CIA Part 2 2019 version Flashcards
To master rationale
When gathering data, an audit team identifies both subjective and objective criteria for measuring audit risk. Which of the following risk factors is most objective?
A. Prior audit findings
B. Comfort with operating management
C. Size of the audit unit
D. Changes in staff, systems, or the environment
ANSWER: C
RATIONALE: Interpretation of Standard 2420 states that “accurate communications are free from errors and distortions and are faithful to the underlying facts. Objective communications are fair, impartial, and unbiased…” Sawyer’s Internal Auditing states that “every categorical statement, every figure, every reference must be based on hard evidence.” The size of the audit unit is a fact, and it is not affected by the auditor’s impressions and feelings.
(Section I, Chapter 2, Topic A)
During the course of a business process review, an internal auditor may
A. decide which controls to select.
B. provide advice on appropriate controls during system design.
C. oversee the implementation of recommended controls.
D. lead a system design team.
ANSWER: B
RATIONALE: A business process review falls in the consulting category of engagements. During a consulting engagement (as in assurance engagements), an internal auditor cannot assume management responsibilities, make decisions, or execute transactions as if he or she were part of management. Providing advice is acceptable as long as there is a clear understanding that management has responsibility for accepting or rejecting the advice. The other responsibilities would significantly impair the auditor’s future ability to objectively evaluate the system.
(Section I, Chapter 2, Topic D)
Which of the following statements best describes the purpose of the audit manual?
A. To provide training in basic audit techniques for newly hired auditors
B. To describe objectives, policies, and procedures affecting auditors’ work
C. To serve as a reference for approved engagement tools
D. To define the employment relationship between the organization and the employee
ANSWER: C
RATIONALE
According to Standard 2040, “Policies and Procedures,” the chief audit executive is responsible for establishing policies and procedures to guide the internal audit activity. The audit manual documents these policies (e.g., avoidance of conflict of interest) and procedures (e.g., engagement process) as well as the activity’s charter, strategic objectives, structure, and annual audit plan.
(Section I, Chapter 1, Topic A)
Which is an appropriate role for internal audit during a systems development life cycle (SDLC) review?
A. Ensure that controls are designed during the conversion and implementation phase.
B. Restrict stakeholder representation.
C. Screen the technical expertise of employees participating in the study.
D. Provide the go/no go recommendation based on feasibility study conclusions.
ANSWER: C
RATIONALE
Organizations need to control information system resources. During a consulting SDLC review, the auditor could ensure that the team has sufficient hardware and software expertise and includes appropriate stakeholder representation. But internal audit cannot assume management responsibilities or make decisions as if they were part of management. Designing controls during the conversion and implementation phase would be far too late; this should be done during systems design or selection.
(Section I, Chapter 2, Topic D)
A new chief audit executive (CAE) is identifying sources of potential engagements for the internal audit activity. Which of the following would be the least helpful activity when examining organizational risk factors?
A. Interviews with senior management, the board, and the audit committee chairperson
B. Discussion with external auditors of open and closed internal control issues identified in their reviews
C. Research conducted with industry benchmarking groups and organizations
D. Review of organizational written policies and procedures
ANSWER: C
RATIONALE
The CAE needs to develop an understanding of organizational risks and internal controls available to mitigate these risks in order to help management protect the organization from risk exposures—present and future. Benchmarking is a useful tool for various aspects of the internal audit activity. However, discussions with external auditors and interviews with senior management help to surface problems and opportunities that have already been identified in the organization. Reviewing policies and procedures is of limited value in identifying sources of potential engagements, although policies and procedures do provide a sense of risk areas targeted by the organization.
(Section I, Chapter 2, Topic D)
Which of the following is an example of an internal nonfinancial benchmark?
A. The average actual cost per pound of a specific product at the company’s most efficient plant becomes the benchmark for the company’s other plants.
B. The labor rate of comparably skilled employees at a major competitor’s plant becomes a benchmark.
C. The percentage of customer orders delivered on time at the company’s most efficient plant becomes the benchmark for the company’s other plants.
D. The company is setting a benchmark of U.S. $50,000 for employee training programs at each of its plants.
ANSWER: C
RATIONALE
The percentage of on-time orders at the best plant is an example of an internal nonfinancial benchmark. The other items are all external financial benchmarks.
(Section I, Chapter 2, Topic D)
When the chief audit executive performs the risk assessment for the annual audit plan, which of the following would be most likely to raise the assessed risk of a potential audit area?
A. Fact that a critical activity had not been subject to a compliance audit during the past year
B. Request from senior management to review the strategic plan
C. Material, anticipated drop in cash flow after plant closings
D. Significant increase in receivables with a decrease in sales
ANSWER: D
RATIONALE
Unanticipated increases or decreases of significant size in significant measures, such as the amount of receivables, are an indicator of risk worth consideration. If sales had also increased commensurately, this would not have been a red flag, but since sales decreased, this is unexpected. A request from management to put an audit on the agenda is significant, but it does not necessarily indicate that the area is at risk. Compliance audits do not have to be conducted annually unless there is evidence indicating that an audit is necessary.
(Section I, Chapter 2, Topic B)
Determination of cost savings is most likely to be an objective of
A. program audit engagements.
B. compliance audit engagements.
C. financial audit engagements.
D. operational audit engagements.
ANSWER: D
RATIONALE
Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency. Program audit engagements address accomplishment of program objectives. Financial auditing addresses accuracy of financial records. Compliance auditing addresses compliance with requirements, including legal and regulatory requirements.
(Section I, Chapter 2, Topic C)
Which of the following describes acceptable practice in small internal audit activities?
A. Close and daily supervision may take the place of formal internal audit operations manuals.
B. The quality assurance and improvement program is optional.
C. It is generally understood and accepted that absolute conformance with The IIA’s mandatory guidance is unlikely.
D. Detailed written policies and procedures are even more needed than in large internal audit organizations.
ANSWER: A
RATIONALE
Implementation Guide 2040 explains that in small internal audit activities, close and daily supervision may take the place of formal internal audit operations manuals. Conformance with The IIA’s mandatory guidance is expected, regardless of internal audit activity size. Detailed policies and procedures are more likely to be found in larger, more mature audit activities, not smaller ones. The quality assurance and improvement program is part of mandatory guidance (1300 series of Standards) and is not optional, regardless of audit activity size.
(Section I, Chapter 1, Topic A)
The primary purpose of budgets is to
A. move a company toward its short- and long-term strategic goals.
B. define a company’s mission.
C. provide an informal communication network.
D. determine when and how much to limit scope on each engagement.
ANSWER: A
RATIONALE
Budgets provide a tight, goal-oriented, rational linkage with the strategic plan. The scope of engagements should be based on the risk assessment and other factors rather than the budget. If the budget is not sufficient for the planned scope, the chief audit executive should request the required funds, and if these are not approved, indicate the scope limitation and its likely impact.
(Section I, Chapter 1, Topic B)
Of the options listed, the most important risk to consider related to interviews of prospective internal audit employees is
A. extending an offer to someone who is not the most qualified applicant.
B. that the audit activity should be recruiting contractors instead.
C. interviewers asking illegal questions of applicants.
D. needing to conduct multiple rounds of interviews.
ANSWER: C
RATIONALE
Those conducting interviews should be trained to reduce the risk of asking illegal questions, requesting that applicants take illegal or invalid tests, or being inconsistent in the use of allowed questions or tests. Extending an offer to someone who is not the most qualified applicant is a risk, but it isn’t the biggest risk listed. Also, it may be necessary, such as if the most qualified candidate has unrealistic salary expectations. Multiple rounds of interviews are common; recruit selection involves narrowing the choice down to those applicants who have the requisite qualifications and then conducting one or more rounds of interviews with those applicants. Contractor selection will involve many of the same steps as recruit selection, but a key factor is ensuring compliance with tax laws related to use of contractors. Since some organizations have overused contractors to avoid paying benefits and employment taxes, many governments have created tax and employment regulations related to contractor duties and how they are managed; the opposite is true – a risk to interviews of prospective contractors is that the audit activity should be recruiting employees instead.
