Domain IV - Consulting role of the Internal Auditor Flashcards

1
Q

Which of the following statements about the differences between the assurance and the
consulting roles of the internal auditor are correct?
I. Internal audit’s involvement in a consulting engagement is generally at the request of
management.
II. During consulting engagements, internal audit is able to implement improvements in ERM.
III. During consulting engagements, internal audit can only recommend improvements, and
management is free to accept or reject the proposals.
IV. Unlike assurance activities, consulting does not have to be defined in the internal audit charter.
a. I and II.
b. I and III.
c. II and IV.
d. III and IV.

A

Solution: b (I and III)
I. Correct. This is a key difference.
II. Incorrect. Implementing improvements is management’s responsibility.
III. Correct. This is a key difference.
IV. Incorrect. Both assurance and consulting engagements must be defined in the internal audit
charter.

2
Q

Internal audit uncovered significant cost overruns plaguing a high-visibility contract to
modernize a federal agency’s IT systems. The CAE directed that the CIO rework each element
of the contract into performance-based work orders, a collaborative, cross-functional
procurement approach with which the agency is not familiar. Which of the following
statements is correct?
a. Due to the conflict of interest safeguard, the CIO cannot request training or coaching assistance
from internal audit for 12 months following the audit.
b. Management should follow internal audit’s directive regarding the level of resources to be
allocated to mitigating procurement risk.
c. Management should seek training to ensure that the new work orders establish vendor
responsibilities consistent with internal audit’s revised procurement risk appetite.
d. If internal audit provides training and facilitates collaborative work sessions among government
and vendor parties, it must wait at least 12 months before it may give assurance on any part of
the resulting framework for which it was responsible.

A

Solution: d
a. Incorrect. Internal audit can provide training or coaching in an area that it had previously
audited. The opposite is not true, however. Internal audit cannot audit an area in which it
provided advisory services within the previous 12 months.
b. Incorrect. Internal audit should never make final decisions regarding resource allocation to
control or mitigate risk.
c. Incorrect. Internal audit should never establish risk appetite.
d. Correct. This is an essential safeguard to ensure that the internal audit activity and risk
management responsibility remain separate.

3
Q

Which of the following statements is/are true about the similarities and differences between
assurance and consulting engagements regarding risk assessment processes?
I. The nature and number of parties are the same for both.
II. Assurance engagements are generally delivered when everything needed is in place, whereas
consulting engagements are more likely performed where there are no processes, or the
processes are new or incomplete.
III. If needed skills are not available for assurance, they must be obtained to deliver the engagement,
but consulting may need to be declined if skills are absent and not obtained.
IV. Either type must be based on risk assessment and take into consideration error, fraud, and
noncompliance.
a. I, III, and IV.
b. II and III.
c. II, III, and IV.
d. II only.

A

Solution: b
a. Incorrect. Assurance engagements have three main parties—internal auditor, owner of activities,
and recipient of assurance; consulting engagements have two main parties—internal auditor and
recipient (client) of the advice.
b. Correct. This statement about differences is correct.
c. Incorrect. I and II are correct. IV is a true statement for assurance engagements but not for
consulting.
d. Incorrect. This statement is true about assurance but not consulting.

4
Q

Which of the following requirements in IIA guidance is least related to assuring objectivity
and independence in performing consulting engagements?
I. Governance, risk management, and control processes may be included in the scope of consulting
engagements but must be included in assurance engagements.
II. Auditors must disclose potential impairments to objectivity before accepting proposed
engagements.
III. Consulting engagements should not be accepted simply because management made a request.
IV. Internal auditors may consider general observations (even if not part of a specific engagement)
from consulting in developing audit plans.
a. I and IV.
b. I only.
c. IV only.
d. I, II, and III.

A

Solution: a (I and IV)
I. Correct. This is true about consulting engagements but not directly related to objectivity.
II. Incorrect. This statement is clearly related to objectivity and independence.
III. Incorrect. Auditors should not perform consulting without considering whether the engagement aligns with organizational objectives—a potential threat to independence.
IV. Correct. This is true and not a threat to objectivity or independence.

