Essentials: Foundations Flashcards

Section A - Foundations

1
Q

Accepting the concept that internal auditing should be an integral part of an organization can involve a major change of attitude on the part of top management. Which of the following would be the best way for internal auditors to convince management regarding the need for and benefits of internal auditing?

A) Involving top management in deciding which audit findings will be reported
B) Negotiating with top management to provide them with rewards, such as favourable audits
C) Persuading top managers to accept the idea of internal audits by contacting company shareholders and regulatory agencies
D) Educating top managers about the benefits of internal auditing and communicating with them on a regular basis

A

Educating top managers about the benefits of internal auditing and communicating with them on a regular basis

Rationale
Education and communication, although time-consuming, are the only way to achieve long-term results.

2
Q

Which is a quality of the internal audit charter?

A) Provides a basis for evaluating the internal audit activity
B) Specifies the minimum resources needed for the internal audit activity
C) Defines the chief audit executive (CAE) in the organizational structure at the same level as the chief executive officer (CEO)
D) Must be approved by the board only

A

Provides a basis for evaluating the internal audit activity

Rationale
The internal audit charter sets a benchmark against which the internal audit activity can be measured. The charter does not specify the minimum resources needed for an activity; the internal audit manual and the annual audit plan help in determining resource requirements. The CAE is not at the same level as the CEO. The charter must be approved by the board and senior management.

3
Q

Which is a characteristic typical of a consulting engagement?

A) There are typically only three parties involved.
B) The scope of the audit is at the discretion of the internal auditor.
C) The internal auditor may assist in the design of corrective actions.
D) Results require mandatory reporting to a third party.

A

The internal auditor may assist in the design of corrective actions.

Rationale
In a consulting engagement, the internal auditor may assist in the design of corrective actions. Mandatory reporting to a third party is required in assurance engagements. Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties:

  • The person or group offering the advice—the internal auditor
  • The person or group seeking and receiving the advice—the engagement client
4
Q

During an audit of the manufacturing division of a defense contractor, the auditor comes across a scheme that looks like the company is inappropriately adding costs to a cost-plus government contract. The auditor discusses the matter with senior management, which suggests that the auditor seek an opinion from legal counsel. The auditor does so, and, upon review of the government contract, legal counsel indicates that the practice is questionable but offers the opinion that it is not technically in violation of the contract. Based on legal counsel’s decision, the auditor decides to omit any discussion of the practice in the formal audit report that goes to management and the audit committee. She does, however, informally communicate legal counsel’s decision to management. Has the auditor violated The IIA’s Code of Ethics?

A) Yes. It is a violation because all important information, even if resolved, should be reported to the audit committee.
B) No. The auditor has followed up on the matter with appropriate personnel in the organization and has reached a conclusion that no fraud is involved.
C) No. If a fraud is suspected, it should be resolved at the divisional level where it is taking place.
D) Yes. Internal legal counsel’s opinion is not sufficient. The auditor should have sought advice from outside legal counsel.

A

No. The auditor has followed up on the matter with appropriate personnel in the organization and has reached a conclusion that no fraud is involved.

Rationale
Although an argument can be made that it would be common sense to bring the issue to both the audit committee and management, there is no evidence that the auditor is deliberately withholding information. Therefore, there is no violation of the Code of Ethics.

5
Q

Which of the following is an element of authority that should be included in the internal audit activity’s charter?

A) Samples of the types of disclosures that should be made to the audit committee
B) Identification of the organizational units in which engagements are to be performed
C) Access to records, personnel, and physical properties relevant to the performance of engagements
D) Access to the external auditors’ engagement records

A

Access to records, personnel, and physical properties relevant to the performance of engagements

Rationale
Internal auditors need a clear mandate that provides the authority they need and supports their independence and objectivity if they are to deliver value in an organization. This authority is confirmed in the internal audit charter, which “establishes the internal audit activity’s position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities” (IPPF glossary).

6
Q

The operating manager of a department requests the chief audit executive (CAE) to perform a consulting review of industrial escalator maintenance at the plant. The manager wants the CAE to identify best practices in similar industries. The CAE also wants to recommend those best practices that the department should implement. Is the recommendation part of the project something the CAE should add?

A) No, the recommendation work should have been requested by the operating manager.
B) Yes, the CAE is independent from the operating location and has the purpose, authority, and responsibility to do so.
C) Yes, the operating department would want that information.
D) No, these recommendations would constitute management work.

A

No, the recommendation work should have been requested by the operating manager.

Rationale
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client. The nature and the scope of a consulting engagement are subject to agreement with the engagement client. Benchmarking internal areas with comparable areas of similar organizations to identify best practices would add value to the organization.

7
Q

Which instrument establishes the authority and obligations of the audit staff and delineates appropriate types of auditing activities and access necessary to execute the roles outlined in the charter?

A) Staff job descriptions
B) Audit manual (policies and procedures)
C) Function and responsibility (F and R) statement
D) Statement of policy

A

Function and responsibility (F and R) statement

Rationale
The function and responsibility (F and R) statement establishes the authority and responsibility of the audit staff and delineates appropriate types of auditing activities and access necessary to execute the functions outlined in the charter.

8
Q

Which practice supports the mandate of an internal audit function?