For more information, refer to Section I, Chapter 1, Topic B
In conducting an initial risk assessment, a newly established internal audit activity finds that the organization has no risk management process in place. Which of the following would be an appropriate response, according to The IIA’s International Professional Practices Framework?
A. The internal audit activity should recognize that the decision to establish a risk management policy belongs to management and is not within the scope of the internal audit activity.
B. The internal audit activity should make suggestions to management regarding ways to establish such a process.
C. The internal audit activity should consider lack of a risk management process to be a red flag and should schedule a management fraud engagement.
D. The chief audit executive should seek the advice of legal counsel about violations of regulations governing risk management.
ANSWER: B
RATIONALE
Management owns risk and risk management, but, if there is no risk management process in an organization, the internal audit activity should bring this situation to management’s attention and suggest ways to establish such a process. Even if lack of a risk management process were a red flag, scheduling a fraud engagement would be premature without further evidence that fraud might be occurring. In most businesses, lack of a risk management process violates no laws or regulations.
(Section I, Chapter 2, Topic B)
Which of the following best describes competitive benchmarking?
A. It looks at the performance of other organizations that have similar processes as the benchmark.
B. It looks within the department or process itself by selecting a stellar performance that rises (but not unreachably) above the current baseline performance.
C. It looks at a process in one operation and compares it to a process with similar characteristics but in another industry.
D. It looks at industry-wide measures as a target for improvement.
ANSWER: A
RATIONALE
An example of competitive benchmarking is when an organization attempts to achieve the same sales numbers as a competitor. The organization uses its competitor’s numbers as its benchmark for success.
For more information, refer to Section I, Chapter 2, Topic D
A chief audit executive (CAE) of a small community bank refreshes his risk assessment four months into the current audit plan year. From the refresh, he decides it is necessary to adjust the audit plan by adding an assessment of a newly launched, high-risk loan product that was urgently initiated by the vice president of lending due to competition from a local credit union. The CAE should
A. request a meeting with the vice president of lending for her approval of new engagement objectives and scope.
B. notify regulatory authorities to understand their scheduled lending activity examinations for proper coordination of work.
C. communicate the significant audit plan change to the board and senior management for review and approval.
D. substitute the high-risk loan product audit for other routine loan compliance work in the approved plan to stay on budget.
ANSWER: C
RATIONALE
Performance Standard 2020, “Communication and Approval,” states: “The chief audit executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval.” Eliminating previously approved engagements from the audit plan in favor of other work would be considered a significant interim change. It is not appropriate for management of the audited area to approve engagement objectives and scope; this is the CAE’s role. Notification to regulatory examiners regarding a new high-risk lending activity would not be appropriate.
For more information, refer to Section I, Chapter 3, Topic A
Several members of an organization’s senior management have questioned whether the internal audit activity should report to the newly established quality audit function as part of the total quality management process within the organization. The chief audit executive (CAE) has reviewed the quality audit standards and the programs that the quality audit manager has proposed. The CAE’s response to senior management should include which of the following?
A. Changing the applicable standards for internal auditing within the organization to provide compliance with quality audit standards.
B. Estimating departmental cost savings that would result from the elimination of the internal audit activity.
C. Identifying appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
D. Changing the qualification requirements for new staff members to include quality audit experience.
ANSWER: C
RATIONALE
An internal auditor should always consider the added value of coordinating internal and external audit work to increase economy, efficiency, and effectiveness of the overall audit process – for example, with other internal assurance functions, such as quality control. By coordinating, the two functions can provide support for each other, and potentially make the audit process more efficient. Therefore, when responding to management in this scenario, the CAE should identify ways in which they believe working with the quality audit function can enhance the audit function.
For more information, refer to Section I, Chapter 2, Topic E
In addition to the financial budget for the overall audit activity, the chief audit executive will also routinely prepare
A. a work hours and a schedule budget.
B. an office space requirements budget.
C. a time and materials budget.
D. a fixed vs. variable costs budget.
ANSWER: A
RATIONALE
The CAE will also create a schedule budget, aligning the number of available audit personnel against available work hours to determine the amount of coverage that can be provided during a fiscal year as well as within each audit project. A time and materials budget is generally used in production activities, not internal audit activities. Fixed and variable cost budgets are used in cost/volume/profit analysis, which is not generally applicable to internal audit activities. While an office space requirements analysis may be prepared infrequently (i.e., for a growing audit activity or for an upcoming office move), work hours and audit schedule budgets are routinely prepared in conjunction with the financial budget.
For more information, refer to Section I, Chapter 1, Topic B
A hospital is evaluating the purchase of software to integrate a new cost accounting system with its existing financial accounting system. Which of the following describes the most effective way for the internal audit activity to be involved in the procurement process?
A. The internal audit activity has no involvement, since the system has already been developed externally.
B. The internal audit activity determines whether the prototyped model is validated and reviewed with users before production use begins.
C. The internal audit activity evaluates whether the application design meets internal development and documentation standards.
D. The internal audit activity evaluates whether performance specifications are consistent with the hospital’s needs.
ANSWER: D
RATIONALE
The internal audit activity should be involved to ensure the existence of performance specifications consistent with the hospital’s needs. Incomplete or erroneous specifications may result in the acquisition of unusable software or unenforceable contract terms with the software vendor.
For more information, refer to Section I, Chapter 2, Topic D
An external auditor has asked the internal audit function of a large air transportation company for information uncovered during the most recent compliance review by a federal transportation regulatory agency. How should internal auditing respond to this request?
A. Share the information in an effort to reduce time spent by the external auditors, which would reduce cost to the organization.
B. Refuse. Internal audit should not share such information with parties outside the organization.
C. Direct the regulatory agency to release the information to the external auditors.
D. Ask the external auditors to demonstrate a need for specific information in writing before releasing the requested details.
ANSWER: A
RATIONALE
It is appropriate for the internal audit function to share information generated through a regulatory compliance review with external auditors since it will support a more efficient external auditing process and benefit the organization.
For more information, refer to Section I, Chapter 2, Topic E
Internal auditing has been asked to help the marketing department of a health-care services company assess its performance and identify areas for improvement. Which of the following types of benchmarking would be most useful to the internal auditor in accomplishing this task?
A. Competitive
B. Internal
C. Generic
D. Functional
ANSWER: A
RATIONALE
Since there are many businesses competing to provide health-care services, it would be feasible to identify successful competitors and compare their skill sets, activities, and sophistication in process with the client activity. Functional benchmarking would use performance in another industry and might offer too many variables for easy comparison. Generic benchmarking would probably yield data that is too general. Internal benchmarking, which might compare the current marketing function with previous marketing functions in the organization, would not allow for the introduction of new ideas being tried outside the organization.
For more information, refer to Section I, Chapter 2, Topic D
What is something to be gained from a Statement on Standards for Attestation Engagements (SSAE) No. 18 engagement?
A. Service providers can speed up the audits that each of their user organizations will need to do at least every three years.
B. Service providers can take advantage of a checklist for audit of control effectiveness.
C. It allows service organizations to disclose their control activities and processes in a uniform reporting format.
D. User organizations receive an internal auditor assessment of controls.
ANSWER: C
RATIONALE
The American Institute of Certified Public Accountants (AICPA) published its Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification, to provide consolidated guidance for independent audits for certification to standards related to service providers and users of these services. SSAE 18 is widely recognized as authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. In other words, the organization contracts with an independent accounting and auditing firm to perform an audit in accordance with SSAE 18 and is able to produce the certification document for multiple parties that want assurance rather than being audited by all of them.
