Essentials: Governance, Risk, & Control Flashcards

1
Q

In a process-based facilitated team workshop, team members focus on identifying

  1. selected activities that are elements of a process and the success of those activities in achieving the objectives of the process.
  2. controls that are currently being used and any remaining risks.
  3. risks to success and whether the controls are adequate to mitigate them.
  4. controls and key risks that have been selected by the facilitator.
A

1 - selected activities that are elements of a process and the success of those activities in achieving the objectives of the process.

Rationale
Process-based workshops focus on analyzing or revising a particular process or verifying its effectiveness. Generally, these workshops focus on one process at a time, from the beginning of the process to the end.

2
Q

In the context of the fifth component of the COSO Internal Control—Integrated Framework, which of the following is the best example of a monitoring activity?

  1. An internal audit manager monitors for receipt of post-engagement client survey responses.
  2. A manufacturing department supervisor visually monitors workers to ensure that they are continually working.
  3. A retail floor supervisor routinely monitors hourly employees’ lunch and break times.
  4. An accounting manager monitors staff to ensure that bank reconciliations are performed and adjustments are timely.
A

4 - An accounting manager monitors staff to ensure that bank reconciliations are performed and adjustments are timely.

Rationale
Monitoring activities, in the context of the COSO Internal Control—Integrated Framework, are activities the organization uses to monitor control activities as well as how it takes action to address any identified deficiencies. Performing a bank reconciliation is a control activity, and management monitoring for timeliness would be considered a monitoring activity. The other answer choices are examples of routine tasks or supervisory activities that are unrelated to control activities.

3
Q

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for which of the following?

  1. Making strategic and operational decisions
  2. Setting standards for fair pay and living wage
  3. Identifying root causes of ethics violations
  4. Being aware of and concurring with the entity’s risk appetite
A

1 - Making strategic and operational decisions

Rationale
The evaluation of the processes for making strategic and operational decisions is an element of Performance Standard 2110, “Governance.”

4
Q

An organization uses a risk heat map with impact and likelihood values to classify fraud. The theft of proprietary customer data (i.e., credit card numbers) is classified as high likelihood and high impact. Based on this classification, the organization should

  1. pay little attention to the risk.
  2. reduce the risk impact.
  3. reduce the risk likelihood.
  4. share the risk with a backup plan.
A

3 - reduce the risk likelihood.

Rationale
The risk heat map for likelihood and impact looks at each type of fraud and determines how likely the fraud is to occur and how significant it would be if it did occur. Any fraud that has a high probability and high significance of material effect must be addressed with controls, processes, and procedures to prevent it or, more realistically, to drastically reduce its likelihood. Reducing the impact implies that the organization is willing to incur the theft. This would not be true for a high-impact loss of proprietary data. A backup plan is not a valid example of sharing the risk.

5
Q

Which of the following expresses the relationship between the governance practices and the ethical culture of an organization?

  1. An organization’s governance practices reflect the stability of most organizational cultures.
  2. The governance process enhances the interests of specific stakeholders but may or may not be concerned with the benefit to society.
  3. How effective the overall governance process is largely depends on the organization’s culture.
  4. The governance process requires compliance with legal and regulatory rules, but compliance with generally accepted societal expectations is optional.
A

3 - How effective the overall governance process is largely depends on the organization’s culture.

Rationale
Organizational culture impacts the values, roles, and behavior that will be articulated and tolerated by the organization and determines how sensitive, thoughtful, or indifferent the enterprise is in meeting its responsibilities to society. Thus, how effective the overall governance process is in performing its expected function largely depends on the organization’s culture.

6
Q

If the culture of an organization is more collegiate and people work more toward cross-functional goals, then which is the best way to define the audit universe?

  1. By organizational strategy
  2. By management team direction
  3. By functional areas
  4. By business processes
A

4 - By business processes

Rationale
If the culture is more collegiate and people work more toward the objectives of cross-functional business processes, then the audit universe is best defined by business processes. Since any organizational culture will have its strengths and weaknesses, considering the weaknesses of a given culture when defining the audit universe is important, such as looking for risks that occur in the interface between two functional areas for a formal functional area authority culture or looking for unclear definitions of accountability in this example.

7
Q

Which is an appropriate role for an internal auditor to play in enterprise risk management (ERM)?

  1. Identify top ERM issues linked to key strategic objectives.
  2. Provide independent and value-added recommendations to management about ERM practices.
  3. Ensure appropriate risk management ownership by business unit leaders.
  4. Manage the reporting effectiveness of risk management systems.
A

2 - Provide independent and value-added recommendations to management about ERM practices.

Rationale
Providing independent and value-added recommendations about ERM practices is within the purpose, authority, and responsibility of the internal audit activity. The other strategies are management activities and are not appropriate for the internal audit activity.

8
Q

Which is the primary focus of risk management from an internal audit perspective?

  1. Internal audit failure to detect fraud
  2. Internal audit failure to detect financial statement material errors
  3. Impact on potential liability of the organization
  4. Impact on the achievement of objectives
A

4 - Impact on the achievement of objectives

Rationale
As defined in the IPPF Glossary, risk is “the possibility of an event occurring that will have an impact on the achievement of objectives… measured in terms of impact and likelihood.”

9
Q

An internal audit activity helps an organization maintain effective controls most effectively by

  1. performing a comprehensive risk assessment and identifying potential areas for audit.
  2. effectively coordinating the activities of and communicating information among the board, management, and external and internal auditors.
  3. identifying and evaluating significant exposures to risk and monitoring and evaluating the risk management system.
  4. evaluating the effectiveness and efficiency of controls and promoting the continuous improvement of the control environment and related control activities.
A

4 - evaluating the effectiveness and efficiency of controls and promoting the continuous improvement of the control environment and related control activities.

Rationale
Internal auditors must be proficient in governance, risk, and control activities. In discussing the requirements of Standard 2100, “Nature of Work,” Implementing the Professional Practices Framework, second edition, succinctly summarizes how internal auditors must evaluate and contribute to the improvement of governance, risk management, and control systems. For the area of control, the two primary ways the internal audit activity helps an organization maintain effective controls are by evaluating the effectiveness and efficiency of controls and by promoting the continuous improvement of the control environment and related control activities.

10
Q

Which would help ensure that an organization’s governance is effective?

  1. Ensuring that board members are independent from the organization to the degree that they have expertise in other industries than the organization’s operations
  2. Arranging the organizational structure in ways that support achieving the organization’s strategy
  3. Allowing lines of responsibility and accountability to shift over time without undue consequences
  4. Setting limits on board funding to prevent abuses of power such as independent inquiries
A

2 - Arranging the organizational structure in ways that support achieving the organization’s strategy

Rationale
An effective governance principle is to create an organizational structure that supports the enterprise in achieving its strategy.

11
Q

An organization uses a risk heat map with impact and likelihood values to classify fraud. Kickbacks are classified as low likelihood and high impact. Based on this classification, the organization should

  1. avoid the risk by not doing business in regions likely to have this issue.
  2. reduce the risk using automated detection and monitoring tools.
  3. share the risk with insurance or pursue the risk with a backup plan.
  4. accept the risk and pay little attention to it.
A

2 - reduce the risk using automated detection and monitoring tools.

Rationale
The risk assessment heat map looks at each type of fraud and determines how likely the fraud is to occur and how significant it would be if it did occur. Frauds that have high materiality but relatively low probability can be reduced in likelihood by using detection and monitoring (i.e., data mining and fraud screening).

12
Q

Which is an acceptable role for the internal audit activity in the risk management process?

  1. No role
  2. Managing specific risks if defined in the internal audit plan
  3. Active, continuous support in the process such as leadership of oversight committees
  4. Managing and coordinating the risk management process
A

1 - No role

Rationale
The internal audit activity’s role in the risk management process of an organization can change over time and may be found at some point along a continuum that ranges from:
* No role, to
* Auditing the risk management process as part of the internal audit plan, to
* Providing insight and historical data on risk events identified by internal audit findings, to
* Consulting on the establishment or improvement of risk management processes.

13
Q

An organization experiences a data breach of its customers’ credit card information. In response, management puts better cybersecurity processes and controls in place and purchases insurance. These actions describe which types of risk responses?

  1. Reduce and avoid
  2. Reduce and share
  3. Share and accept
  4. Accept and avoid
A

2 - Reduce and share

Rationale
The organization is reducing risk (by putting more controls in place) and sharing it (by purchasing insurance).

14
Q

Internal auditing may provide consulting services that improve an organization’s governance, enterprise risk management (ERM), and control processes. However, there should be safeguards in place. Which of the following allows internal audit to consult?

  1. Internal audit can provide objective assurance on any part of the ERM framework.
  2. Internal audit can make risk management decisions by itself.
  3. Internal audit’s responsibilities can be documented in the internal audit charter but are not required.
  4. Internal audit should not manage any of the risks on behalf of management.
A

4 - Internal audit should not manage any of the risks on behalf of management.

Rationale
Per the Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Management,” internal audit should not manage risks on management’s behalf. In fact, that is the key factor in determining if internal audit can consult on the company’s ERM. Management should always retain responsibility.

15
Q

Which of the following enterprise risk management (ERM) components influences the risk consciousness of an organization’s people and is the basis for all other ERM components?

  1. Information and communication
  2. Objective setting
  3. Internal environment
  4. Risk assessment
A

3 - Internal environment

Rationale
The internal environment influences the risk consciousness of an organization’s people, as it deals with the risk culture and risk philosophy of people.

16
Q

Part of the ISO 31000 risk management standard is the framework that outlines five processes. The framework includes the implementing of risk management and the monitoring and review of the framework. Which is another process?

  1. Mandate and communication
  2. Managing risk costs and rewards
  3. Continual improvement of the framework
  4. Alignment with the board
A

3 - Continual improvement of the framework

Rationale
Per the Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000,” continual improvement of the framework is another process along with mandate and commitment and monitoring and review of the framework.

17
Q

To perform meaningful evaluations around governance, internal auditors need to

  1. obtain a certification.
  2. learn key frameworks.
  3. be very experienced.
  4. understand the business.
A

4 - understand the business.

Rationale
Per Implementation Guide 2100, internal auditors need to understand the business to perform meaningful evaluations. They may use established frameworks as a guide in their evaluations.

18
Q

Which is an appropriate responsibility for an internal audit activity?

  1. Designing and implementing appropriate controls after detecting control deficiencies in an assurance engagement
  2. Coordinating with the organization’s enterprise risk management framework to avoid redundancy by doing additional risk evaluations
  3. Designing and implementing an enterprise risk management (ERM) system at management’s request
  4. Reviewing the implementation of organizational policies related to risk management
A

4 - Reviewing the implementation of organizational policies related to risk management

Rationale
An internal audit activity is responsible for reviewing the implementation of organizational policies. Standard 2120, “Risk Management,” states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The responsibility of an internal audit activity, therefore, is not to implement ERM systems or appropriate controls—this is the responsibility of management. Internal audit should, however, assess the effectiveness of existing ERM systems or controls and (where necessary) offer recommendations for new controls.

19
Q

In the COSO Enterprise Risk Management (ERM) framework, there are five interrelated components with corresponding principles. Which principle relates to the “Review and revision” component?

  1. Communicates risk information
  2. Formulates business objectives
  3. Pursues improvement in ERM
  4. Implements risk responses
A

3 - Pursues improvement in ERM

Rationale
In the COSO ERM framework, the three principles under “Review and revision” are assessing substantial change, reviewing risk and performance, and pursuing improvement in ERM.

20
Q

As you are reviewing the communication protocols of the risk management activities, the chief audit executive asks you to consider the balancing of the messages. What elements should be balanced in risk management communication?

  1. Transparency and relevancy
  2. Transparency and sensitivity
  3. Transparency and audience
  4. Transparency and compliance
A

2 - Transparency and sensitivity

Rationale
Per the Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000,” internal communication and reporting mechanisms should be adequate to ensure that key outcomes of the risk management activities are communicated appropriately within the organization, balancing transparency with sensitivity.

21
Q

When considering the risk and control implications of an organizational structure, which is an element of effective organizational structure design?

  1. Single pool of organizational resources
  2. Traditional hierarchy structure
  3. Segregation of diverse organizational tasks
  4. Formal lines of authority
A

4 - Formal lines of authority

Rationale
Regardless of what an organizational structure looks like on paper, an effective design will establish formal lines of authority, coordinate diverse organizational tasks, and allocate and deploy organizational resources, among other things. Not all organizational structures need to be of the traditional hierarchy type.

22
Q

Which of the following best describes an event that would be placed in the low impact, high likelihood area of a risk heat map?

  1. Downsizing consolidates the check signing and check authorization functions in the controller job role.
  2. Employees could find a way to bypass the automated controls over web surfing and thus waste time.
  3. Petty cash is kept in a high traffic area, and the organization doesn’t use an imprest account system.
  4. Computer output sits at the printer after it is printed, and valuable material could end up in competitors’ hands.
A

3 - Petty cash is kept in a high traffic area, and the organization doesn’t use an imprest account system.

Rationale
The controls over petty cash are almost nonexistent. This makes the event very likely, but the loss of some petty cash would not have a high impact on business continuity. The computer output answer is high impact but low likelihood, because an employee would likely need to be colluding with the competitor. The downsizing answer is high impact and high likelihood, while the web surfing answer is low likelihood and low impact.

23
Q

Which is a best practice in risk assessment?

  1. Quantifying all risks, not just those that are considered significant
  2. Ensuring that risk identification is primarily the concern of internal auditing
  3. Limiting the assessments primarily to financial hazards
  4. Potentially leveraging management’s macro assessment of risk if the chief audit executive deems it is effective
A

4 - Potentially leveraging management’s macro assessment of risk if the chief audit executive deems it is effective

Rationale
Management may have a process for identifying and evaluating high-level risk. In this situation, internal auditing should consider the effectiveness of management’s process when determining how much to rely on it for possible use in its own independent risk assessments. The internal audit activity can then potentially leverage the results of the organization-wide assessment. The other answer choices are examples of risk assessment pitfalls.

24
Q

When assessing the risk associated with an activity necessary for the development of the organization’s financial statements, an internal auditor should

  1. provide assurance on the management of the risk.
  2. determine how the risk should best be managed.
  3. update the risk management process based on risk exposures.
  4. design controls to mitigate the identified risks.
A

1 - provide assurance on the management of the risk.

Rationale
Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective. Designing and updating the risk management process and determining how unacceptable risk should be managed are roles of management. Designing controls would impair the internal auditor’s independence.

25
Q

Which of the following is the responsibility of the chief executive officer in an organization’s enterprise risk management (ERM) process?

  1. Maintaining ultimate ownership for the ERM process, setting the “tone at the top,” and ensuring a positive internal environment
  2. Monitoring the enterprise risk profile and ensuring that major risks are identified and reported upward
  3. Assisting internal and external auditors relying on ERM output for the purposes of audit planning and execution
  4. Validating that ERM is functioning in each business unit according to the approved risk management policy and framework
A

1 - Maintaining ultimate ownership for the ERM process, setting the “tone at the top,” and ensuring a positive internal environment

Rationale
Ownership for the ERM process, the appropriate “tone at the top,” and a positive internal environment are responsibilities of the organization’s chief executive officer (CEO). The CEO would delegate the other tasks listed.

26
Q

Which statement regarding corporate governance is correct?

  1. Appropriate disclosure of key information, in a transparent manner, is primarily the chief audit executive’s governance responsibility.
  2. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is a corporate governance issue.
  3. The chief audit executive has more day-to-day responsibility for the company’s corporate governance than the board does.
  4. The compensation scheme for management is part of the corporate control mechanisms.
A

4 - The compensation scheme for management is part of the corporate control mechanisms.

Rationale
One principle of effective corporate governance is to make sure that compensation policies and practices, especially related to senior management, are consistent with the organization’s ethical values, objectives, strategy, and control environment and encourage appropriate behavior. The chief audit executive is not the primary person for making disclosures to stakeholders. The board is ultimately responsible for the company’s corporate governance, not the internal auditors. The dilution of shareholders’ wealth resulting from employee stock options or employee stock bonuses is an accounting issue.

27
Q

In an organization with a less mature governance system, which of the following would be an appropriate action by the internal audit function?

  1. Analyzing the transparency and disclosure practices among parts of the governance structure
  2. Evaluating best practices for use by the organization
  3. Comparing the current governance structure and practices against regulations and other compliance requirements
  4. Auditing the design and effectiveness of specific governance-related processes
A

3 - Comparing the current governance structure and practices against regulations and other compliance requirements

Rationale
When less maturity in governance processes prevails, the internal audit function tends to focus more on performing discrete audits, providing advice regarding optimal structure and practices, and comparing the current governance structure and practices against regulations and other compliance requirements.

28
Q

Key risk responses include which of the following?

  1. Avoidance, sharing, control, pursuit.
  2. Control, avoidance, reduce, acceptance.
  3. Acceptance, avoidance, reduction, sharing.
  4. Sharing, acceptance, control, avoidance.
A

3 - Acceptance, avoidance, reduction, sharing.

Rationale
According to the textbook, risk response/risk treatment is “an action, or set of actions, taken by management to achieve a desired risk management strategy.” Risk responses can be categorized as risk avoidance, reduction, sharing, or acceptance. Control is not a type of risk response; the chosen risk response determines how the organization will control the risk.

29
Q

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?

  1. To provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically
  2. To ensure that weaknesses in the internal control system are corrected
  3. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives
  4. To determine whether the processes ensure that the accounting records are correct and that financial statements are fairly stated
A

1 - To provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically

Rationale
The purpose stated in Implementation Guide 2120 is to provide reasonable assurance that the risk management, control, and governance processes will enable the organization’s objectives and goals to be met efficiently and economically.

30
Q

An organization is affected by a costly stockout after a supplier fails to deliver a key component on time. The supplier says the reason for the stockout is that they operate with little or no inventory themselves. Which of the following would be the most cost-effective method of preventing this issue?

  1. Communicating the organization’s risk appetite and risk tolerance to the supplier
  2. Developing the component materials in-house
  3. Establishing an enterprise risk management framework at the supplier
  4. Keeping a large supply of the supplier’s component materials on hand
A

1 - Communicating the organization’s risk appetite and risk tolerance to the supplier

Rationale
While increasing the inventory of components would reduce the risk of another stockout, communicating the organization’s risk appetite and risk tolerance to suppliers can prevent an organization from inadvertently accepting excessive risk from a supplier who has different values.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Effectively communicating risk and control information to appropriate areas of the organization is the proper function of which of the following?

  1. Risk management
  2. Core principles
  3. Control
  4. Governance
A

4 - Governance

Rationale
Effectively communicating risk and control information to appropriate areas of the organization is a governance function.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Which is a best practice for defining the risk universe in a culture that reinforces formal functional area authority?

  1. Require formal functional area process owners to define the risk universe.
  2. Define the risk universe primarily by cross-functional business processes.
  3. Define the risk universe primarily by functional area.
  4. Get buy-in from functional area process owners on the elements of the risk universe that most need auditing in the current year.
A

3 - Define the risk universe primarily by functional area.

Rationale
The organization’s culture can impact how the internal audit activity may want to organize the risk universe to ensure that engagements are value-added and critical risk areas are given sufficient attention. If the culture reinforces formal functional area authority, then a best practice is to define the risk universe by these functional areas. In this way, audits will be easier to comprehend and accept.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

The primary reason bank executives would decide to maintain a separate compliance function is to

  1. ensure the independence of line and senior management.
  2. better respond to shareholder expectations.
  3. better manage perceived high risks.
  4. strengthen controls over the bank’s investments.
A

3 - better manage perceived high risks.

Rationale
Managing risk includes a variety of activities to identify, assess, and control risk across the entire spectrum of an organization, ranging from single events or projects, to narrowly defined types of risk (e.g., market risk), to threats and opportunities facing the entire enterprise. Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring. A separate compliance function may have recommendations to help strengthen controls, but this is not its primary purpose. It will help respond to shareholder needs, but this is not the primary reason for establishing the compliance function. Management is not independent, and risk management is a direct responsibility.

34
Q

Internal audit can perform a variety of tasks within the enterprise risk management process. Which of the following would be a legitimate role for internal audit to play if there are safeguards?

  1. Developing the risk management strategy for board approval
  2. Being accountable for risk management processes
  3. Imposing risk management processes
  4. Evaluating risk management processes
A

1 - Developing the risk management strategy for board approval

Rationale
Per the Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Management,” internal audit can develop the risk management strategy for board approval, provided that safeguards are in place.

35
Q

An organization is looking to expand its operations by either entering new markets with its current product or creating a new product (through innovation or acquisition). The board has mandated a low risk appetite. What approach to expansion should management take to best align with the organization’s risk appetite?

  1. Enter its first market in Asia.
  2. Create or acquire an entirely new product outside of the organization’s current product offering.
  3. Expand the number of countries within its existing European market.
  4. Create a new product to supplement current product offerings.
A

3 - Expand the number of countries within its existing European market.

Rationale
Per the Practice Guide “Assessing the Risk Management Process,” risk appetite is the level of risk an organization is willing to accept, sometimes referred to as loss tolerance. Given that the organization has a low risk appetite, it is not willing to take on a lot of risk. Of the potential expansion ideas, entering one new market in Europe (where the company already has other locations and so better understands the laws and processes) carries the lowest risk.

36
Q

Internal audit has a responsibility for assessing the governance, risk management, and control process of an organization. One way to do this is to review the process for the annual risk assessment. Another way to assess risk management is to

  1. review key performance indicators and incentive plans.
  2. review minutes of meetings in which the code of conduct is discussed.
  3. interview departmental heads to understand strategic decisions.
  4. interview key personnel in compliance, risk, and finance.
A

4 - interview key personnel in compliance, risk, and finance.

Rationale
Per Implementation Guide 2110, another way to assess the risk management process is to interview key members in the compliance, risk, and finance functions.

37
Q

An organization creates an initiative involving all employees to develop a thorough enterprise risk management (ERM) process that focuses on significant risks and promotes proactively managing risk exposures. It builds early warning mechanisms into existing management information systems. Employees are given specific responsibilities to monitor for the identified risks in their purview. A year later, the system is continuing to function as it was built. What might be missing from this ERM system?

  1. Way of embedding control into the organizational processes
  2. Feedback process to learn from mistakes and to harness potential improvements and risk reductions
  3. Adoption of a risk-based approach to internal control and the assessment of its effectiveness
  4. Focus on those risks that have been identified by senior management as being potentially damaging to the achievement of the organization’s objectives
A

2 - Feedback process to learn from mistakes and to harness potential improvements and risk reductions

Rationale
Ongoing, continuous monitoring of risk and control is an important part of ERM. An organization’s risk management and internal control strategies and policies must be continuously monitored and fine-tuned in response to changing exposures. A feedback process should be in place to learn from mistakes and to harness potential improvements and risk reductions. The question makes no reference to improvements or ongoing updates to the ERM system but does discuss the items in the incorrect answer choices as already occurring.

38
Q

What is true of a company that focuses on integrity, ethical values, and competence in daily business activities?

  1. It has assurance that there are adequate internal controls over financial reporting (ICFR).
  2. It is strengthening its organizational culture.
  3. It can have less onerous systems for monitoring and enforcement of compliance standards.
  4. It is ensuring compliance with laws and regulations.
A

2 - It is strengthening its organizational culture.

Rationale
The control environment is influenced by management style and by how leadership fulfills its oversight duty. Because it is shaped by the integrity, ethical values, and competence that management demonstrates in daily business activities, the control environment is closely associated with organizational culture.

39
Q

A fraud was recently discovered in the organization. The executive vice president of the affected functional area meets with the chief audit executive (CAE) and asks, “Where were the internal auditors? They haven’t audited our area in two years!” Which is the best response from the CAE?

  1. “The primary responsibility of monitoring rests with management.”
  2. “We will include this area in all future annual audit plans.”
  3. “We failed in our responsibilities and will use this case to continually improve.”
  4. “The audit department has no responsibility to notice fraud indicators.”
A

1 - “The primary responsibility of monitoring rests with management.”

Rationale
Internal control systems need to be monitored by management—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Due to the cyclical nature of performing internal audits, fraud may not be discovered in a timely fashion.

40
Q

Internal auditors frequently recommend that formal policies be written. However, the presence of certain conditions in an organization minimizes the need for written policies. One such condition is

  1. a high division of labor.
  2. a large span of control.
  3. a strong organizational culture.
  4. a strict unity of command.
A

3 - a strong organizational culture.

Rationale
With a strong culture, the organization’s key values are intensely held and widely shared. Substantial effort has been expended on training to achieve this high degree of acceptance, making the need for formal, written policies minimal.

41
Q

Which of the following is a responsibility of the chief audit executive (CAE)?

  1. Communicating the internal audit activity’s plans and resource requirements to senior management and the board for review and approval
  2. Overseeing the establishment, administration, and assessment of the organization’s risk management processes
  3. Managing other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication
  4. Compelling management to take actions on the most significant reported risks
A

1 - Communicating the internal audit activity’s plans and resource requirements to senior management and the board for review and approval

Rationale
Performance Standard 2020, “Communication and Approval,” states in part that the CAE must communicate the internal audit activity’s plans and resource requirements… Risk management is a key responsibility of senior management and the board, not the CAE. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role in determining that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.

42
Q

A strong control environment requires a strong tone at the top. Which is the best approach to understand an organization’s culture and the tone at the top?

  1. Review the annual ethics training completion percentage to verify compliance.
  2. Review the mission and value statements, whistleblower policy, and code of conduct.
  3. Interview the top leaders to understand if they adhere to the code of conduct and set the right tone.
  4. Verify that the organization employs background checks during hiring to find ethical people.
A

2 - Review the mission and value statements, whistleblower policy, and code of conduct.

Rationale
Per Implementation Guide 2110, the internal audit activity reviews the organization’s related objectives, programs, and activities. These could include mission and value statements, a code of conduct, hiring and training processes, anti-fraud and whistleblowing policies, and a hotline and investigation process.

43
Q

An internal auditor reports the following: “I conclude that the risk still present after management has made its risk reduction efforts is a function of a tendency for the internal controls to lose effectiveness over time.” Which of the following states the same thing using proper terminology?

  1. “I conclude that the absolute risk is a function of managed risk.”
  2. “I conclude that the managed risk is a function of inherent risk.”
  3. “I conclude that the inherent risk is a function of residual risk.”
  4. “I conclude that the residual risk is a function of control risk.”
A

4 - “I conclude that the residual risk is a function of control risk.”

Rationale
Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an event, including control activities in responding to a risk. Control risk is the tendency of the internal control system to lose effectiveness over time and to expose, or fail to prevent exposure of, the assets under control.

44
Q

What is the best way for internal auditors to evaluate an organization’s management of risk?

  1. Assess the quality of risk management processes and systems, but also assess internal control and corporate governance processes.
  2. Assess the level of compliance of an organization with its policies and procedures as well as applicable laws and regulations.
  3. Assess the achievement of the organization’s vision and mission statement or the risk of failing to achieve these goals.
  4. Assess the quality of risk management processes and systems in isolation from other processes.
A

1 - Assess the quality of risk management processes and systems, but also assess internal control and corporate governance processes.

Rationale
Auditors must have a thorough understanding of governance, risk, and control appropriate to the organization. These elements are interrelated and need to be considered as such.

45
Q

Which is a role the internal audit function should undertake?

  1. Implementing risk responses on management’s behalf
  2. Providing recommendations on risk responses
  3. Imposing risk management processes
  4. Setting the risk appetite at an acceptable level
A

2 - Providing recommendations on risk responses

Rationale
The Position Paper “The Role of Internal Auditing in Enterprise-Wide Risk Management” identifies roles the internal audit function should not undertake. This list includes setting the risk appetite, imposing risk management processes, and implementing risk responses on management’s behalf.

46
Q

Part of internal audit’s role is to evaluate how effective the risk management function operates within the business. No matter the maturity of the organization, internal audit should verify that the risk management function performs which element?

  1. Communicates risks to the entire organization regularly and outside of assessments
  2. Identifies potential risk exposures and disruptive risks
  3. Supports lobbyists to increase legislation around industry risks
  4. Removes all risk exposure for the organization
A

2 - Identifies potential risk exposures and disruptive risks

Rationale
Per the Practice Guide “Assessing the Risk Management Process,” identifying potential risk exposures and disruptive risks should be included at any level of the maturity model, and internal audit should leverage the assessment of the risk management function.

47
Q

A chief audit executive is reviewing the following enterprise-wide risk map:
- Risk A: Remote likelihood / critical impact
- Risk B: Possible likelihood / critical impact
- Risk C: Possible likelihood / minor impact
- Risk D: Likely likelihood / major impact

Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?

  1. B, C, A, D
  2. D, B, C, A
  3. A, B, C, D
  4. B, C, D, A
A

2 - D, B, C, A

Rationale
D, B, C, A ranks the risks by a combination of likelihood and impact. B takes precedence over A because both have critical impact but B is more likely to occur. D takes precedence over C because it is higher on both likelihood and impact. Another acceptable way to prioritize would be to rank A over C, since C’s impact is only minor even though C is more probable.
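The prioritization above is a heat-map ranking, and the rationale itself notes that the scoring rule decides the order of A and C. The block below is an added example, not part of the flashcard source: it ranks the four risks on the card under two scoring rules (likelihood times impact, and impact-first) so the difference is visible, and it rejects unknown scale labels so a mistyped label cannot silently rank a risk as zero. The 5-point ordinal scales (the card names only three levels of each), the multiplicative score, and the heat-band thresholds are assumptions made for illustration.

```python
# Added example (not from the flashcard source): ranking a risk map by likelihood and impact.
# Assumptions: 5-point ordinal scales, multiplicative scoring, and the band thresholds
# in heat_band(); only the four risks and their three levels come from the card.
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Assumed ordinal scales. Higher is worse.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str


# The four risks from the card.
RISK_MAP = [
    Risk("A", "remote", "critical"),
    Risk("B", "possible", "critical"),
    Risk("C", "possible", "minor"),
    Risk("D", "likely", "major"),
]


def validate(risk: Risk) -> None:
    """Reject labels outside the scale so a typo cannot silently score a risk as zero."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"{risk.name}: unknown likelihood {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"{risk.name}: unknown impact {risk.impact!r}")


def score_product(risk: Risk) -> int:
    """Classic heat-map score: likelihood x impact (assumed rule)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def score_impact_first(risk: Risk) -> tuple:
    """Impact-dominant rule: compare impact first, use likelihood only to break ties.
    This is the alternative the rationale alludes to: A (critical) outranks C (minor)."""
    return (IMPACT[risk.impact], LIKELIHOOD[risk.likelihood])


def rank(risks: Iterable[Risk], scorer: Callable[[Risk], object] = score_product) -> List[str]:
    """Return risk names from highest to lowest priority under the given scorer.
    sorted() is stable even with reverse=True, so equal scores keep input order;
    a real assessment should agree an explicit tie-break rather than rely on that."""
    risks = list(risks)
    for r in risks:
        validate(r)
    return [r.name for r in sorted(risks, key=scorer, reverse=True)]


def heat_band(risk: Risk) -> str:
    """Map the product score to an audit-coverage band (thresholds are assumed)."""
    s = score_product(risk)
    if s >= 15:
        return "high"      # include in the current audit plan
    if s >= 6:
        return "medium"    # cover on a rotation
    return "low"           # monitor only


if __name__ == "__main__":
    print("product ranking     :", rank(RISK_MAP))                      # D, B, C, A
    print("impact-first ranking:", rank(RISK_MAP, score_impact_first))  # B, A, D, C
    for r in RISK_MAP:
        print(r.name, score_product(r), heat_band(r))
```

Under the product rule the scores are A=5, B=15, C=6, D=16, which reproduces the card’s answer D, B, C, A. Under the impact-first rule the order becomes B, A, D, C, which is the “A over C” ordering the rationale accepts; whichever rule an audit activity adopts, it should be written down before the map is scored, because the rule, not the map, decides the ordering of risks like A and C.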

48
Q

Which of the following goals sets risk management strategies at the optimum level?

  1. Maximizing shareholder value
  2. Maximizing market share
  3. Minimizing costs
  4. Minimizing losses
A

1 - Maximizing shareholder value

Rationale
Maximizing shareholder value is a comprehensive approach that will relate to risk management strategies across the enterprise. The other goals are not part of a comprehensive approach to risk management.

49
Q

The chief risk officer is most effective when he or she

  1. shares the management of risk with the chief audit executive.
  2. works with management in their areas of responsibility.
  3. shares the management of risk with line management.
  4. manages risk as a member of senior management.
A

2 - works with management in their areas of responsibility.

Rationale
The chief risk officer is most effective when working with other executives and managers in establishing effective risk management practices, monitoring progress, and assisting in reporting. Senior management has an oversight role. The chief audit executive is not responsible for managing risk. Risk knowledge at the line level would be specific only to that area of the organization.

50
Q

If an organization is acting in accordance with the principles of COSO’s Enterprise Risk Management—Integrating with Strategy and Performance framework, what does this provide to management and the board?

  1. Assurance to senior management that the internal controls over financial reporting are operating effectively
  2. Reasonable assurance that the organization understands and is striving to manage the risks associated with its strategy and business objectives
  3. A second line against control violations
  4. High assurance that enterprise risk management is stable at the organization and isn’t likely to change
A

2 - Reasonable assurance that the organization understands and is striving to manage the risks associated with its strategy and business objectives

Rationale
The COSO principles provide senior management and the board with a reasonable expectation that the organization understands and strives to manage the risks associated with its strategy and business objectives.

51
Q

Which is a prerequisite in order for the people, processes, and technologies that are put in place to mitigate ethics and compliance risks to be effective?

  1. As much emphasis on the means to the end as the end results themselves
  2. An organizational code of conduct that is written in the hearts of the organization’s people rather than on paper
  3. Values that emphasize aggressive risk taking so long as it is directed toward achieving strategic objectives
  4. A well-funded organizational compliance function that serves as the first line of defense
A

1 - As much emphasis on the means to the end as the end results themselves

Rationale
The ethical, principle-based, and centered organization recognizes and consistently affirms that the “means” mean everything—in other words, how the organization conducts itself to achieve its objectives and goals is as important as achieving those objectives and goals themselves. If the culture of the organization does not support principled performance, then the people, processes, and technologies that are put in place to mitigate ethics and compliance risks are unlikely to be effective.

52
Q

According to the King Report on Corporate Governance, an organization wanting to fundamentally redesign itself around the concept of sustainability should use which key tools?

  1. Objectives setting, event identification, and risk assessment
  2. Innovation, fairness, and collaboration
  3. Purpose, commitment, capability, and monitoring and learning
  4. Effectiveness and efficiency of operations, reliability of financial reporting, and compliance
A

2 - Innovation, fairness, and collaboration

Rationale
The King Report places emphasis on effective leadership based on an ethical foundation and the need to fundamentally redesign the organization around sustainability. Innovation, fairness, and collaboration are key tools described to achieve sustainability. The other answer choices are related to different control or risk management models.

53
Q

Which of the following is true of COSO’s Enterprise Risk Management framework?

  1. Internal auditors assume the primary responsibility for identifying and assessing risk.
  2. A principle related to culture is that culture cannot be controlled but must be understood when defining risk.
  3. It develops a portfolio view of risk and considers it against risk appetite.
  4. It has a more focused approach than traditional risk management.
A

3 - It develops a portfolio view of risk and considers it against risk appetite.

Rationale
COSO ERM takes a broader portfolio view of risk than traditional risk management and deals with risks and opportunities affecting the creation or preservation of organizational value. COSO describes the board’s oversight of ERM in part as reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite. A COSO ERM principle is that the organization defines the desired behaviors that characterize the entity’s desired culture.

54
Q

In planning an audit, the internal auditor should design audit objectives and procedures to address the risk associated with the activity. Risk is defined as

  1. the possibility that the financial statements contain material misstatements.
  2. the failure to accomplish established objectives and goals for operations or programs.
  3. the failure to adhere to organizational policies, plans, and procedures or relevant laws and regulations.
  4. the possibility that an event may affect the achievement of objectives.
A

4 - the possibility that an event may affect the achievement of objectives.

Rationale
The IPPF glossary defines risk as “the possibility of an event occurring that will have an impact on the achievement of objectives.”

55
Q

An organization is introducing enterprise risk management (ERM) to management and employees. Which would be an example of a risk assessment best practice?

  1. Focusing risks primarily on financial hazards and avoiding focusing too much time on less tangible soft issues
  2. Aligning and linking a top-down organization-wide risk assessment with a bottom-up engagement-level risk assessment
  3. Selecting all risks from a generic risk framework to identify risk exposures
  4. Creating exhaustive lists of risk categories and listing many significant risks in each category
A

2 - Aligning and linking a top-down organization-wide risk assessment with a bottom-up engagement-level risk assessment

Rationale
Collaborative approaches such as top-down organization-wide assessments and bottom-up engagement-level risk assessments that are aligned and linked are much more effective than internal auditors developing risks in a vacuum. Implementing the International Professional Practices Framework mentions a number of common risk assessment pitfalls.

56
Q

If the organizational culture is more collegiate and people work more toward the objectives of cross-functional business processes, what would be the key benefit of defining the audit universe by cross-functional business processes?

  1. The weaknesses of the culture will be considered.
  2. Managers will more likely comprehend and accept planned audits.
  3. Audit results will highlight widespread or universal applications of audit findings.
  4. A meeting between the chief audit executive and future audit clients will be more likely to highlight areas of resistance to auditing.
A

2 - Managers will more likely comprehend and accept planned audits.

Rationale
The organization’s culture can impact how the internal audit activity may want to organize the audit universe to ensure that engagements are value-added and critical areas are given sufficient attention. If the culture is more collegiate, then the key benefit of defining the audit universe by cross-functional business processes is that audits will be easier to comprehend and accept.

57
Q

A board’s role in organizational governance is best described as

  1. providing assurance to shareholders.
  2. serving as the focal point.
  3. establishing the entity’s value system.
  4. managing strategies for the achievement of organizational objectives.
A

2 - serving as the focal point.

Rationale
The board is the focal point for all governance activities, and it establishes the “tone at the top.” The board is also responsible for implementing best governance practices and providing oversight of organizational activities.

58
Q

Operational managers identify and manage performance and risks inherent to the organization’s strategy and select management controls and internal control measures. If these functions are not fully in place or are not operating correctly and operational managers do not detect the issue, who should be the next to detect it and do something about it?

  1. Internal auditing
  2. Senior management
  3. External auditing or other assurance functions
  4. Risk management and compliance functions
A

4 - Risk management and compliance functions

Rationale
The management hierarchy could be structured using The IIA’s Three Lines Model. The operational management described in the question is serving as the management first line role, who should be the first to detect the issue. The management second line role, which includes risk management and compliance functions, should be next to detect deficiencies in these processes and do something about them. Internal auditing and other assurance functions are the third line role.

59
Q

Which is within the internal audit activity’s scope of responsibilities?

  1. Management of external risks
  2. Elimination of external risks
  3. Evaluation of external risks
  4. Control of external risks
A

3 - Evaluation of external risks

Rationale
Evaluating external as well as internal risks falls within the scope of internal audit responsibilities. Controlling and managing risk are management responsibilities. Risks cannot be entirely eliminated.

60
Q

According to Standard 2100, “Nature of Work,” the role of the internal audit activity is to evaluate and contribute to the improvement of an organization’s governance, risk management, and control processes. How best can internal audit understand business strategies and risks to assist with its evaluation of governance?

  1. Review board and committee charters, meeting minutes, and the organization’s mission and key objectives.
  2. Compile previous audit reports and enterprise risk assessments, and interview the organization’s officers.
  3. Interview the CEO to understand the direction and vision he or she has for the organization.
  4. Review the code of ethics, the organization’s vision statement, and the organizational chart for reporting lines.
A

1 - Review board and committee charters, meeting minutes, and the organization’s mission and key objectives.

Rationale
According to Implementation Guide 2100, the chief audit executive (CAE) will typically review board and committee charters, meeting agendas and minutes, and the organization’s strategic plan. The CAE will also review the organization’s mission, key objectives, critical risks, and the key controls used to mitigate such risks to an acceptable level. These high-level documents will provide a good sense of the governance structure; they also give a more complete perspective than the other answer choices, which are a bit more narrow-focused.

61
Q

Which of the following would be responsible for establishing and maintaining an organization’s governance processes?

  1. Senior managers
  2. Board of directors
  3. Internal auditors
  4. Chief audit executive
A

2 - Board of directors

Rationale
The board of directors is responsible for establishing and maintaining the organization’s governance processes and obtaining assurances concerning the effectiveness of the risk management and control processes.

62
Q

An organization requires employees in safety-sensitive positions to have a medical exam every year. The human resources department administers the program and maintains strict confidentiality over the process due to privacy issues, and it shares the results with the operating department only when a request is appropriate. What aspect of internal controls is being affected in this process?

  1. Risk assessment
  2. Monitoring
  3. Information and communication
  4. Autonomy
A

3 - Information and communication

Rationale
Culture can impact information and communication and monitoring activities related to internal controls. Some cultures may be better than others at ensuring that the objectives and responsibilities for internal control are internally communicated to the right persons, for example.

63
Q

What do the chief audit executive (CAE) and internal auditors need to have a clear understanding of prior to identifying and assessing significant risks to organizational objectives?

  1. Residual risk
  2. Whether to monitor risk using ongoing management activities or separate evaluations
  3. How management is likely to respond to the risks once identified
  4. Organization’s business missions and objectives
A

4 - Organization’s business missions and objectives

Rationale
Implementation Guide 2120 indicates the following: “To fulfill this standard, the CAE and internal auditors start by attaining a clear understanding of risk appetite, as well as the organization’s business missions and objectives. It is also important to attain a complete understanding of the organization’s business strategies and the risks identified by management.” One cannot measure residual risk without first understanding risk appetite and business missions and objectives and then comparing this to the actual assessment.

64
Q

Competence of personnel is critical for a company to achieve its overall strategy and business objectives. As such, competence of personnel is part of which of the following?

  1. Control activities
  2. Risk assessment
  3. Information and communication
  4. Control environment
A

4 - Control environment

Rationale
Part of the IPPF Glossary definition of control environment is as follows: “The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the…competence of personnel.”

65
Q

An organization sells goods and services in both domestic and international markets. In conducting a cultural diversity audit, which is an appropriate internal audit action?

  1. Assessing facility accessibility
  2. Relying on compliance professionals in the organization to verify compliance with country and regional laws and regulations
  3. Sending out a survey asking people to disclose their political beliefs
  4. Evaluating the political environment of the nations in which the organization conducts business
A

4 - Evaluating the political environment of the nations in which the organization conducts business

Rationale
Evaluating the political environment should recognize the potential for conflict and the risks associated with continued operations in that environment. The Standards require auditors to verify compliance with laws and regulations. Also, per Performance Standard 2200, “Engagement Planning,” engagement plans need to consider the risks relevant to the engagement. Ignorance of local practices raises the risk of business loss.

66
Q

Which is an aspect of effective governance?

  1. It starts at the top with executive management.
  2. It balances economic and social goals.
  3. It is implemented by line management.
  4. Common stockholders help make organizational governance decisions.
A

2 - It balances economic and social goals.

Rationale
Governance balances economic and social goals. It starts at the top with the board of directors and is implemented by the board. Common stockholders are not responsible for implementing decisions within the organization. If members of the management team are also common stockholders, they must make decisions based on their stewardship function and must separate their ownership interests from their managerial responsibilities. Organizational change is conducted through change agents, which include employees and top management of the organization. Outside consultants often act as change agents because they can offer an objective, independent view of the organization.

67
Q

An organization has changed its risk response strategy for an asset and has cancelled its insurance because the costs were greater than the asset’s replacement cost. The organization has changed from

  1. reduction to acceptance.
  2. sharing to avoidance.
  3. sharing to acceptance.
  4. reduction to avoidance.
A

3 - sharing to acceptance.

Rationale
Sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common risk-sharing techniques include purchasing insurance products. Acceptance is taking no action to affect likelihood or impact.

68
Q

ISO 31000 is a risk management framework that talks about risk attitude as “an organization’s approach to assess and eventually pursue, retain, take or turn away from risk.” All organizations should know what their risk attitude is and include the board in the process. Which best describes the board’s role in enterprise risk management (ERM)?

  1. The board is responsible for communicating the risk attitude to various stakeholders along with risk prioritization.
  2. The board is responsible for determining whether the risk attitude is aligned with the best interests of shareholders.
  3. The board is responsible for verifying that the ERM function appropriately communicates the risk attitude.
  4. The board is responsible for deciding what the risk attitude should be each year for the company as well as its strategy.
A

2 - The board is responsible for determining whether the risk attitude is aligned with the best interests of shareholders.

Rationale
Per the Practice Guide “Assessing the Adequacy of Risk Management Using ISO 31000,” the board’s responsibility in ERM is to provide governance oversight, including determining whether the risk attitude is aligned with the best interests of the shareholders.

69
Q

There are numerous governance and ethics-related regulations around the world. Given the potential reputation and compliance risks involved, internal audit can play a key role in reviewing ethics programs. For example, to get a sense of the ethical climate, an employee questionnaire can be employed. What are the best type of questions for such a questionnaire?

  1. Multiple-choice questions
  2. Yes/no questions
  3. Open-ended questions
  4. Questions using a Likert scale
A

4 - Questions using a Likert scale

Rationale
Per the Practice Guide “Evaluating Ethics-Related Programs and Activities,” questionnaires are a good tool, but employees must feel safe from retribution for honest answers. As ethical issues are rarely yes/no, the best approach is to use a Likert scale and then ask for additional comments to explain disagreement with a statement.

70
Q

Not all organizations have a risk management process. What should an internal auditor do if he or she works in such an organization?

  1. The internal auditor should establish a process for identifying and evaluating high-level risks.
  2. The internal auditor should establish a full enterprise risk management process and framework.
  3. The internal auditor should avoid responsibility for managing identified risks.
  4. Internal auditors should avoid working in departments that have not yet established a risk management process.
A

3 - The internal auditor should avoid responsibility for managing identified risks.

Rationale
Internal auditors can facilitate or enable risk management processes, but they should not own or be responsible for the management of the risks identified. Management, not internal auditing, is responsible for establishing a risk management process, including high-level risk assessments.

71
Q

What is internal audit’s role in governance, risk management, and control (GRC)?

  1. To consult to create the ultimate strategy for GRC and obtain board approval
  2. To provide absolute assurance that GRC is functioning adequately
  3. To lead accountability for GRC
  4. To provide objective assurance and consulting activities around GRC
A

4 - To provide objective assurance and consulting activities around GRC

Rationale
Per Implementation Guide 2100, internal audit’s role is to provide objective assurance and consulting activities around GRC.

72
Q

Within the implementation phase of the ISO 31000 risk management framework, what processes have two-way linkages to the establish context, assess risks, and determine risk treatment processes?

  1. Hard control evaluation and soft control evaluation
  2. Risk-based audit planning and enterprise risk management process assurance
  3. Communication and consultation as well as monitoring and review
  4. Recording and reporting as well as control activities
A

3- Communication and consultation as well as monitoring and review

Rationale
Two reinforcing processes in the ISO 31000 implementation phase process framework are communication and consultation as well as monitoring and review. These processes interact with the three processes listed in the question to ensure that stakeholders are informed and consulted and that the processes are proceeding as intended.

73
Q

Part of the COSO Enterprise Risk Management (ERM) framework is the component “Information, communication, and reporting.” Under this component is a principle that focuses on reporting. Which is the correct principle?

  1. Reports on the risk severity and prioritization
  2. Reports on the risk assessment results
  3. Reports on risk, culture, and performance
  4. Reports on risk, controls, and deficiencies
A

3- Reports on risk, culture, and performance

Rationale
In the COSO ERM framework, the principle that focuses on reporting is “Reports on risk, culture, and performance.”

73
Q

At the beginning of the year, the finance department begins using a new accounting software system. It comes with excellent documentation and can handle the complex accounting methods the organization employs. Which of the following would be the best approach for auditing the accounting system at the end of the year?

  1. Audit the components of the accounting system based on assessed inherent, control, and detection risks.
  2. Audit the components of the accounting system that appear on a list compiled from prior IT system audits.
  3. Audit the components of the accounting system that appear on a list received from the accounting system vendor.
  4. Audit every component of the accounting system equally.
A

1- Audit the components of the accounting system based on assessed inherent, control, and detection risks.

Rationale
Audits should be risk-based. Inherent and control risks relate to the risk that an account balance could have misstatements. Detection risk is the risk of not finding the misstatements. Auditors should note transactions where the risks are greater than normal rather than using best-practices lists.

73
Q

Which statement describes the nature of control as reflected in the 2100 series of the Standards?

  1. Control facilitates the management of organizational risks and promotes effective governance processes.
  2. Control is aligned with broad organizational goals and objectives by requiring internal auditors to assume responsibility for managing strategic risks.
  3. Control is limited to compliance with organizational policies and procedures.
  4. Control is a key mechanism to ensure the financial integration of functional units.
A

1- Control facilitates the management of organizational risks and promotes effective governance processes.

Rationale
The 2100 series of the Standards reflects the broad nature, or scope, of internal audit activity beyond internal control assurance and compliance to include risk management and governance initiatives. To be most effective, internal controls should be aligned with the broad organizational goals and objectives and the risks of not achieving them, but according to Standard 2120.C3, “internal auditors must refrain from assuming any management responsibility by actually managing risks.”

74
Q

Which of the following control procedures would be least effective in preventing a fraud conducted by sending purchase orders to fictitious vendors?

  1. Require that only approved vendors be paid for purchases, based on actual production.
  2. Require contracts with all major vendors from whom production components are purchased.
  3. Require that total purchases for a month not exceed the total budgeted purchases for that month.
  4. Require that all purchases be made from an authorized vendor list, maintained independently of the individual placing the purchase order.
A

3- Require that total purchases for a month not exceed the total budgeted purchases for that month.

Rationale
Requiring that total purchases for a month not exceed the total budgeted purchases for that month would be the least effective, because it controls the total amount of expenditures but does not control where the purchase orders are placed or whether there is receipt of goods for the items purchased.

75
Q

Which of the following is a role of the internal audit activity in governance best practices?

  1. Placing faith in management’s enterprise-wide risk assessment
  2. Monitoring compliance with the corporate code of conduct
  3. Ensuring the timely implementation of audit recommendations
  4. Providing appropriate disclosure of key information, in a transparent manner, to stakeholders
A

2- Monitoring compliance with the corporate code of conduct

Rationale
The internal audit activity is responsible for monitoring compliance with the corporate code of conduct and for assessing and making recommendations for improving governance processes in the accomplishment of organizational objectives. Internal audit will need to determine how much to rely on management’s enterprise-wide risk assessment but should exercise professional skepticism rather than having blind faith in it. Also, it is the role of management to ensure the timely implementation of audit recommendations. Internal audit develops procedures to monitor the disposition of the audit recommendations and works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.

76
Q

An organization’s governance processes include a variety of key activities, for example, promoting appropriate ethics and values. Which of the following is another appropriate governance activity?

  1. Appropriately restricting internal audit activities
  2. Communicating financial information to stakeholders
  3. Overseeing risk management and control
  4. Complying with various regulatory requirements
A

3- Overseeing risk management and control

Rationale
Per Implementation Guide 2110, governance processes include overseeing risk management and control along with communicating risk and control information to appropriate areas within the organization.

77
Q

During an assurance engagement for the organization’s enterprise risk management (ERM) process, the internal auditor notices that there are no risks listed for the internal audit activity. Which is the best recommendation listed?

  1. The internal audit activity is independent and rightfully needs to be considered outside of the ERM process, except for the risk that it does not do its own independent risk assessment.
  2. The internal audit activity could provide false assurance or suffer audit failure, and either of these categories of risks could create reputation risks.
  3. Risks to internal audit activities should be considered in three broad categories: lack of independence, lack of objectivity, and lack of professional skepticism.
  4. The internal audit activity is the second line, and, if it provides false assurance, there is a small risk that the third line, risk management and compliance functions, will also fail.
A

2- The internal audit activity could provide false assurance or suffer audit failure, and either of these categories of risks could create reputation risks.

Rationale
Implementation Guide 2120 reminds us that the internal audit activity is not immune to risks. Risks to internal audit activities tend to fall into three broad categories: audit failure, false assurance, and reputation risks.

78
Q

Management is concerned with a recent increase in expenditures and lower profits in a division and has asked the internal audit activity to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The chief audit executive is concerned with the time pressure, because the internal audit department is heavily involved in a major legal compliance audit that has been requested by the audit committee. Which comment is correct regarding the assessment of risk associated with the two projects?

  1. Activities requested by the audit committee should always be considered higher-risk than those requested by management.
  2. The management-requested audit is low-risk since the root cause of this is simply poor sales, and management doesn’t want to hear it; the other project should not lose any resources.
  3. Activities with higher-dollar budgets should always be considered higher-risk than those with lower-dollar budgets.
  4. Risk should always be measured by the potential harm to the organization and the likelihood of that harm occurring.
A

4- Risk should always be measured by the potential harm to the organization and the likelihood of that harm occurring.

Rationale
Requests from management and the audit committee should both be considered by the internal audit department. Although an audit committee request is important, it is not always more important, nor does it always imply higher risk. The size of an activity’s budget is only one of many risk factors to consider. Risk is measured by the potential exposure to the organization in terms of impact and likelihood. This is the basic definition of risk given in the IPPF glossary.