Flash Cards V1C2 - V1C2

1
Q
Question: V1C2-0001
What should the audit strategy be?
Answers
A: It should be knowledge based.
B: It should be cycle based.
C: It should be request based.
D: It should be risk based.
A

Answer Explanations
Answer (a) is incorrect because it does not consider risk as explicitly as choice (d).
Answer (b) is incorrect because it does not consider risk as explicitly as choice (d).
Answer (c) is incorrect because it does not consider risk as explicitly as choice (d).
Answer (d) is correct. Audits should be planned and conducted according to the risk level; that is, high-risk auditable areas should be reviewed first, followed by medium-risk areas, which are followed by low-risk areas. The medium and low-risk auditable areas should be reviewed only when audit resources are available.

2
Q
Question: V1C2-0002
Which one of the following items includes the other three items?
Answers
A: Inherent risk.
B: Control risk.
C: Audit risk.
D: Detection risk.
A

Answer Explanations
Answer (a) is incorrect. Inherent risk is the susceptibility of a management assertion to a material misstatement, assuming that there are no related internal control structure policies or procedures.
Answer (b) is incorrect. Control risk is the risk that a material misstatement in a management assertion will not be prevented or detected on a timely basis by the entity’s internal control structure policies or procedures.
Answer (c) is correct. Audit risk is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. It is the product of the other three risks: It is equal to inherent risk multiplied by control risk, which is multiplied by detection risk. Audit risk is an all-inclusive term here.
Answer (d) is incorrect. Detection risk is the risk that the auditor will not detect a material misstatement present in a management assertion.

3
Q
Question: V1C2-0003
Which of the following would not be considered in performing a risk analysis exercise?
Answers
A: System complexity.
B: Results of prior audits.
C: Auditor skills.
D: System changes.
A

Answer Explanations
Answer (a) is incorrect. It is considered in performing a risk analysis exercise.
Answer (b) is incorrect. It is considered in performing a risk analysis exercise.
Answer (c) is correct. Auditor skills become a consideration during audit scheduling. Risk analysis is done prior to the start of an audit, where factors such as system complexity, system changes, and results of prior audits are very important to consider. These factors determine whether an auditable area is high risk, medium risk, or low risk.
Answer (d) is incorrect. It is considered in performing a risk analysis exercise.

4
Q
Question: V1C2-0004
During a computer risk assessment process, which of the following would not be considered an auditable activity?
Answers
A: Application software.
B: Systems software.
C: Print software.
D: Telecommunications software.
A

Answer Explanations
Answer (a) is incorrect. It is an auditable activity due to its high-risk nature.
Answer (b) is incorrect. It is an auditable activity due to its high-risk nature.
Answer (c) is correct. The audit resources should be allocated to those areas where the risk level is the highest. Print software is low risk compared to the other three types of software to be reviewed by an auditor.
Answer (d) is incorrect. It is an auditable activity due to its high-risk nature.

5
Q

Question: V1C2-0005
Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The director of internal audit is concerned with the time pressure since the internal audit department is heavily involved in a major legal compliance audit that had been requested by the audit committee.
Which of the following comments are correct regarding the assessment of risk associated with the two projects?
I. Activities requested by the audit committee should always be considered higher risk than those requested by management.
II. Activities with higher dollar budgets should always be considered higher risk than those with lower dollar budgets.
III. Risk should always be measured by the potential dollar or adverse exposure to the organization.
Answers
A: I only.
B: II only.
C: III only.
D: I and III.

A

Answer Explanations
Answer (a) is incorrect. Requests from management and the audit committee should both be considered by the internal audit department. Although an audit committee request is important, it is not always more important, nor does it always imply higher risk (item I).
Answer (b) is incorrect. Risk is measured by the potential exposure to the organization. The size of the departmental budget is an important determinant, but is not a sufficient determinant (item II).
Answer (c) is correct. This is the basic definition of risk given in the IIA Standards (Item III).
Answer (d) is incorrect since it contains both correct and incorrect answers.

6
Q

Question: V1C2-0006
Management is concerned with a recent increase in expenditures and lower profits at a division and has asked the internal audit department to perform an operational audit of the division. Management would like to have the audit completed as quickly as possible and has asked the internal audit department to allocate all possible resources to the task. The director of internal audit is concerned with the time pressure since the internal audit department is heavily involved in a major legal compliance audit that had been requested by the audit committee.
Which of the following factors would be considered the least important in deciding whether existing internal audit resources should be moved from the ongoing legal compliance audit to the management-requested division audit?
Answers
A: A financial audit of the division by the external auditor a year ago.
B: The potential of fraud associated with the legal compliance audit.
C: The increase in expenditures at the division for the past year.
D: The potential for significant regulatory fines associated with the legal compliance audit.

