Level 1 - Essentials of Internal Auditing Flashcards
A specific objective of an audit of an organization’s expenditure cycle is to determine if all goods paid for have been received and charged to the correct account. This objective would address which of the following primary objectives identified in the Standards?
I. Reliability and integrity of financial and operational information.
II. Compliance with laws, regulations, and contracts.
III. Effectiveness and efficiency of operations.
IV. Safeguarding of assets.
a. I and II only.
b. I and IV only.
c. I, II, and IV only.
d. II, III, and IV only.
b) I and IV only.
I. Correct. According to Standard 2130.A1: “The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:
- Achievement of the organization’s strategic objectives;
- Reliability and integrity of financial and operational information;
- Effectiveness and efficiency of operations and programs;
- Safeguarding of assets; and
- Compliance with laws, regulations, policies, procedures, and contracts.”
The specific engagement objective of determining if goods are charged to the appropriate account would address the objective regarding the reliability and integrity of information.
II. Incorrect. The specific engagement objective described does not address compliance.
III. Incorrect. The specific engagement objective described may address effectiveness of operations but does not address efficiency.
IV. Correct. The specific engagement objective of determining if all goods paid for have been received would address the objective regarding safeguarding of assets.
Which of the following is “mandatory guidance” in The IIA’s IPPF?
I. Implementation Guidance.
II. Code of Ethics.
III. The Core Principles for the Professional Practice of Internal Auditing.
IV. Standards.
a. I, II, and IV only.
b. II and IV only.
c. II, III, and IV only.
d. I, II, III, and IV.
c) II, III, and IV only
I. Incorrect. Implementation Guides are only recommended guidance; they are not mandatory guidance.
II, III, and IV. Correct. The IIA’s Code of Ethics, Core Principles for the Professional Practice of Internal Auditing, and the Standards are mandatory guidance.
Which of the following is a Core Principle for the Professional Practice of Internal Auditing?
a. Maintain confidentiality.
b. Promote an ethical culture in the internal audit profession.
c. Develop consistency in internal audit practices.
d. Is appropriately positioned and adequately resourced.
d)
a. Incorrect. This is a principle of The IIA’s Code of Ethics but not one of the Core Principles.
b. Incorrect. This is the purpose of The IIA’s Code of Ethics.
c. Incorrect. This is not a Core Principle, nor is it something even desirable across the internal audit profession, as practice will vary depending on organizational environment, culture, and level of maturity of the audit function.
d. Correct. This is one of the 10 Core Principles.
Which of the following types of IPPF guidance require(s) public exposure?
I. A new Implementation Guide.
II. A new standard.
III. A new Supplemental Guide for auditing cybersecurity.
IV. A new definition in the IPPF Glossary.
a. III only.
b. II and IV only.
c. II, III, and IV only.
d. I, II, III, and IV.
b) II and IV only
I. Incorrect. The Implementation Guides do not require public exposure prior to issuance; they only require internal IIA committee approval.
II. Correct. A new standard requires public exposure of 90 days.
III. Incorrect. Supplemental Guides do not require public exposure; they only require internal IIA committee approval.
IV. Correct. The Glossary is a part of the Standards. Thus, new definitions or changes to the definitions require 90-day public exposure.
Which of the following is a part of the Mission of Internal Audit?
a. Promoting an ethical culture in the profession of internal auditing.
b. Protecting organizational value.
c. Reducing the occurrence of fraud.
d. Respecting the value and ownership of information received and not disclosing information without appropriate authority.
b)
a. Incorrect. This is the purpose of the Code of Ethics.
b. Correct. The Mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
c. Incorrect. This is management’s responsibility. Internal audit evaluates the potential of fraud (Standard 2120.A2). Further, this is only one part of protecting organizational value.
d. Incorrect. This is the confidentiality principle from the Code of Ethics.
Which of the following is not a role of the internal audit activity in best practice governance activities?
a. Support the board in enterprisewide risk assessment.
b. Ensure the timely implementation of audit recommendations.
c. Monitor compliance with the corporate code of conduct.
d. Discuss areas of significant risks.
b)
a. Incorrect. The internal audit activity performs this role. The board and management are responsible for the identification of an appropriate risk model and methodology.
b. Correct. It is the role of management to ensure the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit activity works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.
c. Incorrect. The internal audit activity should monitor compliance with the corporate code of conduct set by the board and management.
d. Incorrect. The internal audit activity is responsible for discussing significant financial, technical, and operational risks and exposures and the plans to minimize such risks.