5
Q

An internal auditor following The IIA’s International Standards for the Professional Practice of
Internal Auditing (Standards) should be familiar with the definition and nature of consulting
and assurance, how the two categories may be interrelated, and possible subcategories
within each category. With which of the following statement(s) would you agree?
I. Consulting engagements have subcategories of formal, informal, special, or emergency.
Assurance can have various subcategories.
II. The two categories are distinct and cannot be “blended.”
III. An assurance engagement should not be performed to circumvent a consulting engagement.
IV. In either category, when laws and/or regulations prohibit following certain standards, auditors
need to comply without explanation.
a. I, III, and IV.
b. I, II, and III.
c. I, II, III, and IV.
d. I only.

A

Solution: a (I, III, and IV)
I. Correct. See The IIA’s CIA Learning System for these four common consulting categories, and
other IIA guidance and literature for multiple assurance categories.
II. Incorrect. Components of one audit can be a “mix” of the two categories.
III. Correct. The reverse of this is the case, i.e., consulting should not be used to circumvent
assurance engagements.
IV. Correct. If this is the case, a disclosure is required.

6
Q

While assurance and consulting engagements have common features, there are significant
differences. All of the following are true about comparisons except:
a. The internal auditors should not take on a consulting role separately from the delivery of
assurance.
b. The extent of consulting should be coequal with assurance.
c. Internal auditors must incorporate knowledge of risks gained from consulting engagements into
evaluating risk management processes.
d. Internal auditors should incorporate knowledge of controls gained from consulting engagements
into evaluating control processes.

A

Solution: b
a. Incorrect. This could lead to a conflict of interest.
b. Correct. The primary value of internal auditing comes from delivery of assurance. There should
not be an “even split” between the two.
c. Incorrect. See IIA Standard 2120.C2.
d. Incorrect. See IIA Standard 2130.C1.

7
Q

A company wants internal audit advisory services to help it identify and evaluate the risks
associated with entering into a new market. What statement about internal audit’s advisory
qualifications and roles is incorrect?
a. As experts in facilitation and risk management identification and evaluation, internal audit should determine the requirements of the advisory engagement.
b. Internal audit’s knowledge of the risk management maturity of the client organization can help
to determine the appropriate risk identification and evaluation techniques and benchmarks to
be used.
c. Internal audit is well positioned to identify who should attend and what resources are needed to
conduct sufficient risk identification exercises.
d. Internal audit can teach clients strengths, weaknesses, opportunities, and threats (SWOT)
analysis and other competitive analysis techniques.

A

Solution: a
a. Correct. The auditors should work jointly with management to determine the requirements of
the engagement.
b. Incorrect. This knowledge is a great asset that internal audit can contribute in an advisory
capacity.
c. Incorrect. These are also key benefits to having internal audit act in an advisory capacity. Note,
however, that internal audit can only make informed suggestions and cannot dictate the level of
participation or the level of resources dedicated to an engagement.
d. Incorrect. Internal audit can teach the client competitive analysis techniques without imposing
on management’s responsibility to determine strategic direction.

8
Q

A home appliances manufacturer is considering adding web-enabled technology into its
products. The CEO asks the CAE to undertake a month-long consulting engagement to identify
and evaluate the risks of adopting this product development change. Which of the following
statements is true regarding the involvement of the CAE in the consulting engagement?
a. The CAE must determine if there is sufficient expertise in internal audit to conduct the
engagement on its own. If not, he or she should hire additional consultants to augment internal
audit’s skill set.
b. The CAE should ensure that the objectives, scope, and approach of the consulting engagement
are achievable within a month.
c. The CAE must determine if the scope of the engagement is sufficient to achieve the desired
objectives before committing to the task.
d. The CAE is ultimately responsible for the objectives and scope of the engagement.

A

Solution: c
a. Incorrect. While the CAE should determine if internal audit has the appropriate skill set and
available labor, management (not the CAE) should decide whether to hire external consultants.
b. Incorrect. Objectives, scope, and approach of the consulting engagement should be agreed upon
between the client and the internal auditor.
c. Correct. The auditor must ensure that the scope of the engagement is sufficient to address
agreed-upon objectives. If the scope is insufficient, internal audit must discuss its reservations
with the client to determine whether to proceed with the engagement. If the client and the CAE
cannot reach an acceptable compromise, the CAE should decline the engagement.
d. Incorrect. The client is ultimately responsible for the objectives and scope of engagement.