A

Answer Explanations
Answer (a) is correct. The results of a financial audit would be the least relevant factor in prioritizing the auditor’s tasks because the financial audit will not resolve the question asked by management. Also, the financial audit was prior to the recent problems.
Answer (b) is incorrect. Fraud is one of the major factors to be considered in analyzing risk and identifying audit activities.
Answer (c) is incorrect. The increase in expenditures provides a benchmark for potential exposure or loss to the organization.
Answer (d) is incorrect. Fines imposed by regulatory agencies could represent a significant risk.

7
Q

Question: V1C2-0007
When gathering data, an audit team identified both subjective and objective criteria for measuring audit risk. Which one of the following risk factors is most objective?
Answers
A: Prior audit findings.
B: Size of the audit unit.
C: Comfort with operating management.
D: Changes in staff, systems, or the environment.

A

Answer Explanations
Answer (a) is incorrect. Assessment of prior audit findings is dependent on the auditor’s impressions and feelings.
Answer (b) is correct. The IIA Standards state, “Objective reports are factual. …” Sawyer states, “Every categorical statement, every figure, every reference must be based on hard evidence.” The size of the audit unit is a fact, and not affected by the auditor’s impressions and feelings.
Answer (c) is incorrect. Comfort with operating management is dependent on the auditor’s impressions and feelings.
Answer (d) is incorrect. Assessment of changes in staff, systems, or the environment is dependent on the auditor’s impressions and feelings.

8
Q

Question: V1C2-0008
The director of internal auditing was reviewing recent reports that had recommended additional audits because of risk and exposure to the company. Which of the following represents the greatest risk to the company and should be the next assignment?
Answers
A: Three prenumbered receiving reports were missing.
B: Several purchase orders were issued without purchase requisitions.
C: Payment had been made for routine inventory items without a purchase order or receiving report.
D: Several times cash receipts had been held over an extra day before depositing.

A

Answer Explanations
Answer (a) is incorrect. This is an important item, but most important items include whether cash disbursements are properly controlled and payment will not be made without verification of receipt. The receipts could have been voided and destroyed.
Answer (b) is incorrect. Some types of purchases do not require purchase requisitions, such as routine inventory acquisition. There is some risk in this, but it is not the greatest risk posed in the problem.
Answer (c) is correct. There is a great risk when cash payments can be made with no authorization. Several possible types of fraud could be occurring.
Answer (d) is incorrect. Unless other controls are missing, the largest risk would be the loss of a day’s receipts. This is a risk, but not the greatest risk.

9
Q

Question: V1C2-0009
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
Which department would most likely need a pure operational (nonfinancial) audit?
Answers
A: Production A.
B: Production C.
C: Purchasing.
D: Marketing.

A

Answer Explanations
Answer (a) is correct. A department causing production bottlenecks would seem to have problems with efficiency and effectiveness, and would thus warrant an operational audit.
Answer (b) is incorrect. There is no information given that would indicate that production C was particularly inefficient or ineffective.
Answer (c) is incorrect. There is nothing to indicate that purchasing has been particularly inefficient or ineffective.
Answer (d) is incorrect. There is nothing to indicate that marketing has been particularly inefficient or ineffective.

10
Q

Question: V1C2-0010
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
| Department | Assets | Annual Costs | Probability of Loss |
|---|---|---|---|
| Production A | $50,000 | $700,000 | 10% |
| Production B | 5,000,000 | 10,000,000 | 1% |
| Production C | 1,000,000 | 1,000,000 | 1% |
| Purchasing | 50,000 | 150,000 | 10% |
| Marketing | 50,000 | 500,000 | 10% |
| Shipping | 60,000 | 100,000 | 50% |
| Security | 10,000 | 100,000 | 90% |
| Travel | 6,000 | 30,000 | 50% |
What is the audit director’s most logical definition of risk of loss to be used in selecting auditees?
Answers
A: Amount of risk exposure times the probability of loss.
B: Amount of annual costs in department.
C: Probability of loss.
D: Amount of assets in a department.