Which of the following is not true with regard to the internal audit charter?
a. It defines the authorities and responsibilities for the internal audit activity.
b. It specifies the minimum resources needed for the internal audit activity.
c. It provides a basis for evaluating the internal audit activity.
d. It should be approved by senior management and the board.
b)
a. Incorrect. The internal audit charter defines the necessary authorities and responsibilities.
b. Correct. The internal audit manual and annual audit plan help in determining the resource requirements.
c. Incorrect. The internal audit charter defines the role and responsibility of the internal audit activity and acts as a benchmark for evaluating the audit activity.
d. Incorrect. The internal audit charter should be approved by senior management and the board.
Which of the following is not a responsibility of the CAE?
a. To communicate the internal audit activity’s plans and resource requirements to senior management and the board for review and approval.
b. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication.
c. To oversee the establishment, administration, and assessment of the organization’s system of risk management processes.
d. To follow up on whether appropriate management actions have been taken on significant reported risks.
c)
a. Incorrect. This is a responsibility of the CAE, according to Standard 2020.
b. Incorrect. This is a responsibility of the CAE, according to Standard 2050.
c. Correct. This is the role of senior management and the board, not the CAE.
d. Incorrect. This is a responsibility of the CAE, according to Standard 2500.
The function of internal auditing, as related to internal financial reports, would be to:
a. Ensure compliance with reporting procedures.
b. Review the expenditure items and match each item with the expenses incurred.
c. Determine if there are any employees expending funds without authorization.
d. Identify inadequate controls that increase the likelihood of unauthorized expenditures.
d)
a. Incorrect. The Standards do not require internal auditors to ensure compliance with reporting procedures.
b. Incorrect. There is no expected match of funds flows with expense items in a single time period.
c. Incorrect. This would be a function of the personnel and/or finance departments.
d. Correct. Internal auditors are responsible for identifying inadequate controls.
In a well-developed management environment, the internal audit activity would:
a. Report the results of an audit engagement to line management as well as to senior management.
b. Conduct initial audits of new computer systems after they have begun operating.
c. Interface primarily with senior management, minimizing interactions with line managers who are the subjects of internal audit work.
d. Focus primarily on asset management and report results to the audit committee.
a)
a. Correct. In a well-developed management system, the internal audit activity is used to provide a more direct benefit to line operations by providing feedback to operating management as well as to senior management.
b. Incorrect. Emphasis should be placed on the audits of proposed products and systems. These early examinations could be used to determine the feasibility and/or desirability of changes before these changes are implemented.
c. Incorrect. The role of the internal auditor involves interfacing with management at the operating level as well as at the senior level.
d. Incorrect. Asset management would not be a primary focus of the internal audit activity.
A consulting activity appropriately performed by the internal audit activity is:
a. Designing systems of control.
b. Drafting procedures for systems of control.
c. Reviewing systems of control before implementation.
d. Installing systems of control.
c)
a. Incorrect. Designing systems is presumed to impair audit objectivity.
b. Incorrect. Drafting procedures for systems is presumed to impair independence.
c. Correct. Reviewing systems, even before implementation, is an activity appropriately performed by the internal audit activity and does not impair objectivity.
d. Incorrect. Installing systems of controls is presumed to impair independence.
A performance audit engagement typically involves:
a. Review of financial statement information, including the appropriateness of various accounting treatments.
b. Tests of compliance with policies, procedures, laws, and regulations.
c. Appraisal of the environment and comparison against established criteria.
d. Evaluation of organizational and departmental structures, including assessment of process flows.
c)
a. Incorrect. Financial audit engagements involve review of financial information.
b. Incorrect. Compliance audit engagements involve examining control procedures and their compliance.
c. Correct. Performance audit engagements involve review of performance against set criteria.
d. Incorrect. Operational audit engagements involve reviewing organizational and departmental structures.
Determination of cost savings is most likely to be an objective of:
a. Program audit engagements.
b. Financial audit engagements.
c. Compliance audit engagements.
d. Operational audit engagements.
d)
a. Incorrect. Program audit engagements address accomplishment of program objectives.
b. Incorrect. Financial auditing addresses accuracy of financial records.
c. Incorrect. Compliance auditing addresses compliance with requirements, including legal and regulatory requirements.
d. Correct. Operational auditing is most likely to address a determination of cost savings by focusing on economy and efficiency.