For more information, refer to Section I, Chapter 2, Topic C
In a recent data backup recovery drill at a data center, an internal auditor observing the test noted that the IT professional had trouble reading the labels on some older backup repositories due to fading. This required loading several repositories until the correct one was found, which took a long time because it involved doing file date checks after the version was loaded. What would be the best thing for the internal auditor to recommend?
A. Off-site storage of backup media repositories
B. Storing the backup repositories in a dark place
C. Adoption of an automatic electronic labeling system
D. Periodic replacement of the oldest backups with newer versions
ANSWER: C
RATIONALE
Using systems that automatically label a file with an internal code mitigates the risk of external labels being lost or removed or becoming unreadable through time.
For more information, refer to Section I, Chapter 2, Topic C
Having completed a thorough risk assessment process and selection of areas to audit, the internal audit activity should give first priority to which of the following engagements?
A. IT, because network software has recently been upgraded by an external consultant
B. Receivables, because they ranked highest in potential dollar loss
C. Payables, because an audit committee member has received an anonymous tip alleging that a staff member has been directing payments to fictitious accounts
D. Financial statements, because the report had a “qualified opinion” on a recent external audit report
ANSWER: C
RATIONALE
The first priority is to investigate the potential fraud in payables. A high ranking on particular measures (the large potential loss, for example) is not necessarily of highest priority if other measures of risk have been identified as significant.
For more information, refer to Section I, Chapter 2, Topic B
The internal auditor is considering performing a risk analysis as a basis for determining which areas of the organization ought to be examined. Which of the following statements is correct regarding risk analysis?
A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
B. The highest risk assessment should always be assigned to the area with the highest probability of risk occurrence.
C. The highest risk assessment should always be assigned to the area with the largest potential loss.
D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
ANSWER: A
RATIONALE
The auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence.
For more information, refer to Section I, Chapter 2, Topic B
A department asks internal audit to participate in a business process benchmarking initiative. The goal is to achieve a world-class work process and enhance customer satisfaction. Which is an appropriate activity for internal audit participation?
A. Determine how to measure the activity.
B. Identify the activity to benchmark.
C. Analyze the benchmark data and set goals and an action plan.
D. Evaluate the appropriateness of the benchmark.
ANSWER: D
RATIONALE
Effective benchmarking depends upon the care and intelligence invested in selecting the goal. A benchmark that can’t be measured and can’t be reached—or that can be reached too easily—has little or no value. Evaluating the benchmarks set by clients in the organization is a service appropriate for internal auditors to provide.
For more information, refer to Section I, Chapter 2, Topic D
Which of the following audit tests should be performed by an internal auditor who is reviewing controls over user authentication procedures?
A. Reviewing how proper separation of duties is established using access control software
B. Reviewing procedures concerning revocation of inactive users
C. Verifying password masking at public data terminals
D. Verifying provisioning protocols
ANSWER: C
RATIONALE
Password masking procedures are directed at user authentication. User authentication involves validating that the person is who he or she claims to be, which includes controls to ensure that a valid password is known only by the intended person. Methods used to establish user privileges within the access control software are concerned with user access to applications. Procedures concerning revocation of inactive users are directed at identification. Inactive users should no longer be accepted. Provisioning involves assigning a user role-appropriate access. It is a separate issue from user authentication, because it presumes that the user has been authenticated.
For more information, refer to Section I, Chapter 2, Topic C
Which of the following is a consulting rather than assurance role for internal auditors?
A. Evaluating the effectiveness of controls and managing key risks
B. Teaching management about risk and control tools and techniques
C. Designing and evaluating risk management processes
D. Assessing and reporting on risks in a reliable manner
ANSWER: B
RATIONALE
Educating management about the risk and control tools and techniques used by the internal audit activity and sharing those tools is a consulting role for internal auditors. The other items are all assurance roles.
For more information, refer to Section I, Chapter 2, Topic D
In designing a control self-assessment (CSA) workshop, which of the following elements merits the most serious attention?
A. Scheduling time for participants to review information and suggest improvements
B. Designing carefully worded yes-no questions to ensure the gathering of precise information
C. Carefully briefing management to be certain to get higher-level commitment to the process
D. Developing metrics to assess respondents’ answers to pre-workshop questionnaires
ANSWER: A
RATIONALE
All of the answers identify valid concerns, but the essence of CSA is the involvement of staff and management with a sense of ownership to be active process participants. Their knowledge and experience in the process being discussed will enhance the opportunity for agreement on process improvement.
For more information, refer to Section I, Chapter 2, Topic C
A primary benefit of internal audit budgeting is
A. to provide a tool for accountability for IT support partners, independent contractors and other service providers.
B. to demonstrate conformance with internal audit Standards and other mandatory guidance elements promulgated by The IIA.
C. to provide evidence of internal audit management effectiveness for organizational senior leadership and the external auditors.
D. to allow for early identification of conflicts or issues so that situations can be addressed by audit management in a timely manner.
ANSWER: D
RATIONALE
Some of the main benefits of internal audit budgeting are: Planning ahead, Definite objectives, Early warning system, Coordination of activities, Management awareness, and Personnel motivation. Internal audit budgeting is not an element of The IIA’s mandatory guidance. Internal audit budgeting does not provide evidence of audit management effectiveness. Internal audit budgeting is a tool for internal audit management, not outside partners.
For more information, refer to Section I, Chapter 1, Topic B
A chief audit executive (CAE) has to determine how an organization can be divided into auditable activities. Which of the following is an auditable activity?
A. Business units only
B. Procedures, systems, and accounts
C. Regulatory mandates, specific individuals, and internal controls over financial reporting (ICFR)
D. Departments only
ANSWER: B
RATIONALE
Procedures, systems, and accounts can all be auditable activities or auditable units. Business units, departments, regulatory mandates, and ICFR could also be auditable, but specific individuals would not be singled out.
For more information, refer to Section I, Chapter 2, Topic A
The chief audit executive (CAE) for a city has just completed a quarterly meeting with the audit committee. The committee has expressed a major concern it would like the audit department to examine as part of its operational audits during the next year: Is the downsizing that the city has been going through resulting in right-sizing of staff for the city? The audit committee has suggested that a review of a few areas might be appropriate and could provide some preliminary evidence in addressing the committee’s concerns. In spite of all the arguments, the CAE decides to go ahead and perform a preliminary investigation in two areas to address the audit committee’s concern. Which procedure would be appropriate in performing the preliminary investigation?
A. Interview executive management to determine whether or not criteria exist to determine the right size of departments.
B. Interview departmental managers to determine the approaches they would use to select the areas needing to be audited the most.
C. Develop a productivity ratio that can be used to gather objective information on employee morale.
D. Use risk analysis and select the two departments that would hold the largest risk of potential misstatement of account balances.
ANSWER: A
RATIONALE
If criteria exist to determine the right size of departments, this would form a baseline for the rest of the analysis. Misstatement of account balances is not the objective of the audit. More appropriately, the auditor should look for departments that have experienced large reductions in size.
For more information, refer to Section I, Chapter 2, Topic C
Internal auditors can evaluate the management function of planning (as opposed to organizing, directing, or monitoring) by determining
A. whether new standards of performance are established and disseminated when the old standards are inadequate or ineffective.
B. whether each management plan carries a means of measuring its success.
C. whether employee compensation is consistent with the organization’s specifications for compensation ranges by employee grade.