A

Answer Explanations
Answer (a) is correct. Risk is a combination of the amount of assets exposed to risk times the probability of a loss occurring.
Answer (b) is incorrect. Annual cost is not a sufficient reason to conduct an audit. The amount of costs at risk times the probability of loss would be a better risk measure.
Answer (c) is incorrect. The probability of loss is not sufficient reason to conduct an audit. If only a few assets are involved (i.e., a petty cash fund), then audit resources can best be utilized elsewhere.
Answer (d) is incorrect. Quantity of assets is not a sufficient reason to conduct an audit. The amount of assets at risk times the probability of loss would be a better risk measure.

11
Q

Question: V1C2-0011
| Department | Assets | Annual Costs | Probability of Loss |
|---|---|---|---|
| Production A | $50,000 | $700,000 | 10% |
| Production B | 5,000,000 | 10,000,000 | 1% |
| Production C | 1,000,000 | 1,000,000 | 1% |
| Purchasing | 50,000 | 150,000 | 10% |
| Marketing | 50,000 | 500,000 | 10% |
| Shipping | 60,000 | 100,000 | 50% |
| Security | 10,000 | 100,000 | 90% |
| Travel | 6,000 | 30,000 | 50% |
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
The internal auditing department is assigned responsibility for investigating fraud by its charter. If obtaining access to outside media outlet records and personnel were not possible, the best action an auditor could take to investigate the allegation of marketing kickbacks would be to
Answers
A: Search for unrecorded liabilities from media outlets.
B: Obtain a list of approved media outlets.
C: Develop a financial/behavioral profile of the suspect.
D: Vouch any material past charge-off of receivables.

A

Answer Explanations
Answer (a) is incorrect. The issue is not unrecorded liabilities but direct financial kickbacks, which will not be determined by this action.
Answer (b) is incorrect. Although helpful in identifying possible sources of kickbacks, this action would not corroborate the allegation.
Answer (c) is correct. Developing a financial/behavioral profile may corroborate illegal income and provide a basis for tracing illegal payments.
Answer (d) is incorrect. Past charge-offs of receivables have no relation to kickbacks from a media outlet to a marketing manager.

12
Q

Question: V1C2-0012
The audit process is one of critical thinking, analysis, and careful evaluation. All mechanical procedures are integrated into a larger context of thoughtful inquiry. All audits include a description and analysis of internal controls. Auditees are selected in a number of ways, with risk being the primary basis for selection. The departments being considered for possible audit in the coming year and attributes of those departments are listed below.
| Department | Assets | Annual Costs | Probability of Loss |
|---|---|---|---|
| Production A | $50,000 | $700,000 | 10% |
| Production B | 5,000,000 | 10,000,000 | 1% |
| Production C | 1,000,000 | 1,000,000 | 1% |
| Purchasing | 50,000 | 150,000 | 10% |
| Marketing | 50,000 | 500,000 | 10% |
| Shipping | 60,000 | 100,000 | 50% |
| Security | 10,000 | 100,000 | 90% |
| Travel | 6,000 | 30,000 | 50% |
All of these departments except two are on the potential list of auditees because of a risk analysis performed by the audit director. Production Department A is on the list because the president thinks too many bottlenecks occur in that department. The marketing department is on the list because the chief of security received an anonymous phone call accusing a marketing manager of accepting substantial financial kickbacks from a media outlet. Internal controls seem adequate in all departments, with the possible exception of marketing.
If there is fraud in the marketing department, which of the following would be beyond the scope of the auditor’s responsibility?
Answers
A: Informing the wrongdoer of his or her legal rights.
B: Determining the effects of the wrongdoing.
C: Discussing the wrongdoing with an appropriate level of management.
D: Including the wrongdoing in a report that will go to the audit committee.

A

Answer Explanations
Answer (a) is correct. Informing the wrongdoer of legal rights is the responsibility of legal authorities.
Answer (b) is incorrect. This is a part of the auditor’s responsibility with respect to the discovery of fraud.
Answer (c) is incorrect. It is a part of the auditor’s responsibility.
Answer (d) is incorrect. It is a part of the auditor’s responsibility.

13
Q
Question: V1C2-0013
Which of the following auditable activities represents the greatest risk to a postmerger manufacturing corporation and would therefore most likely be subjected to an audit?
Answers
A: Combining imprest funds.
B: Combining purchasing functions.
C: Combining legal functions.
D: Combining marketing functions.
A

Answer Explanations
Answer (a) is incorrect. The usual size of imprest funds will not likely result in risk that matches a purchasing operation.
Answer (b) is correct. Of the four answers, the purchasing function typically represents significant risk for a manufacturing operation. In a merger of two manufacturers’ purchasing functions, that auditable area can be a source of even more significant risk.
Answer (c) is incorrect. Legal functions typically do not represent the magnitude of risk that a purchasing operation has.
Answer (d) is incorrect. Marketing functions may have identifiable risks but typically not as much as purchasing operations.