Senior management of an entity has requested that the internal audit activity provide ongoing internal control training for all managerial personnel. This is best addressed by:
a. A formal consulting engagement agreement.
b. An informal consulting engagement agreement.
c. A special consulting engagement agreement.
d. An emergency consulting engagement agreement.
a)
a. Correct. Such training should be planned and is continuous in nature. It should be subject to a consulting agreement that is formal and written to ensure that the needs and expectations of those that will be trained are recognized and satisfied.
b. Incorrect. This type of agreement applies more to routine tasks.
c. Incorrect. This type of agreement applies more to occasional, one-time special arrangements.
d. Incorrect. This type of agreement applies more to unplanned engagements.
An auditor is reviewing an organization’s plan for developing a performance scorecard. Which of the following potential performance measures should the auditor recommend excluding from the performance scorecard?
a. Product innovation.
b. Market share.
c. Customer satisfaction.
d. Employee development.
a)
a. Correct. Innovations in the production of goods or services do not typically lend themselves to ongoing performance measurement.
b. Incorrect. Key results in market share track changes to the organization’s competitive position.
c. Incorrect. Key results in customer satisfaction help predict future sales.
d. Incorrect. Key results in employee development help predict the ability to attract and retain good employees.
When assessing the risk associated with an activity, an internal auditor should:
a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.
b)
a. Incorrect. Determining how unacceptable risk should be managed is the role of management.
b. Correct. Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective.
c. Incorrect. Designing and updating the risk management process is the role of management.
d. Incorrect. Designing controls would impair the internal auditor’s independence.
An auditor, nearly finished with an engagement, discovers that the director of marketing has a gambling habit. The gambling issue is not directly related to the existing engagement and there is pressure to complete the current engagement. The auditor notes the problem and forwards the information to the CAE but performs no further follow-up. The auditor’s actions would:
a. Be in violation of The IIA’s Code of Ethics for withholding meaningful information.
b. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud.
c. Not be in violation of either The IIA’s Code of Ethics or Standards.
d. Both a. and b.
c)
a. Incorrect. The auditor is not withholding information because the information has been forwarded to the CAE. The information may be useful in a subsequent engagement in the marketing area.
b. Incorrect. The auditor has documented a red flag that may be important in a subsequent engagement. This does not violate the Standards.
c. Correct. There is no violation of either The IIA’s Code of Ethics or the Standards. See answers “a” and “b.”
d. Incorrect. See answers “a” and “b.”
Which of the following would be permissible under The IIA’s Code of Ethics?
a. In response to a subpoena, an auditor appeared in a court of law and disclosed confidential, audit-related information that could potentially damage the auditor’s organization.
b. An auditor used audit-related information in a decision to buy stock issued by the employer corporation.
c. After praising an employee in a recent audit engagement communication, an auditor accepted a gift from the employee.
d. An auditor did not report significant observations about illegal activity to the board because management indicated that it would resolve the issue.
a)
a. Correct. Auditors must exhibit loyalty to the organization but must not be a party to any illegal activity. Thus, auditors must comply with legal subpoenas.
b. Incorrect. Rule of Conduct 3.2 prohibits auditors from using audit information for personal gain.
c. Incorrect. Rule of Conduct 2.2 prohibits auditors from accepting anything that might be presumed to impair the auditor’s professional judgment.
d. Incorrect. Rule of Conduct 1.3 prohibits auditors from knowingly being a party to any illegal or improper activity. Significant observations of illegal activity should be reported to the board.
An internal auditor who encounters an ethical dilemma not explicitly addressed by The IIA’s Code of Ethics should always:
a. Seek counsel from an independent attorney to determine the personal consequences of potential actions.
b. Take action consistent with the principles embodied in The IIA’s Code of Ethics.
c. Seek the counsel of the audit committee before deciding on an action.
d. Act consistently with the employing organization’s code of ethics, even if such action would not be consistent with The IIA’s Code of Ethics.
b)
a. Incorrect. The auditor must act consistently with the spirit embodied in The IIA’s Code of Ethics. It would not be practical to seek the advice of legal counsel for all ethical decisions. Ethics is a moral and professional concept, not just a legal concept.
b. Correct. This is consistent with the concepts embodied in The IIA’s Code of Ethics.
c. Incorrect. It would not be practical to seek the audit committee’s advice for all potential dilemmas. Further, the advice might not be consistent with the profession’s standards.
d. Incorrect. If the organization’s standards are not consistent with, or as high as, the profession’s standards, the professional internal auditor should abide by the standards of the profession.