9
Q

Which of the following is not a key activity that internal audit can engage in facilitating risk
identification and evaluation with a management group?
a. Asking the group to spontaneously come up with any risks that may exist.
b. Distributing a set of questions in advance to draw input from the group anonymously.
c. Gathering data from other industry groups or from leading metrics.
d. Creating a risk checklist and distributing it to the group members for ranking.

A

Solution: d
a. Incorrect. This is a brainstorming activity and is common for facilitating risk identification.
b. Incorrect. Sending out questions or a survey in advance helps build a risk universe to be
discussed in follow-up facilitation of risk identification.
c. Incorrect. Benchmarking in a firm’s industry is a valuable source of information for identifying
risks.
d. Correct. Internal audit should not be telling management what the risks are.

10
Q

Which of the following statements correctly describes why internal auditors are well
positioned to coach management on responding to risk?
a. Internal auditors are accustomed to dealing with confidential matters and thus provide a safe
environment in which a client can talk about all matters of concern without fear of
repercussion.
b. Internal audit may have been responsible for identifying that management’s current response to
risk is an area of weakness within the risk management framework.
c. Internal audit has the appropriate experience and skill set in governance and risk management
to teach management about the areas in ERM that are not working and need improvement.
d. Internal audit’s analytical training and audit experience enable it to find solutions for weak
systems or controls.

A

Solution: b
a. Incorrect. While clients should be able to talk freely with internal audit without worrying that
conversations will be reported up the chain of command, if significant control weaknesses or
potential wrongdoing are identified, the client should not have an expectation of confidentiality.
b. Correct. Furthermore, it is not a conflict of interest for auditors who identified a material
weakness in risk management to coach management in ways to redress the weakness.
c. Incorrect. When internal audit is in a coaching rather than a training situation, it does not tell
management what is wrong and needs improvement, but it does help management identify the
areas that need improvement and the goals needed to get there.
d. Incorrect. Coaching should not be seen as a way to fix a problem but as a process of helping
others develop through personal growth and discovery. Coaching contributes to “a culture of
continuous improvement and increasing risk management maturity.”

11
Q

Consider the following potential consulting roles for internal audit to improve management’s
capability to respond effectively to risk. Which of the following would an internal auditor
most likely suggest in each of the following situations?
I. The deputy CRO is being groomed to replace the CRO when he retires in six months.
II. An employee will be reassigned to a role in the CRO’s office with a new added responsibility of
developing event inventories.
III. All employees, some with more significant roles than others, will be introduced to a new
regulatory ERM with new terms and procedures.
IV. The CAE is asked to temporarily assign an internal auditor to prepare the management report on
risk.
Choose from the following: Coaching, Training, Mentoring, Other
a. Training for I, Coaching for II, Mentoring for III, and no role for IV.
b. Coaching for I, Mentoring for II, Other for III, and Training for IV.
c. Coaching for I, Mentoring for II, Training for III, and no role for IV.
d. Mentoring for I, Coaching for II, Training for III, and Other for IV.

A

Solution: c
a. Incorrect. Training is not the most appropriate for I, nor is Mentoring for III.
b. Incorrect. The choices for III and IV are not the most appropriate, and none of the three roles
are appropriate for IV.
c. Correct. All choices are likely the most effective and appropriate for the situation.
d. Incorrect. The only effective and appropriate choice here is Training for III.

12
Q

One event demonstrates the negative impact of ignoring the likelihood and impact of risks. A
state internal auditor identified the lack of an effective system to identify and treat mentally
ill citizens. The state auditor recommended (twice) that a corrective system be in place to
ensure timely, effective responses. Two years later, after no state action, an untreated
mentally ill person committed two murders. Which of the following actions by the CAE would
most likely have avoided this?
a. Early discussion with management of a potential consulting engagement to facilitate
implementation of the auditors’ recommendations.
b. The CAE’s offer to allow the auditor who performed the review to join management temporarily
to implement the revised system.
c. Lobbying the legislative branch to enact a law for corrective action.
d. The internal audit activity did all it could, and the CAE has no further requirement.

A

Solution: a
a. Correct. Consulting seems the most practical action because two assurance engagements had
already led to relevant recommendations, the risks were great, and action was not taken.
b. Incorrect. Standards do not permit the auditor to assume a management role.
c. Incorrect. This approach would usually be seen as beyond the role of the internal audit function.
In addition, enacting legislation is often a very slow process.
d. Incorrect. This would not be seen as “adding value.” A nonchalant attitude, if discovered, could
harm internal audit’s reputation.