D. what managers are responsible for and what they are authorized to do.
ANSWER: B
RATIONALE
Determining whether each plan carries a means of measuring its success is one way internal auditors facilitate the management function of planning. Determining what managers are responsible for and what they are authorized to do relates to the management function of organizing. Determining whether employee compensation is consistent relates to the management function of directing. Determining whether new standards of performance are established and disseminated when the old standards are ineffective relates to the management functions of directing and monitoring.
For more information, refer to Section I, Chapter 1, Topic A
It is essential to ensure that internal audit policies and procedures are
A. aligned with The IIA’s Global Technology Audit Guides (GTAGs).
B. aligned with The IIA’s Implementation Guidance.
C. aligned with The IIA’s position paper “Three Lines of Defense.”
D. aligned with The IIA’s Code of Ethics.
ANSWER: D
RATIONALE
As noted in Standard 2040, “Policies and Procedures,” internal audit policies and procedures should be aligned with The IIA’s mandatory guidance. The Code of Ethics is included in the mandatory guidance; all others are recommended guidance (but not mandatory).
For more information, refer to Section I, Chapter 1, Topic A
Which of the following statements describes an important role that the chief audit executive (CAE) plays with regard to external auditors?
A. The CAE generally selects and provides oversight of the external auditors.
B. The CAE is responsible for ensuring that the work of internal and external auditors is carried out in a coordinated, cost-effective manner.
C. The CAE reviews results of all external financial audits and assigns audit staff to design controls to prevent recurrence of problems identified in the external audits.
D. The CAE informs the external auditors of their responsibilities in regard to the Standards and The IIA’s Code of Ethics and ensures compliance.
ANSWER: B
RATIONALE
The CAE is responsible for coordinating the work of internal and external auditors to avoid unnecessary (and costly) redundancy. The audit committee provides oversight of the external auditors, who are not responsible for abiding by the Standards and The IIA’s Code of Ethics. Designing controls, as opposed to assessing them, may compromise the internal auditor’s independence.
For more information, refer to Section I, Chapter 2, Topic E
Internal audit policies typically include guidance on
A. independence and objectivity.
B. communicating results of engagements.
C. preparing a risk-based audit plan.
D. monitoring and follow-up activities.
ANSWER: A
RATIONALE
Standard 2040, “Policies and Procedures,” specifically states that internal audit policies should include guidance on Independence and Objectivity. The other choices would be included in internal audit procedures (not policies).
For more information, refer to Section I, Chapter 1, Topic A
In which type of assurance engagement would an auditor focus on organizational targets, goals, or business objectives?
A. Quality audit engagement
B. Performance audit engagement
C. Financial audit engagement
D. Operational audit engagement
ANSWER: B
RATIONALE
In performance audit engagements, auditors focus on organizational targets, goals, or business objectives—key performance indicators (KPIs).
For more information, refer to Section I, Chapter 2, Topic C
A password is an example of
A. a data storage control.
B. a logical security control.
C. a physical security control.
D. a hazard control.
ANSWER: B
RATIONALE
Passwords are a form of a logical security control. Logical security is electronic in nature, and it is designed to achieve the same results as physical controls. Passwords are the most common means of authenticating users. They limit access to computer systems and the information stored on them.
For more information, refer to Section I, Chapter 2, Topic C
A chief audit executive (CAE) performs an internal audit staff skills and experience analysis and then maps this analysis to requirements of her proposed risk-based plan. The output of this gap analysis will enable the CAE
A. to eliminate those engagements from the plan for which the audit activity lacks the necessary skills and experience.
B. to eliminate routine testing of internal controls over financial reporting for the external auditors in favor of other priorities.
C. to communicate the impact of identified resource limitations to senior management and the board.
D. to justify an increased internal audit activity budget in order to obtain lacking skills and experience to fulfill plan requirements.
ANSWER: C
RATIONALE
Standard 2020, “Communication and Approval,” states, “The chief audit executive must also communicate the impact of resource limitations.” Eliminating engagements from the proposed risk-based plan due to lack of skills and experience is inappropriate. While the analysis may support an increased audit activity budget, the standard requires communicating the impact of resource limitations. While eliminating external audit support activities may free up resources for other audit engagements, it is inappropriate for the CAE to unilaterally make the decision to do so. Standard 2020 requires communicating the impact of resource limitations.
For more information, refer to Section I, Chapter 3, Topic A
During the course of a business process review, an internal auditor may
A. oversee the implementation of recommended controls.
B. lead a system design team.
C. provide advice on appropriate controls during system design.
D. decide which controls to select.
ANSWER: C
RATIONALE
A business process review falls in the consulting category of engagements. During a consulting engagement (as in assurance engagements), an internal auditor cannot assume management responsibilities, make decisions, or execute transactions as if he or she were part of management. Providing advice is acceptable as long as there is a clear understanding that management has responsibility for accepting or rejecting the advice. The other responsibilities would significantly impair the auditor’s future ability to objectively evaluate the system.
For more information, refer to Section I, Chapter 2, Topic D
While conducting a risk assessment, internal auditors may use a number of criteria. Which would be considered subjective rather than objective?
A. Priority ranking of organizational objectives
B. Change in size of market share
C. Market value of oil futures the organization owns
D. Productivity ranked against industry benchmarks
ANSWER: A
RATIONALE
Measures of quality and significance are inherently subjective (or qualitative). Market share, market values of regularly traded derivatives such as futures, and benchmarks are all measurable quantitatively, so they can be considered objectively. (Although the importance of achieving a benchmark or a particular percentage of market share is subjective.)
For more information, refer to Section I, Chapter 2, Topic A
Which is a characteristic typical of a consulting engagement?
A. Results require mandatory reporting to a third party.
B. The internal auditor may assist in the design of corrective actions.
C. There are typically only three parties involved.
D. The scope of the audit is at the discretion of the internal auditor.
ANSWER: B
RATIONALE
Mandatory reporting to a third party is required in assurance engagements. Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:
The person or group offering the advice—the internal auditor
The person or group seeking and receiving the advice—the engagement client
For more information, refer to Section I, Chapter 2, Topic D
Internal audit staffing and workforce planning should primarily consider
A. the necessary experience, business knowledge and skill sets to perform the annual risk-based audit plan.
B. opportunities for auditor training, coaching and leadership.
C. using external service providers for cybersecurity and other highly technical audits.
D. regulatory examiner expectations of compliance and financial reporting audit skills.
ANSWER: A
RATIONALE
As noted in Standard 1210, “Proficiency,” the internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Performing the annual audit plan is the primary responsibility of the internal audit activity. While regulatory examiner expectations, the use of external service providers and opportunities for auditor training, coaching and leadership may also be considered in workforce planning, the requirements of the annual audit plan are the predominant consideration.
For more information, refer to Section I, Chapter 1, Topic B
If a department outside of the internal audit activity is responsible for reviewing a function or process, the internal auditors should
A. reduce the scope of the audit, since the work has already been performed by the other department.
B. consider the work of the other department when assessing the function or process.
C. ignore the work of the other department and proceed with an independent audit.
D. yield the responsibility for assessing the function or process to the other department.
ANSWER: B
RATIONALE
Review and testing of the other department’s procedures may reduce necessary audit coverage of the function or process.
For more information, refer to Section I, Chapter 2, Topic E
The chief audit executive is least likely to have a primary role in
A. allocating budget audit hours among assigned staff.
B. updating the permanent files.
C. preparing the critique sheet for the audit.
D. reviewing workpapers.
ANSWER: B
RATIONALE
This is a task most likely performed by the audit staff. The others are common chief audit executive tasks.
For more information, refer to Section I, Chapter 1, Topic A
Risk assessment is a systematic process for assessing and integrating professional judgments about probable conditions and/or events. Which of the following statements correctly reflects the appropriate action for the chief audit executive (CAE) to take?