Audit committees are most likely to participate in the approval of:
a. Audit staff promotions and salary increases.
b. The internal audit report observations and recommendations.
c. Audit work schedules.
d. The appointment of the CAE.
d)
a. Incorrect. The company’s CAE is responsible for staff promotions.
b. Incorrect. The company’s CAE is responsible for approving internal audit reports.
c. Incorrect. This is a part of the internal audit activity’s planning function.
d. Correct. The independence of the internal audit activity is enhanced when the audit committee participates in naming the CAE.
Organizational independence exists if the CAE reports [List A] to some other organizational level than the CEO or similar head of the organization as long as the internal audit activity [List B] without interference:
a. List A: Administratively. List B: controls the scope and performance of work and reporting of results.
b. List A: Administratively. List B: approves the internal audit budget and risk-based internal audit plan.
c. List A: Functionally. List B: controls the scope and performance of work and reporting of results.
d. List A: Functionally. List B: approves the internal audit budget and risk-based internal audit plan.
a)
a. Correct. IIA Standard 1110 states that the CAE “must confirm to the board, at least annually, the organizational independence of the internal audit activity.” Organizational independence exists if the CAE: Reports functionally to the board, has direct and unrestricted access to the board, reports administratively to the CEO or a similar head of the organization, or reports administratively to some other organizational level so long as the internal audit activity controls the scope of work, performance of the work, and the reporting of results without interference.
b. Incorrect. See answer “a.”
c. Incorrect. See answer “a.”
d. Incorrect. See answer “a.”
The independence of the internal audit department may be impaired in which of the following situations?
a. The CAE reports functionally to the board of directors.
b. The internal audit department has unrestricted access to information, people, and records throughout the organization.
c. The CAE has an established reporting relationship with the audit committee.
d. The internal audit department has responsibility for the organization’s risk and compliance areas.
d)
a. Incorrect. Standard 1110 interpretation states: “Organizational independence is effectively achieved when the CAE reports functionally to the board.”
b. Incorrect.
c. Incorrect. According to IIA Practice Guide, Independence and Objectivity, direct and unrestricted access to the governing body allows the internal audit activity to be insulated from possible threats to independence.
d. Correct. The interpretation of Standard 1112 notes that organizational independence may be impaired or appear to be impaired if the CAE assumes roles/responsibilities outside of internal auditing. Standard 1112 states that if this occurs, safeguards must be in place to limit impairments to independence or objectivity.
To promote a positive image within an organization, a CAE planned to conduct assurance engagements that highlighted potential cost savings. Negative observations were to be omitted from the engagement’s final communications. Which action taken by the CAE would be considered a violation of the Standards?
I. The focus of the audit engagements was changed without modifying the charter or consulting the audit committee.
II. Negative observations were omitted from the engagement final communications.
III. Cost savings recommendations were highlighted in the engagement final communications.
a. I only.
b. I and II only.
c. I and III only.
d. II and III only.
b) I and II only
I. and II. Correct. The CAE dramatically changed the nature of the audit activity without consulting the audit committee or modifying the internal audit charter. Standard 1000 states that the purpose, authority, and responsibility of the internal audit activity must be formally defined in a charter. Standard 2400 requires that internal auditors communicate the engagement results. Standard 2420 states that communications must be accurate, objective, clear, concise, constructive, complete, and timely. The Interpretation further states that complete communications are lacking nothing that is essential to the target audience and include all significant and relevant information and observations to support recommendations and conclusions.
III. Incorrect. Highlighting potential cost savings is appropriate for an engagement final communication.
A scope limitation is a restriction placed upon the internal audit activity that precludes it from accomplishing its objectives and plans. When faced with a proposed scope limitation, the CAE should:
a. Refuse to perform the engagement until the scope limitation is removed.
b. Communicate the limitation and its potential effect, preferably in writing to the board.
c. Increase the frequency of engagements concerning the activity in question.
d. Assign more experienced personnel to the engagement.
b)
a. Incorrect. The engagement may be conducted under a scope limitation.
b. Correct. According to Standard 1130 - Impairment to Independence or Objectivity, impairments to organizational independence and individual objectivity may include scope limitations. The details of the impairment need to be disclosed, preferably in writing to the board.
c. Incorrect. A scope limitation does not necessarily require more frequent engagements.
d. Incorrect. A scope limitation does not necessarily require more experienced personnel.