13
Q

Internal audit is sometimes asked to coach management, as a whole or individually, on how
to respond to risks. Which of the following is a legitimate expectation of coaching?
a. It should be seen as a way to fix a problem.
b. A program of training in risk-related matters may require coaching to ensure full benefits are
realized.
c. It tells management what is wrong and what needs improvement.
d. Its focus is primarily on getting someone through a challenging period.

A

Solution: b
a. Incorrect. Coaching contributes to a culture of continuous improvement and increasing risk management maturity.
b. Correct. This is a situation that is likely to have the most appeal for providing coaching.
c. Incorrect. Identifying what is wrong and what needs improvement is an expectation of a
training session.
d. Incorrect. Its primary focus is equipping him or her for continued success in the future.

14
Q

Which of the following “audits” is least likely to be performed by internal auditors solely as
consulting, rather than an assurance or “blended” category?
a. Business process mapping.
b. Financial statement.
c. Systems development review.
d. Control self-assessment.

A

Solution: b
a. Incorrect. Internal auditors are often involved as consultants.
b. Correct. The objective is assessing the fairness/reliability of financial statement information, and
approaches are structured. Also, external auditors are often extensively involved.
c. Incorrect. Internal auditors are often involved as consultants and must avoid making
management decisions.
d. Incorrect. The IIA states that the range of involvement by internal auditors is from intense
(maybe assurance) to minimal (likely consulting).

15
Q

Two audit categories identified by The IIA are operational and performance. These two
categories have some similarities. However, which of the following statements describe how
the characteristics of these two categories differ?
a. Operational audits focus on economy and efficiency, while performance audits focus on whether
key performance indicators (KPIs) are being achieved.
b. Performance audits cannot be consulting engagements, whereas operational audits can be either
assurance or consulting engagements.
c. Both categories place equal emphasis on evaluating the specific indicators on how well
objectives are being achieved.
d. The stakeholders are likely to include external parties for both categories of audit.

A

Solution: a
a. Correct. By definition, this is correct.
b. Incorrect. In performance audits, for example, a consulting engagement can advise management
on whether the measures in use are appropriate.
c. Incorrect. This is true of performance audits, but operational audits have a broader focus (e.g.,
overall effectiveness, continuous improvement, etc.).
d. Incorrect. Certain stakeholders (e.g., the board and management) would be interested in both
categories, but it is likely that external stakeholders would be interested in the results of
performance audits.

16
Q

A business in a highly regulated sector discovers it has different practices and language for identifying, evaluating, monitoring, and responding to and reporting on risks. Which of the
following is not an appropriate advisory role for internal audit?
a. Reviewing all internal and external sources of assurance (management, external auditors, health
and safety inspectors, and compliance officers) to ensure that there are no significant gaps and
no unnecessary overlaps and duplications.
b. Making recommendations to management about training and coaching needs to achieve
standardized approaches to risk management.
c. Determining the holistic risk management framework to be used across the enterprise.
d. Having discussions with risk owners and other stakeholders to challenge risk identification and
evaluation.

A

Solution: c
a. Incorrect.
b. Incorrect.
c. Correct. While internal audit is often fluent in the spectrum of standards and the operations of
the enterprise, establishing effective enterprise-wide risk management is one of the principal
responsibilities of management and the board. Internal audit can advise management of
available options but not dictate the best approach to risk management that meets the needs of
the organization and reflects its size, culture, goals, and capabilities.
d. Incorrect.

17
Q

Regarding the internal auditor’s role in coordination of risk management activities, which of
the following four statements are true?
I. The move to ERM has brought a greater degree of centralized control and coordination and,
coincidentally, likely more requests from management for advisory help from the auditors.
II. Internal auditors are not allowed to deliver assurance on operations for which they had
responsibility, including risk management.
III. Internal auditors, in an advisory capacity, seek to ensure common use of terminology used in the
risk management process.
IV. In the coordinating role, internal auditors are in a good position to identify training needs of
employees throughout the organization.
a. I only.
b. II only.
c. I, II, and III.
d. I, II, III, and IV.

A

Solution: d
a. Incorrect.
b. Incorrect.
c. Incorrect.
d. Correct. All four options are true about coordination.