A. The CAE should generally assign audit priorities to activities with higher risks.
B. The CAE should restrict the number of sources of information used in the risk assessment process.
C. The risk assessment process should be conducted at least every three to five years.
D. Work schedule priorities should be established in order to lead the CAE in the risk assessment process.
ANSWER: A
RATIONALE
Performance Standard 2010 states, “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.”
For more information, refer to Section I, Chapter 2, Topic B
A small architectural firm is planning to remodel its offices. The project involves removing and adding walls to increase traffic flow, installation of new cubicles, and new decor. What type of contract listed is best for the firm?
A. Unit-price
B. Lump-sum
C. No-bid
D. Cost-plus
ANSWER: B
RATIONALE
Lump-sum contracts work well and are commonly used if the work required is uncomplicated and the work is completed as agreed upon. In these cases, there may be little reason for an audit of the contract.
For more information, refer to Section I, Chapter 2, Topic C
A security audit needs to evaluate risk exposures related to the organization’s governance, operations, and information systems regarding
A. the reliability and integrity of internal auditing.
B. the financial instrument investment policy.
C. job safety.
D. the safeguarding of assets.
ANSWER: D
RATIONALE
Security audits primarily focus on governance, risks, and controls related to the safeguarding of assets and the reliability and integrity of financial and operational information.
For more information, refer to Section I, Chapter 2, Topic C
To improve audit efficiency, internal auditors can rely upon the work of external auditors that is
A. conducted in accordance with The IIA’s Code of Ethics.
B. coordinated with internal audit activity.
C. performed after the internal audit engagement.
D. primarily concerned with operational objectives and activities.
ANSWER: B
RATIONALE
Coordinating internal and external audit work helps to prevent duplication in coverage, thereby improving internal audit efficiency. Internal auditing encompasses both financial and operational objectives and activities. Therefore, internal audit coverage could also be provided by external audit work, which includes primarily financial objectives and activities. External audit work is conducted in accordance with Generally Accepted Auditing Standards or other similar international standards.
For more information, refer to Section I, Chapter 2, Topic E
An audit of environmental controls, including regulatory compliance, has been concluded. Possible corrective actions are being discussed at a closing conference. The environmental manager states that funds are not available in this year’s budget to make necessary changes and repairs to the hazardous waste storage yard. The deficiencies prevent management from complying with controls established to manage waste safely and to comply with regulations. The auditor should
A. accept temporary, but clearly incomplete, corrective action in order to improve the situation.
B. agree that corrective action may be postponed until funds can be provided in the following year’s budget.
C. involve senior management in the decision.
D. insist that the changes and repairs be made, regardless of any apparent budget constraints.
ANSWER:
Two organizations agree to share data on store operations. The data reveals that three stores in company A are characterized by significantly lower gross margins, higher-than-average sales volume, and higher levels of employee bonuses. The three stores are part of a set of six that are managed by a relatively new section manager. The store managers of the three stores are also relatively new. What is the most likely cause of the observed data?
A. Promotional activities that offer large discounts coupled with the payment of commissions to employees who reach targeted sales goals
B. Fraudulent activity whereby goods are taken from the stores, thus resulting in the lower gross margins
C. Problems with employee training and employee ability to meet customer needs
D. Relative inexperience of the store managers, especially their offering bonuses that are reducing gross margins
ANSWER: A
RATIONALE
This is the one explanation that could be supported by all the data elements and would thus form a hypothesis for subsequent audit testing. For example, gross margins are lower, which means that the revenue per unit sold is less than at other stores, and this could be explained by the large discounts. (Note that the size of sales commissions would not affect the gross margin, since this is not part of the cost of goods sold.) The relative inexperience of the store managers might be a potential explanation for one store but is unlikely to occur at all three stores. Employee training might be a problem, but the data tends to contradict it. Sales are increasing, which would indicate customer satisfaction. There is not enough evidence to indicate that fraud might be present. In order for this hypothesis to hold true, there would have to be significant amounts of inventory shrinkage. This does not explain higher sales and bonuses.
For more information, refer to Section III, Chapter 2, Topic B
During an audit, which factor should the internal auditor consider more than the other options listed when determining the extent to which analytical procedures should be used?
A. Whether the area represents significant risk to objectives
B. The remaining available budget for such procedures
C. Precision with which the results of analytical audit procedures can be predicted
D. Availability of a suitable analytical procedure
ANSWER: A
RATIONALE
Analytical procedures take time and money to complete but may nevertheless be critical to audit testing. Therefore, additional procedures should be added only to areas that represent significant risk, either because they relate to achievement of objectives or because they have special qualities such as complexity or vulnerability to failure. Once an area is determined to be important to test using analytical procedures, then the other considerations can take place, but lack of budget should not be a reason to avoid a procedure that is deemed necessary and relevant.
For more information, refer to Section III, Chapter 2, Topic D
Productivity statistics are provided quarterly to the board of directors. An auditor checks the ratios and other statistics in the four most recent reports. The auditor uses scratch paper and copies of the board reports to verify the accuracy of computations and compares the data used in the computations with supporting documents. The auditor writes a note describing his work for the working papers and then discards the scratch paper and report copies. The auditor’s note states the following:
“The ratios and other statistics in the quarterly board reports were checked for the last four quarters, and appropriate supporting documents were examined. All amounts appear to be appropriate.”
Which of the following is true of this situation?
A. The auditor should have included the scratch paper in the workpapers.
B. Four quarters is not a large enough sample on which to base a conclusion.
C. The auditor’s working papers are not sufficient to facilitate an efficient review of the auditor’s work.
D. The auditor did not consider whether the information in the board report was compiled efficiently.
ANSWER: C
RATIONALE
It is not possible for a reviewer to check any of the auditor’s work without obtaining additional copies of the quarterly reports and independently checking the computations. The review would be much more efficient if the auditor had included the board reports in the working papers and had used tick marks with explanations to show which computations were checked and describe what he did to verify the amounts used in the computations.
For more information, refer to Section III, Chapter 2, Topic E
Internal audit is conducting risk assessment in engagement planning. Management has already created an assessment of risk as part of an enterprise risk management framework. The internal audit function should do which of the following related to the management assessment?
A. Avoid using the management assessment because adopting it would hinder independence and objectivity.
B. Assess the reliability of the management assessment prior to adopting it.
C. Avoid using the management assessment because its objectives differ significantly from those of an audit risk assessment.
D. Adopt the management assessment without reservations to avoid duplication of effort.
ANSWER: B
RATIONALE
Implementation Guide 2210, “Engagement Objectives,” states, “It is helpful for internal auditors to determine whether a risk assessment was performed during the engagement’s planning phase and to attain a thorough understanding of the risks of both the organization and the area or process under review. In addition, it is critical to understand the expectations of stakeholders including senior management and the board.” The internal auditor also considers the reliability of management’s acceptance of risk.
For more information, refer to Section II, Chapter 1, Topic C
As a particular audit is being planned in a high-risk area, the chief audit executive determines that the available staff does not have the requisite skills to perform the assignment. The best course of action, consistent with the Standards for audit planning, would be to
A. consider using external resources to supplement the needed knowledge, skills, and disciplines and complete the assignment.
B. use the audit as a training opportunity and let the auditors learn as the audit is performed.
C. not perform the audit since the requisite skills are not available.
D. perform the audit but limit the scope in light of the skill deficiency.
ANSWER: A
RATIONALE
Proper planning includes documented determination of resources including consideration of supplementation (Performance Standard 2230).
For more information, refer to Section II, Chapter 1, Topic E
Difference estimation sampling is appropriate to use to extrapolate the dollar error in a population if
A. virtually no differences between the individual book values and the audited values exist.
B. a number of nonproportional differences between book values and audited values exist.
C. observed differences between book values and audited values are proportional to book values.
D. subsidiary ledger book balances for some individual inventory items are unknown.
ANSWER: B
RATIONALE
There must be a sufficient number of nonproportional errors to generate a reliable sample estimate.