14
Q

Question: V1C2-0014
In planning an audit, the internal auditor should design audit objectives and procedures to address the risk associated with the activity. Risk is defined as
Answers
A: The risk that the balance or class of transactions and related assertions contain misstatements that could be material to the financial statements.
B: The probability that an event or action may adversely affect the activity under audit.
C: The failure to adhere to organizational policies, plans, and procedures, or not complying with relevant laws and regulations.
D: The failure to accomplish established objectives and goals for operations or programs.

A

Answer Explanations
Answer (a) is incorrect. This is the AICPA’s definition of inherent risk for financial statement audit purposes.
Answer (b) is correct. The IIA Standards specifically define risk as: “the probability that an event or action may adversely affect the activity under audit.”
Answer (c) is incorrect. It is listed in the Standards as a type of adverse action that can result from unmitigated risk.
Answer (d) is incorrect. It is listed in the Standards as a type of adverse action that can result from unmitigated risk.

15
Q

Question: V1C2-0015
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged. Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations. Which of the following would be the least important risk factor when considering the ability to integrate the two companies’ computer systems?
Answers
A: The number of programmers and systems analysts employed by each company.
B: The extent of EDI connections with vendors.
C: The compatibility of existing operating systems and database structures.
D: The size of company databases and the number of database servers used.

A

Answer Explanations
Answer (a) is correct. This is the least risky area because the number of analysts and programmers may be more of a reflection of operating philosophy (buying new applications versus developing them). This philosophy is unlikely to affect the probability of the event adversely affecting the operations. See IIA Standards for a description of risk and materiality concepts.
Answer (b) is incorrect. This is a risk area because one of the companies has little experience with dealing with EDI, and the complexity of computer communications in an EDI environment creates risk for those companies that have not yet established strong communication controls.
Answer (c) is incorrect. This is a high-risk factor because the two different systems must be made compatible to achieve the economy of objectives and strategic plans of a merged organization. The conversion from one system or database structure to another is risky because data or applications may be lost or modified. Employees will have to be retrained on the surviving system. There is always increased risk of error when people are not familiar with a computer system.
Answer (d) is incorrect. This is a heavy risk factor for all the reasons discussed in answer (c).

16
Q

Question: V1C2-0016
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
During the first meeting, a disagreement occurs over the approach taken regarding store compliance. The audit director for Company B questions Company A’s extensive use of store compliance testing, stating that the approach is neither responsive to materiality concepts nor an appropriate application of risk assessment. Company A’s audit director presents the following reasoning:
I. You have misconstrued materiality. Materiality is not based only on the size of individual stores; it is also based on the control structure that affects the whole organization.
II. Any deviation from a prescribed control procedure is, by definition, material.
III. The only way to ensure that a material amount of the company’s control structure is covered is to comprehensively audit all stores.
Which of the statements by the audit director of Company A are valid?
Answers
A: I only.
B: I and II only.
C: III only.
D: I, II, and III.

A

Answer Explanations
Answer (a) is correct. Materiality is defined by the potential impact of an item on the organization and is not limited to items that can be assessed only in quantitative terms.
Answer (b) is incorrect. There may be some control failures of a minor nature that would not be considered material.
Answer (c) is incorrect. Sampling approaches may be used to comprehensively cover the control structure of an organization.
Answer (d) is incorrect. Responses II and III are not correct. See answers (b) and (c).

17
Q

Question: V1C2-0017
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
The audit director for Company B decides to review selected store compliance audit reports issued by the internal audit department of Company A. Upon reviewing the reports, the director comments that most items included in the report are inappropriate because they are very minor and cannot be considered material. The director states that such reports would not be tolerated by the management of Company B. Which of the following assertions by the audit director of Company A are valid?
I. These are the kinds of reports we have provided since the company has been in operation, and they have served our company well.
II. The reports are consistent with management’s control philosophy and are an integral part of the overall control environment.
III. Materiality is in the eyes of the beholder. Any deviation is considered material by my management.
Answers
A: I only.
B: II only.
C: III only.
D: II and III.