The call center of an organization has requested that the internal audit department review procedures and controls during the implementation of a new process. The CAE should:
a. Not accept the engagement because recommending controls would impair future objectivity regarding this operation.
b. Not accept the engagement because internal audit activities are presumed to have expertise regarding accounting controls, not process controls.
c. Accept the engagement but indicate to management that, because recommending controls impairs independence, future engagements in the area will be impaired.
d. Accept the engagement because individual objectivity will not be impaired.
d)
a. Incorrect. According to PA 1120-1, recommending controls will not adversely affect the internal auditor’s objectivity. The auditor’s objectivity is considered impaired if the auditor designs, installs, drafts procedures for, or operates such systems.
b. Incorrect. The internal audit activity should be able to evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems (Standard 2120.A1).
c. Incorrect. See answer “a.” Independence is not impaired by making control recommendations.
d. Correct. Recommending standards of control for systems or reviewing procedures prior to implementation does not impair objectivity (PA 1120-1). Additionally, if the engagement is deemed to involve consulting services, objectivity is not required provided that any impairment thereof is disclosed to the client prior to acceptance of the engagement (Standard 1130.C2). See also IIA Practice Guide, Independence and Objectivity.
Which of the following actions would be a violation of auditor independence?
a. Continuing on an audit assignment at a division for which the auditor will soon be responsible as the result of a promotion.
b. Reducing the scope of an engagement due to budget restrictions.
c. Participating on a taskforce that recommends standards of control for a new distribution system.
d. Reviewing a purchasing agent’s contract drafts before their execution.
a)
a. Correct. An auditor who has been promoted to an operating department should not continue on an audit of that department. The CAE should reassign auditors if a conflict of interest or bias may be reasonably inferred.
b. Incorrect. Budget restrictions do not constitute a violation of an auditor’s independence.
c. Incorrect. An auditor may recommend standards of control for new systems. However, designing, installing, or operating such systems might impair objectivity.
d. Incorrect. An auditor may review contracts before their execution.
As part of a company-sponsored award program, an internal auditor was offered an award of significant monetary value by a division in recognition of the cost savings that resulted from the auditor’s recommendations. According to the International Professional Practices Framework, what is the most appropriate action for the auditor to take?
a. Accept the gift because the engagement is already concluded and the report issued.
b. Accept the award under the condition that any proceeds go to charity.
c. Inform audit management and ask for direction on whether to accept the gift.
d. Decline the gift and advise the division manager’s superior.
c)
a. Incorrect. Audit management should always be informed concerning any such offers.
b. Incorrect. Audit management should always be informed concerning any such offers.
c. Correct. Audit management should be consulted for guidance.
d. Incorrect. This could erode the audit activity’s relationship with the division in question. Audit management should first be informed and consulted for guidance.
A CIA, working as the director of purchasing, signs a contract to procure a large order from the supplier with the best price, quality, and performance. Shortly after signing the contract, the supplier presents the CIA with a gift of significant monetary value. Which of the following statements regarding the acceptance of the gift is correct?
a. Acceptance of the gift would be prohibited only if it were non-customary.
b. Acceptance of the gift would violate The IIA’s Code of Ethics and is prohibited for a CIA.
c. Because the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by the organization’s code of conduct.
d. Because the contract was signed before the gift was offered, acceptance of the gift would not violate either The IIA’s Code of Ethics or the organization’s code of conduct.
b)
a. Incorrect. Acceptance of the gift could easily be presumed to have impaired independence and thus would not be acceptable.
b. Correct. As long as an individual is a Certified Internal Auditor, he or she should be guided by the profession’s Code of Ethics in addition to the organization’s code of conduct. Rule of Conduct 2.2 of The IIA’s Code of Ethics would preclude such a gift because it could be presumed to have influenced the individual’s decision.
c. Incorrect. See answer “b.”
d. Incorrect. See answer “b.” Further, there is not sufficient information given to judge possible violations of the organization’s code of conduct. However, the action could easily be perceived as a kickback.
In which of the following situations would an auditor potentially lack objectivity?
a. An auditor reviews the procedures for a new electronic data interchange connection to a major customer before it is implemented.
b. A former purchasing assistant performs a review of internal controls over purchasing four months after being transferred to the internal audit activity.
c. An auditor recommends standards of control and performance measures for a contract with a service organization for the processing of payroll and employee benefits.
d. A payroll accounting employee assists an auditor in verifying the physical inventory of small motors.
b)
a. Incorrect. An internal auditor’s objectivity is not adversely affected when the auditor reviews procedures before they are implemented.
b. Correct. Standard 1130.A1 states that persons transferred to the internal audit activity should not be assigned to audit those activities that they previously performed until at least one year has elapsed.
c. Incorrect. An internal auditor’s objectivity is not adversely affected when the auditor recommends standards of control for systems before they are implemented.
d. Incorrect. Use of staff from other areas to assist the internal auditor does not impair objectivity, especially when the staff is from outside the area being audited.