A) Unfettered access to corporate employees, facilities, and records (including those of contractors)
B) Approval of the written charter by the chief audit executive (CAE)
C) Disclosure of operational accountability for functions subject to subsequent internal audit review
D) Overriding of the written charter with current best practices

A

Unfettered access to corporate employees, facilities, and records (including those of contractors)

Rationale
Unfettered access to corporate employees, facilities, and records relates to the authority of internal audit. If the written charter does not agree with current best practices, it should be updated and re-approved by the board or the audit committee (not the CAE). Disclosure does not preclude the fact that internal audit should not have any operational accountability or perform functions that would be subject to subsequent internal audit review.

9
Q

During a consulting engagement, the internal auditor discovers the use of materials that do not comply with contractual requirements. The finding is not related to the scope of the engagement, so the auditor does not include the information in the final audit report. According to The IIA’s Code of Ethics, this behavior is

A) appropriate, based on the auditor’s judgment.
B) unethical, because disclosure is expected by the profession.
C) prudent, as it maintains confidentiality.
D) incompetent, because it is in violation of the Standards.

A

unethical, because disclosure is expected by the profession.

Rationale
Through nondisclosure, the internal auditor would be lying about what he or she found. This behavior violates the integrity principle in The IIA’s Code of Ethics. Rule 1.2 in the Code states that internal auditors “shall observe the law and make disclosures expected by the law and the profession.” In other words, internal auditors are expected to perform their work with diligence and truthfulness and in accordance with the law and the ethical values of their organization and the profession.

10
Q

Participation in a standing committee would refer to what category of consulting services?

A) Formal
B) Informal
C) Special
D) Emergency

A

Informal

Rationale
Internal auditors may conduct consulting services as part of their normal or routine activities or in response to management requests. Informal consulting services include routine activities—such as participation in standing committees, limited-life projects, or ad hoc meetings—and routine information exchange.

11
Q

Which of the following abilities is important in marketing the internal audit function to executive management?

A) Knowing who the auditors serve as customers
B) Knowing what executive management wants internal auditors to audit and when
C) Preparing audit reports in a way that consistently highlights items of importance to executive management
D) Explaining the current use of audit software to executive management

A

Knowing who the auditors serve as customers

Rationale
Knowing who the auditors serve as customers is an important way to show that the internal audit function knows its audience. For example, Implementation Standard 1210.A2 states, “The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.” It would be inappropriate for executive management to dictate the scope and timing of audits. Audit reports may often need to serve the valuable function of conveying bad news or bringing up issues that management was unaware of. Knowing about current audit software is irrelevant to executive management.

12
Q

Organizational control systems are made up of various components that govern the operations of all levels of the organization. Some of these components originate at the senior management level, while others can be developed at the department level. What is the most basic component of the organizational control system meant to guide the daily operations of the organization or a department?

A) Policies and procedures
B) Statistical reports
C) Strategic plans
D) Performance appraisals

A

Policies and procedures

Rationale
Policies and procedures are the most basic control subsystem of an organization.

13
Q

In the internal auditing profession, the Standards refer to which of the following?

A) Criteria that are applicable to most, but not all, types of internal audit departments
B) Criteria by which the operations of an internal audit department are evaluated and measured
C) Statements intended to represent the practice of internal auditing as a rules-based system
D) Criteria that dictate the minimum level of ethical actions to be taken by internal auditors

A

Criteria by which the operations of an internal audit department are evaluated and measured

Rationale
The Standards are a set of principles-based, mandatory requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance, and they are internationally applicable at organizational and individual levels. The Code of Ethics, not the Standards, describes the minimum requirements for the ethical conduct of and the behavioral expectations for internal auditors.

14
Q

The senior management of an organization has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by

A) a special consulting engagement agreement.
B) an emergency consulting engagement agreement.
C) an informal consulting engagement agreement.
D) a formal consulting engagement agreement.

A

a formal consulting engagement agreement.

Rationale
Managerial training should be planned and continuous. It should be subject to a consulting agreement that is formal and is written to ensure that the needs and expectations of those who will be trained are recognized and satisfied.

15
Q

A written charter that outlines the internal audit department’s purpose, authority, and responsibility and is approved by the audit committee or board of directors is primarily meant to enhance the department’s

A) independence.
B) relationship with management.
C) stature within the organization.
D) due professional care.

A

independence.

Rationale
A charter establishes the department’s independence from management. Due care is a function of audit work, not the charter.

16
Q

Which consulting activity would be appropriately performed by the internal audit function?

A) Designing systems of control
B) Installing systems of control
C) Reviewing systems of control before implementation
D) Drafting procedures for systems of control

A

Reviewing systems of control before implementation

Rationale
Reviewing systems, even before implementation, is an activity appropriately performed by the internal audit function, and it does not impair objectivity. The other three options are presumed to impair either objectivity or independence.

17
Q

A chief audit executive (CAE) is hired from another organization. During the next planning cycle, the CAE offers for the board’s approval an audit charter and plan based on the CAE’s work in his previous position. What is the most likely result?

A) Decrease in efficiency or in the activity’s ability to fulfill its annual objectives
B) Increase in the quality of internal audit work, based on the infusion of external perspectives and procedures
C) Conflict between internal audit activities and the expectations and risk appetite of the board and senior management
D) Increase in risk that the organization will be in noncompliance with local laws and regulations

A

Conflict between internal audit activities and the expectations and risk appetite of the board and senior management

Rationale
The audit charter and annual plan must be aligned with the organization’s strategic objectives and risk appetite. If not, the annual plan, even if approved, will not meet the expectations of the board and senior management. The risk of noncompliance will probably not be strongly affected as long as compliance audits continue. Efficiency may not suffer, although the effectiveness of the internal audit activity will. The quality of internal audit work must be tied to its strategic alignment.