A

Answer Explanations
Answer (a) is incorrect. It is difficult ever to justify an audit approach or reporting style based on tradition. It may indicate the audit director is not in touch with management or that management may not be adapting its control philosophy to substantive changes in the environment.
Answer (b) is correct. This could be very consistent with management’s philosophy and would be considered part of the overall control environment. Detailed internal audit review can be an integral part of an organization’s control structure.
Answer (c) is incorrect. There is a “user” component of materiality, but it would be difficult to consider every situation or deviation as material.
Answer (d) is incorrect. See answers (a) and (c).

18
Q

Question: V1C2-0018
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
In analyzing the differences between the two companies, the audit director of Company A notes that Company A has a formal corporate code of ethics while Company B does not. The code of ethics covers such things as purchase agreements and relationships with vendors as well as a host of other issues to guide individual behavior within the firm. Which of the following statements regarding the existence of the code of ethics in Company A can be logically inferred?
I. Company A exhibits a higher standard of ethical behavior than does Company B.
II. Company A has established objective criteria by which an individual’s actions can be evaluated.
III. The absence of a formal corporate code of ethics in Company B would prevent a successful audit of ethical behavior in that company.
Answers
A: I and II.
B: II only.
C: III only.
D: II and III.

A

Answer Explanations
Answer (a) is incorrect. Response I is not correct. The existence of a corporate code of ethics, by itself, does not ensure higher standards of ethical behavior. It must be complemented by follow-up policies and monitoring activities to ensure adherence to the code.
Answer (b) is correct. A formalized corporate code of ethics presents objective criteria by which actions can be evaluated and would thus serve as criteria against which activities could be evaluated.
Answer (c) is incorrect. Standards of ethical behavior, which would influence individual actions, can occur in other places than the corporate code of ethics. For example, there may be defined policies regarding purchasing activities that may serve the same purpose as a code of ethics. These policies also serve as criteria against which activities may be evaluated.
Answer (d) is incorrect. See response given for answer (c).

19
Q

Question: V1C2-0019
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
Company A’s audit director, who is also a CIA, faces an ethical dilemma. For an audit in process, persuasive evidence indicates that a top manager has been involved in insider trading. The extent and type of trading is such that the trading would be considered fraudulent. However, the findings were encountered as a side issue of another audit and are not considered relevant to the compatibility of the computer systems. Regarding this finding, which of the following is the audit director’s most appropriate action?
Answers
A: Discontinue audit work associated with the insider trading and report the preliminary findings to the company’s external legal counsel for their investigation. Report the legal counsel findings to management.
B: Discontinue audit work associated with the insider trading. Report the preliminary findings to the chairperson of the audit committee and recommend an investigation.
C: Continue work on the insider trading sufficient to conclusively establish whether fraudulent activity has taken place, then report the findings to the chairperson of the audit committee. Report the matter to government officials if appropriate action is not taken.
D: Discontinue audit work associated with the insider trading since it is not an integral part of the existing audit and the audit committee has established higher priority work for the auditors.

A

Answer Explanations
Answer (a) is incorrect. This response would not be appropriate because the internal auditors are not in a position to engage external legal counsel. Further, the findings should not be reported to management since they might be involved.
Answer (b) is correct. The audit director’s preliminary findings should be immediately reported to the audit committee, rather than management, because the audit committee is considered an organization one level above where the alleged fraud is taking place.
Answer (c) is incorrect. The Standards clearly indicate that the auditors report the suspected fraud to the appropriate levels of the organization to determine whether an investigation is undertaken. The auditors may not be in the best position to determine whether the trading is fraudulent and certainly are not in a position to report the information to government officials.
Answer (d) is incorrect. This would not be acceptable because the IIA’s Code of Ethics clearly indicates that auditors cannot be associated with any illegal or inappropriate behavior. Ignoring their findings would violate that standard of conduct.

20
Q

Question: V1C2-0020
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
The two organizations agree to share data on store operations. The data reveal that three stores in Company A are characterized by
• Significantly lower gross margins,
• Higher-than-average sales volume, and
• Higher levels of employee bonuses.
The three stores are part of a set of six that are managed by a relatively new section manager. In addition, the store managers of the three stores are also relatively new. The most likely cause of the observed data is
Answers
A: The relative inexperience of the store managers.
B: Problems with employee training and employee ability to meet customer needs.
C: Fraudulent activity whereby goods are taken from the stores, thus resulting in the lower gross margins.
D: Promotional activities that offer large discounts coupled with the payment of commissions to employees who reach targeted sales goals.