An internal auditor assigned to audit a vendor’s compliance with product quality standards is the brother of the vendor’s controller. The auditor should:
a. Accept the assignment but avoid contact with the controller during fieldwork.
b. Accept the assignment but disclose the relationship in the engagement final communication.
c. Notify the vendor of the potential conflict of interest.
d. Notify the CAE of the potential conflict of interest.
d)
a. Incorrect. Even if the auditor avoided contact with the controller, there would still be the appearance of conflict of interest.
b. Incorrect. Situations of potential conflict of interest or bias should be avoided, not merely disclosed.
c. Incorrect. Conflicts of interest should be reported to the CAE, not the vendor or engagement client.
d. Correct. Implementation Guide 1130 – Impairment to Independence or Objectivity states that internal auditors should report to internal audit management any situations in which a conflict of interest or bias is present or may reasonably be inferred.
The CAE has assigned an internal auditor to perform a year-end engagement to evaluate payroll records. The internal auditor has contacted the director of compensation and has been refused access to necessary documents. To avoid this problem:
a. Access to records relevant to performance of engagements should be specified in the internal audit activity’s charter.
b. Internal audit should be required to report to the CEO of the organization.
c. By following the long-range planning process, access to all relevant records should be guaranteed.
d. Audit committee approval should be required for all scope limitations.
a)
a. Correct. The internal audit activity should have the support of management and the board in gaining cooperation from all engagement clients (PA 1110-1). Specific guidelines should be written in its charter authorizing access to records, personnel, and physical properties relevant to the performance of engagements (PA 1000-1).
b. Incorrect. The internal audit activity need not report to a specific individual in the organization, although reporting administratively to the CEO is desirable and recommended.
c. Incorrect. Following the long-range planning process provides no guarantee of access.
d. Incorrect. The internal audit activity should inform the board of any scope limitations, but its approval is not required.
A written charter approved by the board that formally defines the internal audit activity’s purpose, authority, and responsibility enhances its:
a. Exercise of due professional care.
b. Proficiency.
c. Relationship with management.
d. Independence.
d)
a. Incorrect. Due professional care is an attribute of work performed.
b. Incorrect. Proficiency is an attribute of the knowledge, skills, and other competencies possessed by internal auditors.
c. Incorrect. The internal audit activity’s relationship with management is a function of professionalism and relates to a working relationship.
d. Correct. According to PA 1100-1, objectivity and organizational status are a means of achieving independence. Therefore, the charter should establish the internal audit activity’s status within the organization, authorize access to information relevant to engagements, and define the scope of the internal audit activities (PA 1000-1).
To avoid creating conflict between the CEO and the audit committee, the CAE should:
a. Submit copies of all engagement communications to the CEO and audit committee.
b. Strengthen independence through organizational status.
c. Discuss all pending engagement communications with the CEO and the audit committee.
d. Request board establishment of policies covering the internal audit activity’s relationship with the audit committee.
d)
a. Incorrect. The CEO and audit committee most likely should receive summary reports.
b. Incorrect. Independence is not sufficient to avert conflict unless reporting relationships are well defined.
c. Incorrect. See answer “a.”
d. Correct. To avoid conflict between the CEO and the audit committee, the CAE should request that the board establish policies covering the internal audit activity’s relationships with the audit committee. The CAE should have regular communication with the board, audit committee, or other appropriate governing authority. Additionally, the board should approve a charter that defines the purpose, authority, and responsibility of the internal audit activity.
Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of engagements. Which of the following best promotes independence?
a. A policy that requires internal auditors to report to the CAE any situations in which a conflict of interest or bias on the part of the individual internal auditor is present or may reasonably be inferred.
b. A policy that prevents the internal audit activity from recommending standards of control for systems that it evaluates.
c. An organizational policy that allows engagements concerning sensitive operations to be outsourced.
d. An organizational policy that prevents personnel transfers from operating activities to the internal audit activity.
a)
a. Correct. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. Moreover, staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so. The CAE should periodically obtain from the internal audit staff information concerning potential conflicts of interest and bias, and internal auditors should report to the CAE any situations in which a conflict of interest or bias is present or may reasonably be inferred. The CAE should then reassign such auditors (PA 112-1 and PA 1130-1).
b. Incorrect. Internal audit may recommend standards of control for systems that it evaluates.
c. Incorrect. Outsourcing certain engagements does not promote the independence of the internal audit activity.
d. Incorrect. Transfers from operating activities to the internal audit activity usually are permitted. However, transferees should not be assigned to engagements concerning activities they previously performed until a reasonable period of time has elapsed.