18
Q

An auditor with special expertise in financial statement analysis would most likely risk violating The IIA’s Code of Ethics by doing which of the following activities without consulting senior management and the chief audit executive (CAE)?

A) Founding a charitable foundation with family-owned investments and administering it
B) Charging a fee for evaluating financial risk in a division manager’s personal portfolio
C) Providing pro bono investment guidance to a local nonprofit organization
D) Teaching investment seminars for a fee at a local college

A

Charging a fee for evaluating financial risk in a division manager’s personal portfolio

Rationale
Performing paid services for a division manager of the organization would create a potential conflict of interest and therefore requires the consent of senior management and the CAE. Even though the internal auditor is providing a personal service that may seem unrelated to the work of the organization, the auditor’s interest in promoting the personal financial success of the executive and the executive’s interest in providing compensation for the auditor’s outside work could impair the independence of both in discharging their responsibilities in the organization.

19
Q

The IIA publishes three types of Standards to guide adherence to its International Professional Practices Framework. Which type expands guidance and provides requirements applicable to assurance and consulting engagements?

A) Attribute Standards
B) Implementation Standards
C) Assurance Standards
D) Performance Standards

A

Implementation Standards

Rationale
Implementation Standards expand upon the Attribute and Performance Standards by providing the requirements applicable to assurance or consulting services.

20
Q

In some organizations, managers insist that an internal auditing function is not needed to provide a critical assessment of the organization’s operations. The most detrimental result of such a management attitude is that this will most probably have an adverse effect on the internal auditing function’s

A) operating budget variance.
B) policies and procedures.
C) effectiveness.
D) performance appraisals.

A

effectiveness.

Rationale
In this type of situation, management is highly averse to analysis or possible criticism of its actions, and this will inhibit the internal audit department’s effectiveness.

21
Q

In applying the standards of conduct set forth in The IIA’s Code of Ethics, internal auditors are expected to

A) compare the standards to the standards in other professions.
B) use discretion in deciding whether to use the standards or not.
C) be guided by the desires of the audit client.
D) exercise their individual judgment.

A

exercise their individual judgment.

Rationale
The IIA’s Code of Ethics contains basic principles that require individual judgment in application. However, judgment may not be used to decide whether or not to follow the Code’s standards of conduct.

22
Q

During an audit, an employee with whom you have a good working relationship informs you that she has some information about top management that would be damaging to the organization and may concern illegal activities. The employee does not want to go public with the information and does not want her name associated with the release of the information. Which of the following actions would be considered inconsistent with The IIA’s Code of Ethics and Standards?

A) Suggesting that the person consider talking to legal counsel
B) Informing the employee of other methods of communicating this type of information
C) Informing the individual that you will attempt to keep the source of the information confidential and will look into the matter further
D) Assuring the employee that you can maintain her anonymity and listening to the information

A

Assuring the employee that you can maintain her anonymity and listening to the information

Rationale
The IIA’s Code of Ethics and Standards do not provide for strict confidentiality of information. The other options are allowable.

23
Q

The IIA publishes three types of Standards to guide adherence to the International Professional Practices Framework. Which type describes the nature of internal auditing and provides quality criteria against which services can be measured?

A) Consulting Standards
B) Performance Standards
C) Attribute Standards
D) Implementation Standards

A

Performance Standards

Rationale
Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.

24
Q

An engineering firm’s management is considering the potential benefits and drawbacks of contracting out the firm’s drafting. Consistent with the Standards, the internal auditing activity could contribute in which of the following ways?

A) Based on the audit activity’s expertise developed for audit interviews, creating an interview guide to use in selecting contractors
B) Writing a basic contract that would protect the organization against fraudulent work practices
C) Researching industry-wide best practices for outsourcing and determining pay rates for various types of drafting projects
D) Assessing the effectiveness of using contractors rather than employees in meeting management’s quality objectives

A

Assessing the effectiveness of using contractors rather than employees in meeting management’s quality objectives

Rationale
Assessing the effectiveness of outsourcing in meeting management objectives would be an appropriate consulting engagement for the internal auditing activity. Contracts would be developed by the legal department and interview guides by human resources (though internal audit could review them to identify weaknesses). Internal audit could research best practices and make recommendations, but determining pay rates is a management function.

24
Q

An audit committee chairperson requests that the chief audit executive (CAE) of a multibillion-dollar company revise their risk assessment and audit plan to perform internal audits only in the procurement area. The company’s procurement activities in a given year are approximately U.S. $3 billion, and they include a variety of sole source, invitation for bid, and competitively negotiated contracts. The chairperson says to the CAE, “In my opinion, there is no bigger risk facing the company at this given time. It’s all about procurement.” The CAE reports to the audit committee chairperson. Should the CAE adhere to the audit committee chair’s request?