For more information, refer to Section III, Chapter 1, Topic C
After partially completing an internal control review of the accounts payable department, an auditor suspects that some type of fraud has occurred. To ascertain whether the fraud is present, the best approach would be to use
A. probability-proportional-to-size sampling to select a sample of vouchers processed by the department during the past year.
B. simple random sampling to select a sample of vouchers processed by the department during the past year.
C. judgmental sampling to select a sample of vouchers processed by clerks identified by the department manager as acting suspiciously.
D. discovery sampling to select a sample of vouchers processed by the department during the past year.
ANSWER: D
RATIONALE
The purpose here is to determine whether any fraud has taken place rather than to estimate its overall frequency. Discovery sampling is designed specifically to do this.
For more information, refer to Section III, Chapter 1, Topic C
Of the following, which is the most efficient source for an auditor to use to evaluate a company’s overall control system?
A. Narrative describing departmental history, activities, and forms use
B. Industry operating standards
C. Standard operating procedures
D. Flowchart
ANSWER: D
RATIONALE
Flowcharting is an efficient and comprehensive method of describing relatively complex activities, especially those involving several departments. Copies of procedures and related forms do not provide an efficient method of overviewing the processing activities. A narrative review covering the history and forms use of the department is not as efficient or comprehensive as flowcharting for communicating relevant information about controls. Industry standards do not provide a picture of existing practice for subsequent audit activity.
For more information, refer to Section III, Chapter 2, Topic C
Policies and procedures provide guidance to management and employees. An internal auditor in a multinational organization is preparing to perform an operational review of a senior management function. Should the auditor expect to find policies and procedures at this level?
A. Yes, all policies and procedures are developed by senior management.
B. No, senior management develops policies and procedures only for lower levels.
C. Yes, policies and procedures should be used throughout an organization’s ranks.
D. No, only middle managers and below develop and use policies and procedures.
ANSWER: C
RATIONALE
Ensuring that the “tone at the top” reinforces rather than undermines process-level controls is an example of a key governance control at the entity level. One good way to ensure this occurs is for senior management to develop and adhere to a set of relevant policies and procedures.
For more information, refer to Section II, Chapter 1, Topic B
The chief audit executive (CAE) is responsible for sharing information and coordinating activities with other internal and external service providers to ensure proper coverage and minimize duplication of efforts. With the exception of the external auditors responsible for auditing the organization’s financial statements, which of the following coordination activities should be limited to internal assurance and consulting providers?
A. Access to audit programs, working papers, and management letters
B. Exchange of organizational charts
C. Common understanding of audit techniques, methods, and terminology
D. Copies of regulatory reports relevant to audit engagements
ANSWER: A
RATIONALE
Reviews conducted by internal assurance and consulting providers and the external auditors responsible for auditing the organization’s financial statements typically address areas and issues that are relevant to internal auditing’s scope of work.
For more information, refer to Section I, Chapter 2, Topic E
Following a negative performance evaluation by a supervisor, a staff auditor goes to the audit director to seek a change in the evaluation. The director is familiar with the auditor’s performance and agrees with the evaluation. The director agrees to meet and discuss the situation. Which of the following is the best course of action for the director to take?
A. The director should meet privately with the employee and should tell the employee of his or her agreement with the performance evaluation, expressing interest in any additional facts the employee may wish to present.
B. The director should have the supervisor participate in the meeting so there is no misunderstanding about the facts.
C. The director should meet informally with the employee and should encourage a conversation in public by asking for the employee’s side of the issue and disclaiming any agreement with the supervisor.
D. The director should ask a human resources administrator to be present to ensure that improper statements are not made.
ANSWER: A
RATIONALE
A private conversation signals to the employee that the director is interested in what he or she has to say and will not be measuring his or her words against those of another. However, the director must establish a position and show support for the supervisor. There may be more than one valid viewpoint, but that does not necessarily mean that the employee’s viewpoint is valid.
For more information, refer to Section III, Chapter 3, Topic A
Which is the most significant risk listed for an exit conference at the end of an audit engagement?
A. The audit client has little to say about the report and duly files it away for future reference.
B. Senior management is upset about the report and makes a big deal out of it with affected middle management.
C. Just those people who attended the entrance conference attend the exit conference.
D. The audit client asks for clarification on many points and needs many misunderstandings to be resolved.
ANSWER: A
RATIONALE
Success in the exit conference phase is crucial, since audit reports are not meant to be filed with other seldom-read reference works but are intended instead to stimulate activity—or at the very least receive serious consideration.
For more information, refer to Section IV, Chapter 1, Topic E
An internal audit team completes an audit of a company’s compliance with its lease-versus-purchase policy concerning company automobiles. The audit report notes that the basis for several decisions to lease rather than purchase automobiles was not documented and is not auditable. The report contains a recommendation that operating management ensure that such lease agreements not be executed without proper documentation of the basis for the decision to lease rather than buy. The internal auditors are about to perform follow-up work on this audit report. Senior management says they have decided to accept the risk involved in failure to document the basis for lease-versus-purchase decisions involving company automobiles. In such a case, what would be the auditors’ reporting obligation?
A. The auditors should issue a follow-up report to management clearly stating the rationale for the recommendation that the basis for lease-versus-purchase decisions be properly documented.
B. The auditors have no further reporting responsibility.
C. The auditors should inform the external auditor and any responsible regulatory agency that no action has been taken on the finding in question.
D. Management’s decision and the auditors’ concern should be reported to the company’s board of directors.
ANSWER: B
RATIONALE
When senior management has assumed such risk, reporting to the board is required only for significant findings. There is no indication that the failure to document several decisions is significant enough to report to the board.
For more information, refer to Section IV, Chapter 1, Topic F
The chief audit executive (CAE) believes that the proposed organizational budget will not enable the activity to perform planned risk management projects. What action should the CAE take?
A. Plan the annual audit schedule accordingly, performing as many risk management activities as possible within the budget.
B. Go around senior management and appeal directly to the board for the necessary budget.
C. Arrange to co-fund risk management projects with other functions.
D. Use time at a board meeting to educate senior management about the process and benefits of risk management.
ANSWER: D
RATIONALE
Interpretation of Standard 2000, “Managing the Internal Audit Activity,” notes that the internal audit activity adds value to the organization when it “contributes to the effectiveness and efficiency of governance, risk management, and control processes.” The CAE can effectively fulfill this role by educating the board and senior management on the benefits of risk management to the organization.
For more information, refer to Section I, Chapter 3, Topic C
Internal auditing is conducting an assurance audit of a regional office. The audit team does not suspect fraud, but it has found significant gaps in controls that could create opportunity for fraud (for example, allowing the same individual to send invoices and receive payments) and laxity in record keeping. Some documentation of expenses is missing, but the internal auditors have obtained documentation from vendors. Furniture appears to be missing. It may have been stolen, but it is equally possible that it was discarded. The audit team has completed a report listing the various issues, explaining the potential for loss and fraud that these issues have created and citing company policies and procedures. Management of the office responds to the report via email. It says that it believes the recommendations are unwarranted, that the report questions the honesty of loyal employees, and that implementation of the recommendations would be an unnecessary waste of the office’s time. However, to satisfy concerns about invoicing and billing, the manager promises to review the paperwork weekly. What might be an appropriate time frame to schedule monitoring to evaluate management’s response to the audit recommendations?
A. The recommendations should be implemented immediately because of their significance.
B. Given the minor nature of the problems, no deadline is required. Auditing can review the situation at its next regular engagement.