A

Answer Explanations
Answer (a) is incorrect. This might be a potential explanation for one store but is unlikely to occur at all three stores.
Answer (b) is incorrect. Although this might be a problem, the data tend to contradict it. Sales are increasing, which would indicate customer satisfaction.
Answer (c) is incorrect. There is not enough evidence to indicate that fraud might be present. In order for this hypothesis to hold true, there would have to be significant amounts of inventory shrinkage. This does not explain higher sales and bonuses.
Answer (d) is correct. This is the one explanation that could be supported by all the data elements and would thus form a hypothesis for subsequent audit testing.

21
Q

Question: V1C2-0021
Two major retail companies, both publicly traded and operating in the same geographic area, have recently merged.
Both companies are approximately the same size and have audit departments. Company B has invested heavily in information technology and has electronic data interchange (EDI) connections with its major vendors.
The audit committee has asked the internal auditors from both companies to analyze risk areas that should be addressed after the merger. The director of internal auditing of Company B has suggested that the two audit groups have a planning meeting to share audit programs, scope of audit coverage, and copies of audit reports that were delivered to their audit committees. Management has also suggested that the auditors review the compatibility of the companies’ two computer systems and control philosophy for individual store operations.
Assume the auditor concludes that the most reasonable explanation of the observed data in the prior question is that inventory fraud is taking place in the three stores. Which of the following audit activities would provide the most persuasive evidence that fraud is taking place?
Answers
A: Use an integrated test facility (ITF) to compare individual sales transactions with test transactions submitted through the ITF. Investigate all differences.
B: Interview the three individual store managers to determine if their explanations about the observed differences are the same, and then compare their explanations to that of the section manager.
C: Schedule a surprise inventory audit to include a physical inventory. Investigate areas of inventory shrinkage.
D: Take a sample of individual store prices and compare them with the sales entered on the cash register for the same items.

A

Answer Explanations
Answer (a) is incorrect. The ITF provides evidence only on the correctness of computer processing. It would not be relevant to the hypothesized rationale for the operating data.
Answer (b) is incorrect. Interviews provide a weak form of evidence and would be better if the auditor first has substantive documentary evidence.
Answer (c) is correct. If this type of fraud was occurring, it would result in inventory shrinkage. The surprise inventory count would be an effective audit technique.
Answer (d) is incorrect. The problem is with inventory shrinkage, not whether items are appropriately keyed in or scanned in at the cash register.

22
Q

Question: V1C2-0022
The first phase of the risk assessment process is to identify and catalog the auditable activities of the organization.
Which of the following would not be considered an auditable activity?
Answers
A: The agenda established by the audit committee for one of its quarterly meetings.
B: General ledger account balances.
C: Computerized information systems.
D: Statutory laws and regulations as they affect the organization.

A

Answer Explanations
Answer (a) is correct. The audit committee’s agenda for an audit committee meeting would not be an auditable activity, but may contain audit activities conducted by the audit function.
Answer (b) is incorrect because it is an auditable activity specifically identified in the IIA Standards.
Answer (c) is incorrect because it is an auditable activity specifically identified in the IIA Standards.
Answer (d) is incorrect because it is an auditable activity specifically identified in the IIA Standards.

23
Q

Question: V1C2-0023
The director of internal auditing for an organization has just completed a risk assessment process, identified the areas with the highest risks, and assigned an audit priority to each. Which of the following conclusions logically follow from such a risk assessment and are consistent with the IIA Standards?
I. Items should be quantified as to risk in the rank order of quantifiable dollar exposure to the organization.
II. The risk priorities should be in order of major control deficiencies.
III. The risk process, though quantified, is the result of professional judgments about both exposures and probability of occurrences.
Answers
A: I only.
B: III only.
C: II and III only.
D: I, II, and III.

A

Answer Explanations
Answer (a) is incorrect. Risk represents the probability that an event or action may adversely affect the organization. Although it may be most convenient to quantify those risks into dollars for ranking purposes, it is not required that they be quantified.
Answer (b) is correct. This is the essence of the risk process per the IIA Standards.
Answer (c) is incorrect. The risk priorities do not necessarily mean there are major control deficiencies in the area. The auditor may use the exposures as a basis to evaluate controls, but the controls may be in place.
Answer (d) is incorrect. Items I and II are incorrect. See the responses in answers (a) and (c).

24
Q

Question: V1C2-0024
Which of the following represents appropriate internal audit action in response to the risk assessment process?
I. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be performed by the internal auditing function.
II. The high-risk areas should be integrated into an audit plan along with the high-priority requests of management and the audit committee.
III. The risk analysis should be used in determining an annual audit work plan; therefore the risk analysis should be performed only on an annual basis.
Answers
A: I only.
B: II only.
C: III only.
D: I and III only.