A) Yes, the rationale for the change in the risk assessment is justified.
B) No, risk assessments include all areas of business risk that a company faces.
C) Yes, the CAE has been given a clear direction by the audit committee chairperson, who has the authority to direct audit focus.
D) No, the CAE should explain to the audit committee chairperson that internal audit is the primary risk management body for the organization as a whole and needs to serve a wider audience.

A

No, risk assessments include all areas of business risk that a company faces.

Rationale
While the original definition of internal auditing referred only to control, if senior management and the board are so willing (through approval of the annual audit plan, including its priorities and resource constraints), internal auditing can and should provide a more comprehensive evaluation of the organization’s risk management and governance processes. Governance, risk, and control are defining activities for an enterprise. Successful organizations don’t champion one over another; rather, they recognize the powerful interplay and benefits of all three.

25
Q

Organizational independence exists if the chief audit executive (CAE)

A) reports administratively to some other organizational level than the chief executive officer or a similar head of the organization, so long as the internal audit activity controls the scope and performance of the work and the reporting of results without interference.
B) reports administratively to some other organizational level than the chief executive officer or a similar head of the organization, so long as the internal audit activity approves the internal audit budget and risk-based internal audit plan without interference.
C) reports functionally to some other organizational level than the chief executive officer or a similar head of the organization, so long as the internal audit activity controls the scope and performance of the work and the reporting of results without interference.
D) reports functionally to some other organizational level than the chief executive officer or a similar head of the organization, so long as the internal audit activity approves the internal audit budget and risk-based internal audit plan without interference.

A

reports administratively to some other organizational level than the chief executive officer or a similar head of the organization, so long as the internal audit activity controls the scope and performance of the work and the reporting of results without interference.

Rationale
IIA Standard 1110 states that the CAE “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” Organizational independence exists if the CAE reports functionally to the board, has direct and unrestricted access to the board, and reports administratively to the chief executive officer or a similar head of the organization or to some other organizational level, so long as the internal audit activity controls the scope of work, the performance of the work, and the reporting of results without interference.

26
Q

Which of the following would be an advantage of conducting environmental audits under the direction of the internal audit activity?

A) The financial aspects are de-emphasized.
B) Internal audit work products are confidential.
C) Independence and authority are already in place.
D) Technical expertise is more readily available.

A

Independence and authority are already in place.

Rationale
The internal audit activity normally has a broad charter and realm of responsibility and can readily assimilate the new auditing function.

27
Q

An internal auditor reviews the technology infrastructure to assure integrity of information and provides this information to senior management. Who else is generally involved in this type of audit service?

A) A consultant
B) The process owner
C) The operational manager
D) A total quality management (TQM) reviewer

A

The process owner

Rationale
This scenario describes a common type of assurance service related to IT. Three parties generally involved in assurance services include the process owner (e.g., one or more IT managers in this case), the internal auditor, and the user of the assessment (here, senior management).

28
Q

The internal audit activity should contribute to the organization’s governance by evaluating the processes through which

A) the effectiveness and efficiency of controls are evaluated.
B) activities of external and internal auditors and management are kept separate.
C) ethics and values are codified in controls.
D) risk and control information is communicated.

A

risk and control information is communicated.

Rationale
Part of assessing and improving governance is to evaluate the processes through which risk and control information is communicated to appropriate areas of the organization. Ethics and values need to be promoted but cannot necessarily be codified in controls. Another governance evaluation relates to effectively coordinating the activities of communicating information among the board, management, and internal and external auditors. Evaluating the effectiveness and efficiency of controls is part of contributing to effective controls rather than governance.

29
Q

Company A has a formal corporate code of ethics; company B does not. Company A’s code of ethics covers purchase agreements and relationships with vendors along with many other issues to guide individual behavior in the company. Which of the following statements can be logically inferred?

A) Company A exhibits a higher standard of ethical behavior than does company B.
B) Company A has established objective criteria by which an employee’s actions can be evaluated.
C) The absence of a formal corporate code of ethics in company B would prevent a successful audit of ethical behavior in that company.
D) Company A has a lower need for controls related to purchase agreements and vendor relationships than does company B.

A

Company A has established objective criteria by which an employee’s actions can be evaluated.

Rationale
A formalized corporate code of ethics presents objective criteria by which actions can be evaluated and would thus serve as criteria against which activities could be evaluated. The existence of a corporate code of ethics, by itself, does not ensure a higher standard of ethical behavior. A code of ethics must be complemented by follow-up policies and monitoring activities to ensure compliance. Standards that would influence individual actions can occur in other places than the corporate code of ethics. The existence of a code of ethics does not remove the need for related controls.

30
Q

To demonstrate the Core Principle “Provides risk-based assurance,” an internal audit activity must first effectively implement which other Core Principle?

A) “Aligns with the strategies, objectives, and risks of the organization”
B) “Demonstrates competence and due professional care”
C) “Demonstrates quality and continuous improvement”
D) “Promotes organizational improvement”

A

“Aligns with the strategies, objectives, and risks of the organization”

Rationale
To demonstrate that it provides risk-based assurance and fulfills its mission, the internal audit activity must effectively implement the Core Principle “Aligns with the strategies, objectives, and risks of the organization.” Additionally, the chief audit executive should start with an internal audit plan based on an organization-wide risk assessment that is aligned with the organization’s risk universe and takes into account its risk appetite.

31
Q

Which of the following is one of the Core Principles for the Professional Practice of Internal Auditing?