18
Q

An organization needs reports in order to monitor risk events as well as the ongoing risk
management plan. What would be the appropriate consolidation of reports by a CAE?
a. Significant events should be reported immediately, periodic written reports should cover key
risk indicators on a scheduled basis, and the ERM plan should be reported during periodic
presentations.
b. Significant events should be reported on a scheduled basis and periodic written reports and presentations should cover only risks that require immediate attention.
c. The CAE only needs to report to the board at meetings at intervals, while the risk owners need
to report risk events more frequently.
d. The risk owners should report every risk event timely, and the CAE is responsible for ensuring
that risk owners communicate their risks.

A

Solution: a
a. Correct. Events that have a major impact need to be escalated immediately; monthly or
quarterly reports should cover risks needing attention; and periodic presentations can be timed
with board meetings to cover non-critical changes to risk profile and risk indicators.
b. Incorrect. Significant events should be escalated immediately, not just at scheduled or periodic
intervals.
c. Incorrect. The CAE should consolidate the risk owners’ reports and ensure that they are rolled
into periodic written reports or presentations, or when significant, escalated.
d. Incorrect. The CAE does not ensure that risk owners communicate their risks but should take the
role of consolidating the risk owners’ reports.

19
Q

TLKT international has set its risk tolerance levels for customer returns of its handheld tools
at 16%. The internal auditor notices a lag indicator in the inventory reports from the
warehouse. The warehouse is restocking handheld tools at a 24% increase since the same
period last year. What would be the appropriate action for the internal auditor to take to
make management aware of this indicator?
a. The internal auditor needs to disclose the risk tolerance disruption to the external stakeholders.
b. An outlier to risk tolerance is significant enough to be reported immediately, and the internal
auditor should make the board aware.
c. The lag indicator should coordinate with risk owners to deliver status updates to the appropriate
level of authority and determine if escalation is needed.
d. The internal auditor should do some research on the external environment to determine if the
lag indicator needs to be reported.

A

Solution: c
a. Incorrect. Reporting lag indicators should first be coordinated with internal reporting.
b. Incorrect. Outliers to risk tolerance may have to be escalated at times, but the internal auditor
should coordinate with risk owners to find out what levels of reporting exist and how risk
events are communicated.
c. Correct. When risk events threaten to disrupt operations, the internal auditor should determine
the system for reporting that already exists.
d. Incorrect. It is important to understand the external environment, but the role of the internal
auditor is to coordinate any research and reporting that t

20
Q

While a successful risk management strategy can and should involve a wide range of internal
and external parties, some of these parties have special roles and responsibilities. In this
regard, which of the following responsibilities is correct?
a. High-level influence to ensure ERM is managed at an acceptable level is a responsibility of the
operations team.
b. Facilitation of risk management reporting protocol is the responsibility of the CRO.
c. Implementing ERM in a coordinated, consistent manner is the responsibility of the board.
d. Risk management is never to be outsourced to external service providers.

A

Solution: b
a. Incorrect. The board has high-level influence, not the operations team.
b. Correct. This option is consistent with IIA guidance. Note that risk management cannot be
delegated.
c. Incorrect. The CEO has to ensure implementation in a coordinated, consistent manner.
d. Incorrect. Risk management may be outsourced as needed under the direction of the board.

21
Q

Which of the following is an inappropriate trigger for internal audit to perform consulting?
a. An organization enters into a new market or activity.
b. Management wants to progress further along the risk maturity spectrum.
c. Management performs a PESTEL (P-Political; E-Economic; S-Social; T-Technological; E-Environmental;
L-Legal) analysis and identifies new external risks.
d. A key risk management player leaves the organization and management wants to save time and
money by having the internal auditor fill the second line of defense role via consulting.

A

Solution: d
a. Incorrect. This is a legitimate reason that organizations request internal audit advisory services.
b. Incorrect. This is a legitimate reason that organizations request internal audit advisory services.
c. Incorrect. This is a legitimate reason that organizations request internal audit advisory services.
d. Correct. To maintain independence, internal audit should not assume responsibility for
managing risk. Therefore, any internal audit consulting role in the second line of defense should
only be an interim solution for a fixed time period.

