monitoring.

A

A. Control activities.

According to the COSO principles, control activities primarily relate to risk reduction, technology controls, and policies.

6
Q
Strategic, operations, reporting, and compliance objectives are a part of which of the following models of internal control?
A. COBIT.
B. COSO.
C. COSO ERM.
D. All of the above.
A

C. COSO ERM.

This answer is correct because strategic, operations, reporting, and compliance objectives are part of this model.

7
Q
Which component of the COSO ERM framework is concerned with management's decision to avoid, accept, reduce, or share risk and to develop a set of actions to align risk with the entity's risk preferences?
A. Control activities.
B. Event identification.
C. Risk assessment.
D. Risk response.
A

D. Risk response.

Risk response does include management’s decision to avoid, accept, reduce, or share risk and to develop a set of actions to align risk with the entity’s risk preferences.

8
Q
Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?
A. Control environment.
B. Risk assessment.
C. Information and communication.
D. Monitoring.
A

D. Monitoring.

Monitoring is the core, underlying control component in the COSO ERM model. Its position at the foundation is not accidental and reflects the importance of monitoring to achieving strong internal control and effective risk management. Ensuring that internal controls continue to operate effectively is the primary purpose of monitoring.

9
Q

Which of the following is not a major step in the COSO model of control monitoring?
A. Establish a foundation for monitoring.
B. Establish a baseline of an internal control known to be effective.
C. Design and execute monitoring procedures.
D. Assess and report control evaluation results.

A

B. Establish a baseline of an internal control known to be effective.

Establishing a baseline of known control effectiveness is part of the process of establishing a foundation for monitoring. Hence, it is a sub-activity, rather than a major step, in the COSO model of control monitoring.

10
Q

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

A. Control baseline.
B. Change identification.
C. Change management.
D. Control revalidation/update.

A

B. Change identification.

Change Identification is the monitoring for change process that would include ongoing and separate evaluations intended to identify and address changes in internal control effectiveness.

11
Q

Which of the following is not a major step in the COSO model of control monitoring?

A. Establish a foundation for monitoring.
B. Establish a baseline of an internal control known to be effective.
C. Design and execute monitoring procedures.
D. Assess and report control evaluation results.

A

B. Establish a baseline of an internal control known to be effective.

Establishing a baseline of known control effectiveness is part of the process of establishing a foundation for monitoring. Hence, it is a sub-activity, rather than a major step, in the COSO model of control monitoring.

12
Q

What term identifies the guidance in the International Standards for the Professional Practice of Internal Auditing that distinguishes between requirements for “assurance” services and “consulting” services?
A. Implementation standards.
B. Attribute Standards.
C. Performance Standards.
D. Interpretations of the International Standards.

A

A. Implementation standards.

Implementation Standards differentiate the requirements applicable to “assurance” activities from those applicable to “consulting” activities within the Attribute and Performance Standards.

13
Q

The Performance Standards focus on seven primary themes around which the remaining Performance Standards are organized. Each of the following key words or phrases is associated with these seven primary themes except
A. Purpose, authority, and responsibility.
B. Managing the internal audit activity.
C. Nature of Work.
D. Engagement Planning.

A

A. Purpose, authority, and responsibility.

“Purpose, Authority, and Responsibility” is associated with the Attribute Standards, specifically Standard 1000.

14
Q
What term is used in the IIA's International Standards to identify the person responsible for managing an organization's internal audit activity?
A. Director of internal auditing.
B. Vice President, Internal Auditing.
C. Certified Internal Auditor.
D. Chief Audit Executive.
A

D. Chief Audit Executive.

Attribute Standard 1000 makes the first of numerous references in the Attribute Standards to the “chief audit executive.”

15
Q
The IIA's Definition of Internal Auditing specifically mentions each of the following terms among the organizational objectives to be improved by internal auditing except
A. cost of capital.
B. risk management.
C. control.
D. governance.
A

A. cost of capital.

The Definition of Internal Auditing includes the following sentence: “It (Internal Auditing) helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” There is no reference to “cost of capital,” which is normally associated with financial reporting and external auditing.

16
Q

Adjustment from gross national product (GNP) to net national product (NNP) would require which one of the following?
A. Deducting depreciation from the GNP.
B. Deducting investment from the GNP.
C. Adding depreciation to GNP.
D. Adding investment to GNP.

A

A. Deducting depreciation from the GNP.

Net National Product, like Gross National Product, measures the total output of all goods and services produced worldwide using the economic resources of U.S. entities, but does not include an amount (output value) for depreciation. Thus, depreciation would be deducted from GNP to derive NNP.