According to the International Professional Practices Framework, internal auditors should possess which of the following skills?
I. Internal auditors should understand human relations and be skilled in dealing with people.
II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations from good business practices.
III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance, and IT.
IV. Internal auditors should be skilled in oral and written communication.
a. II only.
b. I and III only.
c. III and IV only.
d. I, II, and IV only.
d) I, II and IV only
I, II, IV. Correct. Internal auditors are expected to be able to recognize good business practices, understand human relations, and be skilled in oral and written communications.
III. Incorrect. Internal auditors are not expected to be experts in a wide variety of fields related to their audit responsibilities.
In selecting an instructional strategy for developing internal audit staff, a CAE should begin by reviewing:
a. Organizational objectives.
b. Learning content.
c. Learners’ readiness.
d. Budget constraints.
a)
a. Correct. Without objectives, there is no direction to achieve the strategy.
b. Incorrect. Without objective setting, content cannot be outlined.
c. Incorrect. Learners’ readiness should be considered after determining objectives.
d. Incorrect. Budget constraints should be considered later in the process.
When conducting a performance appraisal of an internal auditor who has been a below-average performer, it is not appropriate to:
a. Notify the internal auditor of the upcoming appraisal several days in advance.
b. Use objective, impartial language.
c. Use generalizations.
d. Document the appraisal.
c)
a. Incorrect. In a performance appraisal of a below-average performer, it is appropriate and advisable to notify the employee of the upcoming appraisal, use objective language, and document the appraisal.
b. Incorrect. See answer “a.”
c. Correct. It is not appropriate to use generalizations when giving a performance appraisal to a below-average performer. Rather, the evaluator must cite specific information and be prepared to support assertions with evidence.
d. Incorrect. See answer “a.”
A CAE for a very small internal audit department has just received a request from management to perform an audit of an extremely complex area in which the CAE and the department have no expertise. The nature of the audit engagement is within the scope of internal audit activities. Management has expressed a desire to have the engagement conducted in the very near future because of the high level of risk involved. Which of the following responses by the CAE would be in violation of the Standards?
a. Discuss with management the possibility of outsourcing the audit of this complex area.
b. Add an outside consultant to the audit staff to assist in the performance of the audit engagement.
c. Accept the audit engagement and begin immediately because it is a high-risk area.
d. Discuss the timeline of the audit engagement with management to determine if there is sufficient time to develop appropriate expertise.
c)
a. Incorrect. Outsourcing would be an appropriate response when auditors do not possess the needed background or skills and cannot develop such skills in a timely fashion.
b. Incorrect. Adding a consultant would be an appropriate response when auditors do not possess the needed background or skills and cannot develop such skills in a timely fashion.
c. Correct. Planning and executing the audit engagement without the appropriate background and skills would be in violation of Standard 1210. Standard 1210 requires that the internal audit department provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the audits to be performed. The auditors do not have such expertise.
d. Incorrect. Determining whether there is sufficient time and ability to develop such skills would be an appropriate response. Internal auditors should be committed to lifelong learning; thus, it would not be unreasonable to have them expand their knowledge and skillset.
The auditor-in-charge for a financial audit of a global organization has assigned specific tasks to team members and reserved for himself the responsibility of maintaining contact with the managers of financial departments in eight countries. In reviewing the workpapers of one auditor, the auditor-in-charge notes that some of the work is incomplete. The auditor explains that she is unfamiliar with the accounting practices and software systems used in this country and this has slowed her work considerably. How could the auditor-in-charge have managed this situation in a more efficient, effective manner?
a. Align auditor skills and knowledge with area needs before making assignments.
b. Allow more time in the schedule for the auditor to become more familiar with local practice and technology.
c. Work more closely with the audit client to secure more support for the assigned auditor.
d. Build enough slack into the schedule to deal with the types of problems that are likely to occur in a global project.
a)
a. Correct. The most efficient way to manage this situation is to avoid it through better planning. In this case, the knowledge and skills of audit team members should have been considered before making assignments. The auditor in question might have been assigned to a different country, or might have been teamed with an auditor who is more familiar with the country’s practices and technology. The other suggestions are not efficient solutions.
b. Incorrect. See answer “a.”
c. Incorrect. See answer “a.”
d. Incorrect. See answer “a.”