22
Q

Which of the following are true statements about the appropriate advisory activities for
internal audit?
I. Internal audit has a legitimate role in establishing risk responses.
II. Internal audit has a legitimate role in maintaining or developing the risk management
framework.
III. Internal audit can play an advisory role in organizational governance.
IV. To maintain its objectivity, internal audit should not support risk management champions or
good practices from other sections of the organization.
a. II and III.
b. I, II, and III.
c. I and III.
d. II and IV.

A

Solution: a (II and III)
I. Incorrect. See the IIA “Fan.” Internal auditors can promote risk responses but not establish them.
II. Correct. As long as stringent safeguards are in place and everyone understands that the
managing risk is the responsibility of management, internal audit can provide consulting to help
the organization improve its risk management.
III. Correct. The governing body needs independent assurance and consultative services of internal
audit with respect to governance. Standard 2100 states that internal audit must contribute to the
improvement of governance.
IV. Incorrect. These are key ways that internal audit can promote risk management and move the
organization forward in the maturity of its risk management processes. Internal audit does not
compromise its objectivity by highlighting better practices in risk management, even if the
practitioners are from the same organization.

23
Q

Federal agency X has determined its appetite for different types of risk across the
organization. The agency also accounts for both upside and downside risk in its planning and
develops strategic solutions to risks based on the interests of its multiple stakeholders. Based
on this information, Pickett would consider agency X to be in which phase of developing its
risk management framework?
a. Phase 1.
b. Phase 2.
c. Phase 3.
d. Phase 4.

A

Solution: c
a. Incorrect. An organization in Phase 1 views risks as threats to achieving its goals without
proactive measures to identify or address risk.
b. Incorrect. Agency X has defined risk appetite, which is not achieved until Phase 3.
c. Correct. Agency X has satisfied the conditions of Phases 2 and 3.
d. Incorrect. There is no evidence that agency X integrates risk management in its operations.

24
Q

The risk profile of an organization includes compliance with regulatory requirements as its
highest-ranking risk. The CAE reviews the risk management plans for a lag indicator of
regulatory compliance and notices that management has neglected to implement remedial
plans after several complaints about a wage and payroll matter. In light of the KRI, what is
the best way for the CAE to communicate to management?
a. The CAE must bring the matter to the attention of the board because of the high risk ranking of
this risk indicator, in accordance with IIA Standards.
b. The CAE must engage in an assurance audit to determine if management is at risk of failure to
comply.
c. The CAE does not have to take any action because management is in charge of risk management
for the organization.
d. The CAE should try to convince management to implement appropriate remedial or contingency
plans.

A

Solution: a
a. Correct. When the level of risk that management has accepted is deemed unacceptable by the
CAE, the CAE must communicate his or her observations to the board.
b. Incorrect. The information given indicates that the risk of noncompliance is deemed high
already, so an additional assurance audit will not be an effective action by the CAE. The CAE
must address management’s current risk response with the board.
c. Incorrect. The CAE is responsible for reviewing risk management activities of its organization
and reporting exceptions to the board.
d. Incorrect. Option a is better.

25
Q

What is the least effective step in a successful risk management advocacy project plan?
a. Identifying the target audiences for advocacy.
b. Demonstrating the value of integrating risk management into routine activities related to
finance, procurement, and IT and advocating to extend that methodology to other departments
and activities in an organization.
c. Reviewing the resources that can be applied to advocating risk management.
d. Setting and monitoring KPIs to assess the impact of advocacy.

A

Solution: b
a. Incorrect. Advocacy is the art of inspiring others to take action. Therefore, advocacy is improved
by tailoring messaging to each audience or set of stakeholders.
b. Correct. To be the best advocate for risk management, internal audit must move beyond reliance on traditional (finance, procurement, IT) internal controls and risk responses. Internal audit
should strive to be conversant with and advocate the most current best practice developments in
risk management across the enterprise, including traditional and nontraditional activities.
c. Incorrect. Planning an advocacy project, like any other project, requires an understanding of the
time and money available to advocate for risk management.
d. Incorrect. Establishing and monitoring progress against KPIs is critically important to
understanding and communicating progress made as a result of the advocacy initiative.

26
Q

When an internal auditor’s report highlights risks for a client in a new line of business and
makes recommendations beyond the mechanical level of formal systems, such as the client’s
project planning system in new business lines, what is the benefit to the client with regard to
risk management?
a. The client will have an advantage over its customers in entering the new line of business
because of the additional recommendations.
b. The client can rely on the auditor to act as the risk officer for its company.
c. Promotion of risk responses that go beyond the prescribed areas of responses can create
valuable risk management activity for the client.
d. The internal auditor’s report will save the client money in future audits by considering uncertain
risks rather than favored risk responses.