A) Maintains confidentiality
B) Promotes an ethical culture in the internal audit profession
C) Develops consistency in internal audit practices
D) Is appropriately positioned and adequately resourced

A

Is appropriately positioned and adequately resourced

Rationale
The Core Principles for the Professional Practice of Internal Auditing articulate internal audit effectiveness. One of the ten Core Principles states that the audit function should be “appropriately positioned and adequately resourced.” Maintaining confidentiality and promoting an ethical culture are both part of The IIA’s Code of Ethics. Developing consistency in internal audit practices is not a core principle, nor is it desirable, as practices will vary depending on organizational environment, culture, and level of maturity of the audit function.

32
Q

The chief audit executive (CAE) receives a request from the vice president (VP) of human resources. The VP would like the internal audit department to create a pension quality control (QC) unit to perform ongoing reviews of pension calculations made by the pension group. The CAE accepts this responsibility. He sees it as a consulting project, and consulting projects are included in the internal audit department’s charter. Should the CAE have obtained approval from senior management and the board prior to agreeing to perform this pension QC work?

A) Yes. While the CAE included consulting services in the existing audit charter, such a large project still needs individual approval.
B) Yes. The CAE should obtain approval from senior management prior to agreeing to perform any type of consulting work.
C) No. The CAE included in the existing audit charter that the department will perform consulting work.
D) No. This assignment is outside the services of an internal audit department and is a function of management.

A

No. This assignment is outside the services of an internal audit department and is a function of management.

Rationale
Establishing a QC function for the pension work should be denied, as it is a function of management. Part of the responsibility of the internal audit activity includes the mandate to not perform management activities.

33
Q

Which of the following situations would most likely be considered a violation of the Code of Ethics?

A) Your audit manager has just removed your most significant finding and recommendation from your audit report. Being the in-charge auditor, you have voiced your opposition to the removal and have explained that you know that the reported condition exists. Although you agree that, technically, the audit lacks sufficient evidence to support the finding, management cannot explain the condition and your audit finding is the only reasonable conclusion.
B) Because your department lacks skill and knowledge in a specialty area, your audit director has engaged the services of an expert consultant. As audit manager, you have been asked to review the expert’s approach to the assignment. You are knowledgeable regarding the area under review but are hesitant to accept the assignment because you lack the expertise to judge the validity of the expert’s conclusion.
C) After researching and developing the proposed yearly audit plan, you, as director, are required by the company audit charter to present the plan to the audit committee for its approval and suggestions.
D) As chief audit executive, you are perplexed as to how to resolve a disagreement between yourself and management regarding a finding and recommendation in a very sensitive audit area. Unsure as to what to do, you discuss the details of the finding and your proposed recommendation with a fellow chief audit executive you know from your work in the local chapter of The Institute of Internal Auditors.

A

As chief audit executive, you are perplexed as to how to resolve a disagreement between yourself and management regarding a finding and recommendation in a very sensitive audit area. Unsure as to what to do, you discuss the details of the finding and your proposed recommendation with a fellow chief audit executive you know from your work in the local chapter of The Institute of Internal Auditors.

Rationale
Discussing findings and recommendations with a fellow chief audit executive would be a violation, because the Code of Ethics requires confidentiality. The Standards allow for each of the other situations.

34
Q

Which of the following is part of the Mission of Internal Audit?

A) Promoting an ethical culture in the profession of internal auditing
B) Reducing the occurrence of fraud
C) Protecting organizational value
D) Respecting the value and ownership of information received and not disclosing information without appropriate authority

A

Protecting organizational value

Rationale
The Mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Promoting an ethical culture is the purpose of The IIA’s Code of Ethics, and respecting the value and ownership of information received and not disclosing it is the confidentiality principle from the Code of Ethics. Reducing the occurrence of fraud is management’s responsibility.

35
Q

The accounts payable manager for an airline requests a consulting review of the electronic submission of invoices. Three employees in the department handle this particular function. The manager feels that there is a bottleneck in the process that is caused by poor working practices on the part of the employees. The manager wants internal audit to validate this. Is this an assignment the chief audit executive should undertake?

A) Yes, this is a request that is well suited to be performed by internal audit.
B) No. This is a function of management, and the poor working practices should be reviewed by the accounts payable manager.
C) Yes, the assignment is well defined and has a clear objective.
D) No, the Standards specifically restrict the conduct of such reviews.

A

No. This is a function of management, and the poor working practices should be reviewed by the accounts payable manager.

Rationale
Supervision is a function of management, and the poor working practices should be reviewed by the accounts payable manager, not internal audit.

36
Q

The primary intent of internal audit assurance activities is to

A) evaluate the achievement of operational targets.
B) provide advice, generally at the request of the engagement client.
C) assess evidence relevant to the subject matter of interest and provide conclusions.
D) reduce risks to acceptable levels.

A

assess evidence relevant to the subject matter of interest and provide conclusions.

Rationale
Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system, or other subject matter.

37
Q

A chief audit executive (CAE) tours a company that was just acquired by his company. The existing auditor shows the CAE the different aspects of the plant, including maintenance, inventory, and the shipping department. The CAE notices a revenue room where the day’s cash sales are secured. The CAE asks to tour this room as well. The auditor quickly responds that no one is allowed in there, not even internal audit, due to the amount of cash kept there. The CAE should have an issue with this based on what aspect of the International Professional Practices Framework?