C. Management should ensure that the identified problems have been addressed within a specified time frame.
D. Management should ensure an adequate response to the identified shortcomings within 30 days.
ANSWER: C
RATIONALE
The findings do not require an urgent response, although auditing will want to monitor the response within the specified time frame. Many organizations focus on 90 days, but there is no specific statement in The IIA’s Standards.
For more information, refer to Section IV, Chapter 2, Topic A
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which would be required as part of such an engagement?
A. Determining the existence of management expertise in proposed investments in sophisticated instruments
B. Determining whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations
C. Determining the nature of controls established by the board to monitor the risks in the investments
D. Determining if policies exist that describe the risks the treasurer may take and the types of instruments in which the treasurer may make investments
ANSWER: D
RATIONALE
A key control for limiting risk in investments of any sort is to have a clear policy that prohibits use of certain instruments and permits use of other instruments. Although an audit of the adequacy of controls over investments in new financial instruments might be informational, there is no need to develop a comparison of investment returns with other organizations. Indeed, financial investment scandals have shown that such comparisons can be highly misleading because high returns can be due to taking on a high level of risk. Also, this is not a test of the adequacy of the controls. Management needs to have a reasonable understanding of the types of investments allowed under their investment policies, but expertise would be more suited to be a requirement for the individual investors. Management, not the board, establishes controls.
For more information, refer to Section II, Chapter 1, Topic C
An auditor is scheduled to audit payroll controls for a company that has recently outsourced its processing to an information service bureau. What action should the auditor take, considering the outsourcing decision?
A. Review only the controls over payments to the service bureau based on the contract.
B. Cancel the engagement because the processing is being performed outside of the organization.
C. Review the controls over payroll in both the company and the service bureau.
D. Review only the company’s controls over data sent to and received from the service bureau.
ANSWER: C
RATIONALE
Controls at the service bureau and the user organization are both important to the control of the overall payroll function. Though the processing is being performed outside the organization, the external information service bureau is an extension of the organization’s information systems. In fact, the risk may be higher, since an external organization controls part of the internal control environment. Also, the recent change increases the company’s risk, as does the complexity of communicating between the organization and the service bureau.
For more information, refer to Section III, Chapter 2, Topic D
The internal auditor includes summaries in the workpapers for which of the following reasons?
A. To tie together groups of papers that bear upon a single point
B. To provide a place to state conclusions based on preceding detailed evidence
C. To conform to requirements in The IIA’s Standards and Implementation Guides
D. To use in briefing senior management in place of the entire final report
ANSWER: A
RATIONALE
Workpaper summaries can draw together information from a group of papers and focus it on one point; they are not the place to develop conclusions and recommendations, though they would include them. Senior management receives the entire final report.
For more information, refer to Section III, Chapter 2, Topic E
Which of the following procedures would provide the most relevant evidence to determine the adequacy of an allowance for doubtful accounts receivable?
A. Analyzing the allowance through an aging of receivables and an analysis of current economic data
B. Confirming the receivables
C. Analyzing the following month’s payments on the accounts receivable balances outstanding
D. Testing the controls over the write-off of accounts receivable to ensure that management approves all write-offs
ANSWER: A
RATIONALE
Aging of receivables provides direct, relevant evidence regarding the valuation of receivables and thus the allowance account.
For more information, refer to Section III, Chapter 2, Topic B
A chief audit executive (CAE) sets up a computerized spreadsheet to facilitate a risk assessment process involving a number of different divisions in the organization. The spreadsheet includes the following factors:
Pressure on divisional management to meet profit goals
Complexity of operations
Competence of divisional personnel
Dollar amount of subjectively influenced accounts in the division, such as accounts where management’s judgment can affect the expense (for example, post-retirement benefits)
The CAE uses a group meeting of audit managers to reach a consensus on the competence of divisional personnel. Other factors are assessed as high, medium, or low by either the CAE or an audit manager who has audited the division. The CAE assigns a weight ranging from 0.5 to 1.0 to each factor and then computes a composite risk score. Which of the following statements is true of this risk assessment process?
A. The weighting is subjective and should have been determined through a process such as multiple regression analysis.
B. The risk analysis would not be appropriate because it mixes both quantitative and qualitative factors, thereby making expected values calculation impossible.
C. Using a subjective group consensus to assess personnel competence is appropriate.
D. Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk assessment process because the ratings are not quantifiable.
ANSWER: C
RATIONALE
Group consensus tends to eliminate the extreme judgments that might occur with a single evaluator and would be an acceptable method. In making judgments, risk analysis should consider all appropriate factors and need not be limited to quantitative or expected value calculations. It may include weightings such as high, medium, and low. In this case, subjective analysis is acceptable. It would be difficult to use multiple regression analysis to obtain a weighted average for the risk weighting model because no criterion value exists to determine the weightings.
For more information, refer to Section II, Chapter 1, Topic C
An internal auditor is explaining the use of a risk control matrix to an assurance engagement client. The client is skeptical of the matrix’s value and believes that it will take an unreasonable amount of time to complete. Which of the following statements would be effective responses to this objection?
A. The information on the matrix helps focus attention on the conditions that pose the greatest risk to the business objectives.
B. Completing the matrix ensures that all the risks associated with each business objective will be identified and adequately addressed, including use of controls to mitigate each risk.
C. The risk control matrix helps to put an exact economic value on the risks faced by the area being audited, so the benefits will clearly outweigh the costs.
D. Completing the matrix requires little time and demonstrates commitment to the risk control philosophy.
ANSWER: A
RATIONALE
Generally, risk control matrices allow internal auditing and clients to identify risks associated with the clients’ objectives and to prioritize those risks according to probability and significance. The risk control matrix is one of the processes for validating internal controls recommended in the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Generally, a risk control matrix does not incorporate an analysis of the exact economic costs of each risk, and it cannot guarantee that all risks will necessarily be identified, nor can it guarantee what the management responses will be. And while completing the risk control matrix is a lesson in the risk control approach and demonstrates awareness of the value of this approach to an organization, it will probably require a significant time investment.
For more information, refer to Section II, Chapter 1, Topic C
An internal auditor is conducting an operational audit of the information system department. Which of the following factors would the auditor give the most weight to in evaluating the effectiveness of the department?
A. It has a robust technical staff.
B. It uses leading-edge technology.
C. Its objectives and goals are consistent with the overall objectives of its organization.
D. It is given top priority in the budgeting process.
ANSWER: C
RATIONALE
The information systems department must be aware of where the organization is going in the future in order to adequately support it.
For more information, refer to Section II, Chapter 1, Topic A
During an operations audit, the internal auditor hears testimony from several staff members that a supervisor has developed a drinking problem in recent months. This has led to erratic and sometimes abusive behavior that has seriously reduced morale and affected staff performance. After hearing the same story several times and observing telltale signs of alcoholism in the supervisor, which of the following steps should the auditor take?
A. Talk to the supervisor to get his or her side of the story.
B. Treat the matter as confidential, personal information that should not be documented in the workpapers.
C. Advise the staff members who have complained to contact human resources.
D. Report the situation to senior management and suggest appropriate steps for them to take.
ANSWER: D
RATIONALE
The auditor should let senior management know that a situation is developing in which the manager’s personal problem with drinking has affected his professional ethics, with consequences for staff morale and efficiency.
For more information, refer to Section I, Chapter 3, Topic B
Internal audit wants to assess management’s opinion about a recently completed engagement. Which of the following would be the most effective and efficient way to accomplish this?
A. Conversational interviews with key players in the engagement
B. Series of yes/no questions where yes indicates approval and no indicates dissatisfaction with a performance-related statement
C. Mostly numerical ranking statements and space for additional qualifying comments
D. Focus group designed to explore attitudes and opinions regarding specific topics
ANSWER: C
RATIONALE
Ratings, rankings, or yes/no questions (sometimes called forced-choice questions) are simple to answer and score. Open comments or questions can reveal valuable insights. When used in combination in a questionnaire format, they can reasonably assess client perceptions.