A

Solution: c
a. Incorrect. There is not enough information in risk identification alone for the client to gain
advantages in market entry.
b. Incorrect. While the internal auditor needs to advocate for risk management, there would need
to be clear delineation of his or her role in an advisory capacity.
c. Correct. When the internal auditor provides responses based on uncertain risk factors rather
than specific risks, he or she advocates for more robust risk management.
d. Incorrect. There is not enough information to make a direct correlation between an audit report
that highlights uncertain risk responses and the need for or cost of future audits.

27
Q

The CAE of Yolo, Inc. has taken a strategic position that a disciplined risk management
culture would benefit her organization. To advocate for the establishment of risk
management, what are some of the steps that she can take?
I. Stakeholder analysis.
II. Develop key messages.
III. Select a framework.
IV. Set targets and KPIs.
a. I, II, and III.
b. I, III, and IV.
c. II, III, and IV.
d. I, II, and IV.

A

Solution: d (I, II, and IV)
I. Correct. Determining who should be involved and what their respective interests and needs are
is critical in getting support from the stakeholders.
II. Correct. As part of the timeline to advocate for risk management, a well-thought-out
communication plan that includes what and to whom messages should be broadcast is critical.
III. Incorrect. Selecting a framework is a key element after a disciplined risk management culture
and project plan is developed and initiated.
IV. Correct. As is true of any project, establishing metrics and performance indicators will help
advocate for risk management in order to build confidence in its value.

28
Q

“To Facilitate Communication of Risks Across all Stakeholders and Risk Owners in Order to
Reduce Silos and Increase Disciplined Risk Management” is an example of which of the
following in building a risk management strategy?
a. Rationale and principles.
b. Role and purpose.
c. Risk policies.
d. Action plan.

A

Solution: b
a. Incorrect. Rationale and principles are needed after the role and purpose is documented; this is
when the risk management strategy is clearly aligned to the needs of the organization.
b. Correct. Creation of a mission statement for risk management will support the board’s overall
objectives of supporting organization effectiveness.
c. Incorrect. Policies are the details by which a risk management strategy will be guided and
measured.
d. Incorrect. An action plan is one of the last steps needed in developing a risk management
strategy. It describes the detailed steps for execution.

29
Q

Which of the following is not a role that internal audit can perform when supporting an
organization in developing its risk management strategy?
a. Consult with management and the board to clarify the objectives of the risk management
strategy.
b. Identify key standards and frameworks that management could consider in implementation of
the risk management strategy.
c. Conduct a gap analysis to help management identify the areas that the board and management
will need to enhance and execute to achieve the desired risk management strategy.
d. Impose risk management processes that must be implemented.

A

Solution: d
a. Incorrect. Consulting engagements are an acceptable role of internal audit to gather information
that management can use in its risk management strategy development.
b. Incorrect. Internal audit has the knowledge and understands the recognized standards and
guidance that may be best for the organization’s unique structure, values, and objectives.
c. Incorrect. Before the execution of a risk management strategy, internal audit can facilitate a gap
analysis to determine where the organization’s position in risk management maturity currently
is and identify where it needs to grow.
d. Correct. Internal audit cannot impose risk management processes; this is the responsibility of
the board and management.

30
Q

In a systems development life cycle review, consulting engagements could be involved in several places. The internal auditor’s focus will vary depending on which of four broad phases of development is involved. Which one of the four phases is correctly matched with the auditor’s focus?

a. Systems Analysis (SA) - Ensure controls are included in the design
b. Systems design/selection (SD) - Ensure objectives/acceptance criteria are met
c. Conversion/implementation (C/I) - Ensure there are economical operations
d. Post-project design/acquisition (PD/A) - Review for continuous improvements and/or process in general

A

Solution: d

a. Incorrect. SA focus is to evaluate feasibility, not to ensure controls are included in the design.
b. Incorrect. SD focus is to ensure controls are included in the design, not to meet criteria.
c. Incorrect. C/I focus is to assure that project objectives and acceptance criteria are met.
d. Correct. This is the correct audit focus in the post-project design/acquisition phase.