A) Organization and reporting structure
B) Responsibilities
C) Authority
D) Independence and objectivity

A

Authority

Rationale
One aspect of authority is that an internal audit activity must have appropriate, unfettered access to records, physical property, and personnel in order to perform engagements and must declare internal auditors’ accountability for safeguarding assets and confidentiality.

38
Q

The current charter, approved by the organization’s audit committee several years ago, went through a major revision to ensure that it reflected important elements contained in the International Professional Practices Framework (IPPF) of The Institute of Internal Auditors. Recently, the chief audit executive (CAE) determined a need for one more modification to the charter to align the department’s mission statement with the Mission of Internal Audit as promulgated by The Institute of Internal Auditors. Is this a change that needs to be communicated to the audit committee?

A) Yes, the internal audit activity will remain free from interference regarding matters of audit selection, scope, procedures, frequency, timing, or report content in order to foster an independent and objective mental attitude.
B) No, this is not a significant change since the department was adhering to the IPPF.
C) No, internal audit is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations.
D) Yes, the CAE cannot change the nature of the audit function or modify the internal audit charter without consulting the audit committee.

A

Yes, the CAE cannot change the nature of the audit function or modify the internal audit charter without consulting the audit committee.

Rationale
The CAE cannot change the nature of the audit function without consulting the audit committee or modifying the internal audit charter. Aligning the department’s mission statement with the Mission of Internal Audit as promulgated by The Institute of Internal Auditors is a significant deviation.

39
Q

During the course of work on an operations audit, the internal auditor learns that the organization is about to purchase one of its suppliers, which is a public company. There is no public discussion of this matter as yet. Which of the following actions by the internal auditor would stay true to The IIA’s Code of Ethics?

A) The auditor tells a friend that the supplier has many good qualities and would be a good addition to the friend’s portfolio but does not mention the takeover possibility.
B) The auditor takes no investment action on the information but documents the confidential information in the workpapers to include in the final report.
C) The auditor buys stock in the supplier but tells no one of the potential acquisition.
D) The auditor does not buy stock in the supplier and mentions the takeover only to family members.

A

The auditor takes no investment action on the information but documents the confidential information in the workpapers to include in the final report.

Rationale
Trading on insider (nonpublic) information is a violation of securities law, as is giving advice based on that information (even if the information itself is held confidential). Passing the information on to others is also a violation, whether they act on it or not. The breach of confidentiality should be reported to senior management.

40
Q

What do Implementation Standards provide?

A) They assist internal auditors in following up on internal audit recommendations.
B) They provide guidance to help internal auditors interpret and apply the Code of Ethics and the Standards and promote best practices.
C) They describe the nature of internal auditing and provide quality criteria for evaluating audit performance.
D) They provide separate mandatory instructions for implementing the Attribute and Performance Standards.

A

They provide separate mandatory instructions for implementing the Attribute and Performance Standards.

Rationale
Implementation Standards expand upon Attribute and Performance Standards. They provide separate mandatory instructions for implementing the Attribute and Performance Standards, depending on whether the engagement is to be for assurance or consulting.

41
Q

Adherence to the Core Principles for the Professional Practice of Internal Auditing, as a whole, best demonstrates

A) the maturity of the internal audit function.
B) conformance with the profession’s Code of Ethics.
C) the competencies of the chief audit executive (CAE).
D) the effectiveness of the internal audit activity.

A

the effectiveness of the internal audit activity.

Rationale
Per the IIA’s Practice Guide “Demonstrating the Core Principles for the Professional Practice of Internal Auditing,” the Core Principles, taken as a whole, characterize the effectiveness of the internal audit activity. The value added to an organization and the competency of the CAE are attributes of adhering to the Core Principles. The maturity of an internal audit function entails more than adherence to the Core Principles.

42
Q

An internal auditor who was recently terminated by a company due to downsizing has found a job with another company in the same industry. Which of the following disclosures made by the internal auditor to the new organization would constitute a violation of The IIA’s Code of Ethics?

A) The auditor discloses to the new organization’s senior management that the prior employer has significantly downsized its sales force in the northern region and so this is now a prime target for gains in market share.
B) While at the previous firm, the auditor conducted a great deal of research to identify best practices for the management of the treasury function as part of an audit for that firm. Since most of the research was done at home and during non-office hours, the auditor has retained much of it and plans to use it in conducting an audit of the treasury function at the new employer.
C) The new audit department does not use probability-proportionate-to-size (PPS) sampling, and the auditor believes that it has advantages for many of the types of audits conducted by the new employer. He conducts training sessions and develops forms to implement sampling in the same manner as the previous employer.
D) The auditor uses the audit risk approach that was used by his former employer in determining audit priorities in the new job.

A

The auditor discloses to the new organization’s senior management that the prior employer has significantly downsized its sales force in the northern region and so this is now a prime target for gains in market share.

Rationale
Disclosing confidential operating information from a prior employer would violate The IIA’s Code of Ethics’ confidentiality principle. Common approaches, standard auditing techniques, and industry best practices can be carried to the next employer. They do not involve confidential information. Research could be viewed as part of the continuing education of the auditor.

43
Q

According to The IIA’s Code of Ethics, the principle of integrity requires internal auditors to do which of the following?