17
Q
Which of the following graphs shows the maximum combination of goods and services that can be produced at a given time, if all available resources are used efficiently?
A. Aggregate demand curve.
B. Aggregate supply curve.
C. Productive-possibility curve.
D. Indifference curve.
A

C. Productive-possibility curve.

A productive-possibility curve measures the maximum amount of various goods and services an economy can produce at a given time with available technology and efficient use of all available resources.

18
Q

Assuming a conventional supply curve, which one of the following factors will not cause a shift in the aggregate supply curve for a good?
A. An increase in the availability of input resources.
B. Technological developments that increase production efficiency.
C. An increase in the selling price of the good.
D. A decrease in the cost of input resources.

A

C. An increase in the selling price of the good.

An increase in the selling price of a good would not shift a conventional supply curve. A change in price (alone) is reflected by movement along a given supply curve, not by a shift in the supply curve.

19
Q

Public company audit committees must contain which of the following?
A. A majority of independent directors.
B. An accounting expert.
C. A financial expert.
D. A legal expert.

A

C. A financial expert.

SOX requires that every audit committee of a public company have at least one “financial expert” with (a) an understanding of GAAP and financial statements; (b) experience in preparing or auditing F/S; (c) experience with internal auditing controls; and (d) an understanding of audit committee functions.

20
Q

Dan provided original information to authorities regarding a securities fraud in his company. It led the SEC to impose penalties of $2 million. Which of the following is most likely to be Dan’s award under Dodd-Frank?

A. $50,000.
B. $150,000.
C. $350,000.
D. $750,000.
A

C. $350,000.

This amount is within the range of mandatory awards, between 10% and 30% of sanctions imposed.

21
Q

Which of the following did Dodd-Frank do regarding a whistleblower’s right to sue for retaliation accorded by SOX?
A. It extended the time to file a complaint with OSHA from 90 days to 180 days.
B. It extended the right to sue to whistleblowing employees of private subsidiaries controlled by public companies.
C. It granted whistleblowers the right to a jury trial in retaliation cases that are properly filed in federal court.
D. All of the above.

A

D. All of the above.

22
Q

audit committee

A

An audit committee is an operating committee of a company’s board of directors that is in charge of overseeing financial reporting and disclosure. All U.S. publicly-traded companies must maintain a qualified audit committee in order to be listed on a stock exchange.

23
Q

Which of the following is an example of a detective control?
A. Use of pre-formatted screens for data entry.
B. Comparison of data entry totals to batch control totals.
C. Restricting access to the computer operations center to data-processing staff only.
D. Employing a file librarian to maintain custody of the program and data files.

A

B. Comparison of data entry totals to batch control totals.

Reconciliation of data entry totals with batch control totals will detect errors made by the data entry clerks.

24
Q

Milo Corp. maintains daily backups of its accounting system in a fireproof vault in the file library. Weekly, monthly, and annual backups are stored in a secure, fireproof vault at an off-site location.

Maintenance of the backup files is an example of
A. a detective control.
B. a feedback control.
C. a corrective control.
D. a preventive control.
A

C. a corrective control.

Corrective controls allow the user to recover from a problem once it has been identified.

25
Q
Controls in the information technology area are classified into the categories of preventive, detective, and corrective. Which of the following is a preventive control?
A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.
A

D. Access control software.

26
Q
According to the 17 COSO control principles, addressing control deficiencies primarily relates to which fundamental component of internal control:
A. Control activities.
B. Control environment.
C. Information and communication.
D. Monitoring.
A

D. Monitoring.

According to the COSO principles, monitoring primarily relates to establishing ongoing and periodic evaluations, and addressing control deficiencies.

27
Q

One of the Rules of Conduct in the IIA’s Code of Ethics states, “Internal auditors shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.” To which Principle of the Code of Ethics does this Rule of Conduct relate?

A. Integrity.
B. Objectivity.
C. Confidentiality.
D. Competency.
A

D. Competency.

That particular Rule of Conduct is designated Rule #4.2, in connection with “Competency.”

28
Q
The IIA's International Professional Practices Framework includes among its "mandatory" guidance each of the following elements except
A. Definition of Internal Auditing.
B. Code of Ethics.
C. Implementation Guidance.
D. International Standards.
A

C. Implementation Guidance.

Mandatory guidance consists of: (1) Definition of Internal Auditing; (2) Core Principles; (3) Code of Ethics; and (4) International Standards. The “recommended” guidance includes Implementation Guidance and Supplemental Guidance.