For more information, refer to Section III, Chapter 1, Topic B
Which is a statistical process control (SPC) technique that has been developed for auditing rather than being part of a set of standard SPC techniques?
A. Dollar-unit sampling
B. Continuous auditing and feedback
C. Acceptance sampling
D. Quality control charts
ANSWER: A
RATIONALE
Dollar-unit sampling is a sampling technique that has been uniquely applied to auditing. It is not used in statistical process control. Acceptance sampling is a standard statistical process control technique. Quality control charts are an integral part of TQM approaches. Continuous monitoring and frequent feedback are two of the important elements of statistical process control.
For more information, refer to Section III, Chapter 1, Topic C
Management of a company is attempting to build a reputation as a world-class manufacturer of quality products. On which of the four costs of quality should the company spend the majority of its funds?
A. External failure costs
B. Appraisal costs
C. Internal failure costs
D. Prevention costs
ANSWER: D
RATIONALE
The firm would do well to spend the bulk of its funds on prevention through better product and process design and testing, supplier evaluation and training, employee training, and preventive maintenance—that is, preventing quality breakdowns before the product is produced.
For more information, refer to Section I, Chapter 2, Topic C
Should an internal auditor include statements acknowledging satisfactory performance when communicating engagement results?
A. Yes; it may improve the client’s receptiveness to the audit findings and recommendations to address problems.
B. No; it is good practice in any engagement where notable performance exists, but satisfactory performance is by definition not noteworthy.
C. Yes; though not mandated, it demonstrates due diligence and objectivity.
D. Yes; the Standards mandate that communications should do so.
ANSWER: A
RATIONALE
Standard 2410.A2 states, “Internal auditors are encouraged to acknowledge satisfactory performance in engagement reports.” This is the only place in the Standards where the word “encouraged” is used. Whether this is done and to what extent generally correlates with client expectations and the level of notable performance. If the auditor sets a tone of fairness and objectivity, the client is much more likely to be receptive to the findings and recommendations.
For more information, refer to Section IV, Chapter 1, Topic B
Identifying and documenting that the controls that management says are in place are really in place and evaluating whether these controls are well designed are often part of which of the following steps in a risk control matrix?
A. Identify the controls.
B. Evaluate the adequacy of controls.
C. Test the effectiveness of controls.
D. Identify risks to business objectives.
ANSWER: B
RATIONALE
After identifying the controls that should be in place as part of developing a risk control matrix, the next step would be to evaluate the adequacy of controls. This step asks the question “Are the control processes for managing this risk well designed?” As part of this step, the internal auditor identifies and documents the controls that management says are in place and evaluates how well designed the controls are—if they are effective, efficient, and economical and are working the way they were designed to work. Testing the effectiveness of controls is a later step.
For more information, refer to Section II, Chapter 1, Topic C
As part of an internal audit, a benchmark must be established for the defect rate for an innovative new production process. The auditor can either use a large sample that is already available from other production processes in the same plant or draw a fresh sample from the new process. However, a fresh sample would be expensive, time-consuming, and much smaller in size. Which of the following is the best course of action for the auditor?
A. The auditor should accept this large historical sample because analyses based on it will have high statistical power.
B. The auditor should first determine how similar the new process is to the old process before deciding what to do.
C. The auditor should draw a fresh sample and combine it with the old sample.
D. The auditor should accept the historical sample but use nonparametric statistics to analyze it.
ANSWER: B
RATIONALE
The first question that should always be asked concerning the use of historical data is how representative the process that generated it is compared to the process currently under study.
For more information, refer to Section I, Chapter 2, Topic D
A new staff auditor is told to perform an audit in an area with which the auditor is not familiar. Because of time constraints, there is no supervision of the audit. The auditor is given the assignment because it represents a good learning experience, but the area is a little beyond the auditor’s competence. Nonetheless, the auditor prepares comprehensive working papers and reports the results to management. Which of the following is true of this situation?
A. The audit department violated the Standards by hiring an auditor without proficiency in the area.
B. The chief audit executive has not violated the Code of Ethics since the Code does not address supervision.
C. The audit department violated the Standards by not providing adequate supervision.
D. The Standards and the Code of Ethics were followed by the audit department.
ANSWER: C
RATIONALE
Standard 2340 interpretation indicates that the “extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement.”
For more information, refer to Section III, Chapter 3, Topic A
During a preliminary survey of the purchasing department, the internal auditor determines that there is no policy for the verification of miscellaneous cash receipts. Which of the following is an appropriate engagement objective for this purchasing audit?
A. To evaluate the accuracy of the classification of cash receipts
B. To review cash disbursement vouchers and perform attribute tests
C. To obtain information to support or disclaim indicators of fraud
D. To summarize the results of all compliance tests related to cash disbursements
ANSWER: A
RATIONALE
Audit engagement objectives answer the question “Why are we auditing this activity?” Objectives may be stated in various ways, but it should be clear what assurances the engagement will provide.
For more information, refer to Section II, Chapter 1, Topic A
During an operational audit, an auditor observes a large number of above-ground storage containers and a large amount of black emissions from a company smokestack. The organization has an environmental safety department. The audit engagement is not designed to consider environmental concerns. Which of the following would be the best course of audit action?
A. Document the observations and report them to the environmental safety department; determine if the response will be timely and follow up to determine if timely action has been taken.
B. Make a note to consider environmental risk concerns when developing the audit plan for the next year, but do not expand the scope of the existing audit since the budget and risk priorities are already set.
C. Inquire of local management as to the use of the storage tanks in order to determine if they are properly classified as an asset. Do not take action on the environmental issues, because the auditor is untrained in the area and such action is the responsibility of an already existing department.
D. Report the observations to the audit committee and seek their advice on whether the audit should be expanded for the environmental issues.
ANSWER: A
RATIONALE
The auditor cannot ignore information gathered during the course of an audit. Since environmental concerns present large risks to most organizations, the auditor should determine that the environmental safety department is aware of the concerns and is actively monitoring the potential exposure to the organization. Follow-up is necessary.
For more information, refer to Section I, Chapter 2, Topic E
In determining whether to conduct an audit of compliance with environmental regulations or a consulting engagement in the tax department, the chief audit executive should give the lowest weight to which of the following considerations?
A. The audit staff has more expertise in taxation than in environmental compliance, necessitating reliance on outside consultants for environmental audits.
B. Tax laws have recently changed in ways that may affect the organization’s very substantial write-offs.
C. In the state where the organization is headquartered, a recently elected official campaigned on a promise to go after polluters in the organization’s industry.
D. Management has expressed a desire for a tax audit.
ANSWER: A
RATIONALE
Available resources should not be a major consideration in this decision.
For more information, refer to Section I, Chapter 2, Topic B
After preliminary discussion, internal auditing and the engagement client decide that one audit objective should be to map the customer service process used in the organization’s various customer service centers, identify variances in implementation of the process by center, and suggest ways in which the process might be improved. The most useful tool to gather information that will support this objective is
A. an internal control questionnaire.
B. a deployment flowchart.
C. a narrative description of the process.
D. a focus group interview.
ANSWER: A
RATIONALE
An internal control questionnaire (ICQ) can break a process down into its components, assess whether specific steps were performed, and allow for observations that might yield information about difficulties or inefficiencies at each step. The ICQ could help to provide information from each customer service center that could be used to identify different practices for improvement. A deployment flowchart is prescriptive rather than descriptive. A narrative description might establish the process but not necessarily variances or reasons for gaps. An interview might be used to establish the process and gather feedback on ways to improve it, but data based on observation is inherently more reliable than reported data.
For more information, refer to Section III, Chapter 1, Topic B