A) Be prudent in the use and protection of the information acquired in the course of their duties.
B) Continually improve their proficiency, effectiveness, and quality of services.
C) Not accept anything that may impair or be presumed to impair their professional judgment.
D) Respect and contribute to the legitimate and ethical objectives of the organization.

A

Respect and contribute to the legitimate and ethical objectives of the organization.

Rationale
The principle of integrity, according to The IIA’s Code of Ethics, requires internal auditors to have full knowledge of the Code’s requirements and perform all activities accordingly. Internal auditors must “perform their work with honesty, diligence, and responsibility”; “observe the law and make disclosures expected by the law and the profession”; “not knowingly be a party to illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization”; and “respect and contribute to the legitimate and ethical objectives of the organization.”

44
Q

Which of the following is a consulting role rather than an assurance role for internal auditors?

A) Evaluating the effectiveness of controls and managing key risks
B) Assessing and reporting on risks in a reliable manner
C) Evaluating risk management processes
D) Teaching management about risk and control tools and techniques

A

Teaching management about risk and control tools and techniques

Rationale
Educating management about risk and control tools and techniques used by the internal audit activity and sharing those tools is a consulting role for internal auditors. The other answer choices are all assurance roles.

45
Q

To promote a greater awareness of the capabilities of the internal audit activity in the various departments of the organization, the chief audit executive (CAE) has instituted several initiatives. Which of the following would be an appropriate marketing tactic and would conform to the Standards?

A) The CAE follows up each assurance audit with a memo to the audit committee, senior management, and department heads with a summary of significant findings.
B) The CAE has made it a policy to buy lunch, from his own funds, for each head of a department at the start of an audit, with the purpose of promoting the resources and expertise of the audit activity.
C) The CAE has appointed an auditor to compile and distribute an intra-organization newsletter including testimonials from audit clients and similar positive items.
D) The CAE has promised all department heads in writing that they will be audited only once every three years.

A

The CAE has appointed an auditor to compile and distribute an intra-organization newsletter including testimonials from audit clients and similar positive items.

Rationale
Providing a newsletter with positive responses from audit clients would be a good marketing tactic to show the internal audit activity is adding value, per Performance Standard 2000, Managing the Internal Audit Activity. Auditing all departments at set intervals without regard to the results of an annual risk assessment is not appropriate. Promoting the audit activity’s resources and positive accomplishments through free lunches would not be appropriate, especially in relation to government audits. Revealing compliance audit findings through memos to the audit committee, senior management, and department heads would be likely to violate privacy rights and would publicize, inevitably, the audit consequences the potential clients fear. This is not likely to make the internal auditor’s job easier.

46
Q

An auditor has planned an audit of the effectiveness of the quality assurance function as it affects the receiving of goods, the transfer of goods into production, and the scrap costs related to defective items. The audit client argues that such an audit is not within the scope of the internal audit function and should come only under the purview of the quality assurance department. What would be the most appropriate audit response?

A) Indicate that the audit will examine the function only in accordance with the standards set and approved by the quality assurance function before beginning the audit.
B) Refer to the audit department charter and the approved audit plan that includes the areas designated for audit in the current time period.
C) Terminate the audit; an operational audit will not be productive without the audit client’s cooperation.
D) Seek the approval of management as a mediator to set the scope of the audit or, failing this, to refer the project to the quality assurance department.

A

Refer to the audit department charter and the approved audit plan that includes the areas designated for audit in the current time period.

Rationale
Referring to the charter and the audit plan is the most appropriate response. The charter should specify the broad responsibilities of the department, and the audit plan for the year should indicate the approval of management and the audit committee. It would not be appropriate to ask management to resolve every potential scope disagreement between the auditor and an audit client.

47
Q

Which of the following actions by an internal auditor would constitute a conflict of interest according to The IIA’s Code of Ethics?

A) An internal auditor very much wants to increase her knowledge, skills, and experience into the area of auditing the project management office, but she has no training in project management. To gain experience, she accepts the assignment as the lead auditor for this assurance engagement.
B) An internal auditor has accepted an assignment to audit the yogurt division. She has recently joined the internal auditing department. However, she discloses that she was senior auditor for the external audit of that division and has audited many dairy food companies during the past two years.
C) An internal auditor has inadvertently discovered the identity of an anonymous whistleblower by the process of logical deduction. He keeps this discovery to himself.
D) An internal auditor has decided to ignore a senior manager’s suggestion that a particular person is responsible for a potential fraud since the evidence is pointing entirely toward a different individual.

A

An internal auditor very much wants to increase her knowledge, skills, and experience into the area of auditing the project management office, but she has no training in project management. To gain experience, she accepts the assignment as the lead auditor for this assurance engagement.

Rationale
Accepting the lead auditor assignment would be a conflict of interest according to Competency Rule of Conduct 4.1, which requires auditors to engage only in those services for which they have the necessary knowledge, skills, and experience. The information that the whistleblower reports is the important information to research further. Disclosing the identity of the anonymous whistleblower would be inappropriate; keeping this information secret would uphold confidentiality (unless ordered to report it in a subpoena). Ignoring a senior manager’s suggestion about a potential fraud suspect would not be appropriate except for the fact that the internal auditor is letting the evidence speak for itself. In this case, the internal auditor is showing objectivity.