A

Answer Explanations
Answer (a) is incorrect. The Standards incorporate the concept of coordinating work with the external auditor. There may be a number of factors that affect the Answer of work performed by the external auditors. However, there is no prohibition regarding high-risk or low-risk items.
Answer (b) is correct. The annual audit plan should integrate the risk analysis with requests from management and the audit committee.
Answer (c) is incorrect. The risk analysis should be updated for changes as they occur during the year.
Answer (d) is incorrect. Items I and III are not correct as noted in the responses to answers (a) and (c).

25
Q

Question: V1C2-0025
The internal auditor is considering performing risk analysis as a basis for determining which areas of the organization ought to be examined. Which one of the following statements is correct regarding risk analysis?
Answers
A: The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
B: The highest risk assessment should always be assigned to the area with the largest potential loss.
C: The highest risk assessment should always be assigned to the area with the highest probability of occurrence.
D: Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.

A

Answer Explanations
Answer (a) is correct. According to the Standards, the auditor could appropriately consider the extent of management judgments and accounting estimates as a risk factor.
Answer (b) is incorrect. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence. An area with the largest potential loss may have a very low expected loss.
Answer (c) is incorrect. Risk analysis should consider both the potential loss (or damages) and the probability of occurrence. An area with a high probability of occurrence may have a very small risk of potential loss associated with it.
Answer (d) is incorrect. Although it may be preferable in many circumstances to reduce items to quantitative terms, the concept of risk analysis is not limited to quantitative measures.

26
Q

Question: V1C2-0026
The director of internal auditing set up a computerized spreadsheet to facilitate the risk assessment process involving a number of different divisions in the organization. The spreadsheet included the following factors:
• Pressure on divisional management to meet profit goals.
• Complexity of operations.
• Competence of divisional personnel.
• The dollar amount of subjectively influenced accounts in the division, such as accounts where management’s judgment can affect the expense. Example: postretirement benefits.
The director used a group meeting of audit managers to reach a consensus on the competence of divisional personnel.
Other factors were assessed as high, medium, or low by either the director or an audit manager who had audited the division. The director assigned a weight ranging from 0.5 to 1.0 to each factor and then computed a composite risk score. Which of the following statements is correct regarding the risk assessment process?
Answers
A: The risk analysis would not be appropriate because it mixes both quantitative and qualitative factors, thereby making expected values calculation impossible.
B: Assessing factors at discrete levels such as high, medium, and low is inappropriate for the risk assessment process because the ratings are not quantifiable.
C: The weighting is subjective and should have been determined through a process such as multiple regression analysis.
D: Using a subjective group consensus to assess personnel competence is appropriate.

A

Answer Explanations
Answer (a) is incorrect. Risk analysis should consider all appropriate factors and need not be limited to quantitative or expected value calculations.
Answer (b) is incorrect. High, medium, and low may be the most precise measures available for the audit department and would therefore be acceptable assessments for the risk analysis process.
Answer (c) is incorrect. Subjective analysis is acceptable. It would be difficult to use multiple regression analysis to obtain a weighted average for the risk-weighting model because no criterion value exists to determine the weightings.
Answer (d) is correct. Audit managers have the experience to make such judgments. Group consensus tends to eliminate the extreme judgments that might occur with a single evaluator and would be an acceptable method.

27
Q

Question: V1C2-0027
Corporate management has just implemented a policy that every department must downsize by immediately cutting 10% of each department’s staff and budget. The director of internal auditing has reacted to the organization’s recent plans for “downsizing” (reducing the size of staff across the board) by notifying the audit managers that the time allocated for all jobs must be cut by 10%. Which of the following statements regarding the director’s action and potential manager’s action would be correct?
Answers
A: The director’s action should result in approximately the same amount of risk coverage as the previous audit plan, but reduced by 10%.
B: Individual audit managers can attain 90% of the previously defined audit coverage by uniformly cutting audit procedures by 10%.
C: The director should have reprioritized risks and cut out specific audit engagements, rather than cutting 10% across the board.
D: All of the above.