48
Q

An accounts payable manager contacts the chief audit executive of a small manufacturing company. The work of a supervising accounts payable clerk has been below average; the clerk has been making errors and reporting to work late. The manager asks if the internal audit department can review the clerk’s work and validate these issues. Is this a consulting service that the internal audit department should perform?

A) No, this is not a value-added service that would be performed under the consulting definition.
B) Yes, but limit it to work that may be prone to errors. Do not review the lateness issue.
C) Yes, but the scope should be expanded to other supervising accounts payable clerks in the department.
D) No, refer this work to an investigative body within the company.

A

No, this is not a value-added service that would be performed under the consulting definition.

Rationale
An internal audit activity is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations.” Internal auditing activities are often referred to with the acronym GRC (governance, risk, and control) due to the value-adding services internal auditing provides in assurance and consulting engagements to evaluate and help improve GRC effectiveness. The manager’s request is not a value-added service but a form of employee supervision that the manager should do on an everyday basis as part of his or her own responsibilities.

49
Q

A service company is currently experiencing significant downsizing and process reengineering, and a more decentralized approach has been adopted to run the business functions by empowering the business branch managers to make decisions and perform functions traditionally done at a higher level. In the past, the primary focus of successful audit activities has been the service branches and the six regional division headquarters that support the branches. These division headquarters are the primary targets for possible elimination. The support functions—such as human resources, accounting, and purchasing—will be brought into the national headquarters. Up to this point, internal auditing has reported to the chief operating officer, even though all members have a financial auditing background. Due to the significant changes, there has been some discussion as to changing this reporting relationship. What would be the best reporting relationship for internal auditing?

A) Administrative reporting to branch managers and functional reporting to the chief financial officer
B) Administrative reporting to the chief financial officer and functional reporting to the chief executive officer
C) Administrative reporting to the chief executive officer and functional reporting to the board
D) Administrative and functional reporting to the chief executive officer

A

Administrative reporting to the chief executive officer and functional reporting to the board

Rationale
Independence is less likely to be impaired if the internal auditing department reports to the board. Functionally reporting to the president would impair independence, because the president is responsible for the areas to be audited. Functionally reporting to the chief operating officer or chief financial officer may impair independence for all audits of operational areas.

50
Q

The Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing are _____ elements of the International Professional Practices Framework (IPPF).

A) implementation
B) supplemental
C) mandatory
D) recommended

A

mandatory

Rationale
These are mandatory elements of the IPPF. Recommended guidance includes Implementation Guidance and Supplemental Guidance. Implementation Guidance is designed to help internal auditors understand how to apply and conform with the requirements of mandatory guidance. Supplemental Guidance provides additional information, advice, and best practices for providing internal audit services. It supports the Standards by addressing topical areas and sector-specific issues in more detail than Implementation Guidance and is endorsed by The IIA through formal review and approval processes.

51
Q

Internal auditors should review the effectiveness and efficiency of internal controls. A chief audit executive (CAE) emphasizes to her three-person staff that, when possible in performing internal audits, they should identify potential cost savings. What characteristic of an internal audit department’s activity is the CAE emphasizing to her staff?

A) Responsibility: Do not perform management activities.
B) Purpose: Add value and improve an organization’s operations.
C) Responsibility: Document the objectives and scope of the engagement as well as the methodology to be used.
D) Authority: Secure necessary internal and external resources to accomplish audit activity objectives as planned.

A

Purpose: Add value and improve an organization’s operations.

Rationale
Identifying potential areas for cost savings is an example of a value-added service that internal audit can provide. For an internal audit activity to best support executive management and boards of directors in accomplishing overall organizational goals and objectives and strengthen internal controls and corporate governance, the purpose, authority, and responsibility of the internal audit activity must be understood.

52
Q

The Standards help clarify the nature of the charter by providing guidelines as to its contents. Which of the following is suggested in the Standards as part of the charter?

A) Department’s ability to generate an internal audit plan without needing further approval
B) Scope of internal auditing activities
C) Types of revisions to the charter that are allowed without additional approval
D) Length of tenure for chief audit executive

A

Scope of internal auditing activities

Rationale
As described in the interpretation of Standard 1000, “The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities.” It does not specify the length of tenure of any internal audit staff. Revisions to the charter require approval. The annual audit plan will still need approval even with a signed charter.

53
Q

In the final report for an internal audit, the internal auditor states that security controls are at the same level of effectiveness as in the previous audit. There is no mention that control activities in the previous audit were found to be unsatisfactory. According to the Code of Ethics, this communication is

A) potentially biased.
B) prudent and competent.
C) balanced and objective.
D) specific but unethical.

A

potentially biased.

Rationale
Rule 2.3 in the Code of Ethics indicates that all information necessary for the user to correctly understand the audit report must be disclosed.

54
Q

An internal auditor who encounters an ethical dilemma not explicitly addressed by The IIA’s Code of Ethics should always

A) seek the counsel of the audit committee before deciding on an action.
B) take action consistent with the principles embodied in The IIA’s Code of Ethics.
C) act consistently with the employing organization’s code of ethics even if such action would not be consistent with The IIA’s Code of Ethics.
D) seek counsel from an independent attorney to determine the personal consequences of potential actions.

A

take action consistent with the principles embodied in The IIA’s Code of Ethics.

Rationale
The auditor must act consistently with the concepts and spirit embodied in The IIA’s Code of Ethics. Ethics is a moral and professional concept, not just a legal concept.