A

Answer Explanations
Answer (a) is incorrect. Cutting all jobs by 10% does not necessarily mean that the risks addressed will drop by 10%. The auditor should reprioritize the audit schedule to ensure the optimum coverage of risk with the more limited resources.
Answer (b) is incorrect. A uniform 10% reduction in audit procedures or audit scope may result in gathering insufficient evidence across a number of audit areas. The managers should consider cutting the scope of each audit to better address the major risks in the auditable unit.
Answer (c) is correct. This would be the preferred response and should enable the auditor to develop an optimum plan to cover the maximum amount of risk with the more limited resources.
Answer (d) is incorrect. Only answer (c) is correct.

28
Q

Question: V1C2-0028
Risk models or risk analysis is often used in conjunction with development of long-range audit schedules. The key input in the evaluation of risk is
Answers
A: Previous audit results.
B: Management concerns and preferences.
C: Specific requirements of the Standards.
D: Judgment of the internal auditor.

A

Answer Explanations
Answer (a) is incorrect. The informed judgment of the internal auditor is still required to assess the magnitude of risk posed by previous audit results.
Answer (b) is incorrect. To assess the risk posed by management concerns, informed judgment of the internal auditor is required.
Answer (c) is incorrect. The Standards do not specify the basic input to risk analyses.
Answer (d) is correct. In assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the auditor is required.

29
Q

Question: V1C2-0029
Directors may use a tool called “risk analysis” in preparing work schedules. Which of the following would not be considered in performing a risk analysis?
Answers
A: Financial exposure and potential loss.
B: Skills available on the audit staff.
C: Results of prior audits.
D: Major operating changes.

A

Answer Explanations
Answer (a) is incorrect because it is a factor that should definitely be considered in risk analysis.
Answer (b) is correct. This does not involve risk associated with potential auditees.
Answer (c) is incorrect because it is a factor that should definitely be considered in risk analysis.
Answer (d) is incorrect because it is a factor that should definitely be considered in risk analysis.

30
Q
Question: V1C2-0030
Factors that should be considered when evaluating audit risk in a functional area include
1. Volume of transactions.
2. Degree of system integration.
3. Years since last audit.
4. Significant management turnover.
5. (Dollar) value of “assets at risk.”
6. Average value per transaction.
7. Results of last audit.
Factors that best define materiality of audit risk are
Answers
A: 1 through 7.
B: 2, 4, and 7.
C: 1, 5, and 6.
D: 3, 4, and 6.
A

Answer Explanations
Answer (a) is incorrect. Although all items are used to define audit risk, not all factors are used to define materiality of audit risk.
Answer (b) is incorrect. Factors 2 and 4 cannot be quantified into materiality.
Answer (c) is correct. Factors 1, 5, and 6 can all be quantified into values, which can be measured into materiality.
Answer (d) is incorrect. Factors 3 and 4 cannot be quantified into materiality.

31
Q

Question: V1C2-0031
In an audit of a purchasing department, which of the following generally would be considered a risk factor?
Answers
A: Purchase specifications are developed by the department requesting the material.
B: Purchases are made against blanket or open purchase orders for certain types of items.
C: Purchases are made from parties related to buyers or other company officials.
D: There is a failure to rotate purchases among suppliers included on an approved vendor list.

A

Answer Explanations
Answer (a) is incorrect. It is a normal procedure; purchasing reviews the specifications only.
Answer (b) is incorrect. It is normal procedure for high-use items.
Answer (c) is correct. This invariably involves high risk.
Answer (d) is incorrect. An approved vendor list is often maintained as a control factor to help ensure that purchases are made only from reliable vendors. However, rotation is not usually appropriate.

32
Q

Question: V1C2-0032
Employees using personal computers have been reporting occupational injuries and claiming substantial workers’ compensation benefits. Working papers of an operational audit to determine the extent of company exposure to such personal injury liability should include
Answers
A: Analysis of claims by type of equipment and extensiveness of use by individual employees.
B: Confirmations from insurance carriers as to claims paid under workers’ compensation policies in force.
C: Reviews of documentation supporting purchases of personal computers.
D: Listings of all personal computers in use and the employees who are assigned to use them.

A

Answer Explanations
Answer (a) is correct. Claims analysis is an appropriate inclusion since it enables identification of the importance of the two key factors (equipment in use and time spent by employees at such equipment) in leading to claims.
Answer (b) is incorrect. This procedure fails to identify exposure to risks; it only supports claims paid by the carrier under the workers’ compensation policies.
Answer (c) is incorrect. Documentation supporting purchases of personal computers cannot customarily be expected to address risk assessments.
Answer (d) is incorrect. These data fail to indicate the risks associated with extent of usage and with type of equipment.