A CAE wants to build the strength of the function in the area of IT business continuity. The best way to accomplish this goal would be to:
a. Ask management to include internal audit in debrief sessions after an IT loss of service.
b. Provide consulting engagements on appropriate IT contingency plans.
c. Conduct a business impact analysis (BIA) for a test function.
d. Purchase software systems designed to assess IT risks.
a)
a. Correct. The best path mentioned is to request that internal auditors be included in debriefing sessions after incidents. This would allow the internal audit staff to learn more about the IT risks specific to the organization, the recovery needs for business processes, and the strengths and weaknesses of different contingency plans. The function cannot perform IT contingency planning audits without more expertise in this area and more knowledge about the organization’s needs and goals. A BIA would provide a greater sense of risks, but not necessarily of controls. Software systems are useful assessment tools but would not provide organizational business continuity knowledge on their own.
b. Incorrect. See answer “a.”
c. Incorrect. See answer “a.”
d. Incorrect. See answer “a.”
A CAE plans to make changes that may be perceived negatively by the audit staff. The best way to reduce resistance would be to:
a. Develop the new approach fully before presenting it to the audit staff.
b. Ask the CEO to approve the changes and have the CEO attend the departmental staff meeting when they are presented.
c. Approach the staff with the general idea and involve them in the development of the changes.
d. Get the internal audit activity’s clients to support the changes.
c)
a. Incorrect. Developing the plan and then presenting it to the audit staff would not help reduce their resistance to change.
b. Incorrect. Involving the CEO will not necessarily reduce the audit staff’s resistance to change.
c. Correct. Involving the staff in the change from the beginning will reduce their resistance to change.
d. Incorrect. Involving the internal audit activity’s clients will not necessarily reduce the audit staff’s resistance to change.
Of the following reasons for employees to resist a major change in organizational processes, which is least likely?
a. Threat of loss of jobs.
b. Required attendance at training classes.
c. Breakup of existing workgroups.
d. Imposition of new processes by senior management without prior discussion.
b)
a. Incorrect. Real or imagined loss of jobs is a common reason for employees to resist any change.
b. Correct. Employee training programs facilitate performing jobs in a new or different way.
c. Incorrect. Members of workgroups often exert peer pressure on one another to resist change, especially if social relationships are changed.
d. Incorrect. Lack of communication and discussion of the need for change threatens the status quo.
The internal audit activity has scheduled an engagement relating to a construction contract. One portion of this engagement will include comparing materials purchased with those specified in the engineering drawings. The internal audit activity does not have anyone on staff with sufficient expertise to complete this procedure. The CAE should:
a. Delete the engagement from the schedule.
b. Perform the entire engagement using current staff.
c. Engage an engineering consultant to perform the comparison.
d. Accept the contractor’s written representations.
c)
a. Incorrect. The engagement is within the scope of the internal audit activity.
b. Incorrect. Performing the engagement using current (unqualified) staff is inappropriate.
c. Correct. According to Standard 1210, auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities. Since the internal audit activity does not have anyone with the necessary expertise, the hiring of an engineering consultant would be appropriate.
d. Incorrect. Accepting the contractor’s representations without adequate testing is inappropriate.
What is the appropriate solution to resolve staff communication problems with engagement clients?
a. Provide staff with sufficient training to enhance communication skills.
b. Avoid unnecessary communication with engagement clients.
c. Discuss communication problems with staff auditors.
d. Meet with engagement clients to resolve communication problems.
a)
a. Correct. According to PA 1210-1, internal auditors should be skilled in oral and written communications so that they can clearly and effectively convey such matters as engagement objectives, evaluations, conclusions, and recommendations.
b. Incorrect. The issue is the quality rather than the quantity of communication.
c. Incorrect. Communication problems should be resolved through effective training.
d. Incorrect. Meeting with engagement clients will not resolve problems caused by poor staff communication skills.
To ensure that due professional care has been taken at all times during an engagement, the internal auditor should always:
a. Ensure that all financial information related to the audit is included in the audit plan and examined for nonconformance or irregularities.
b. Ensure that all audit tests are fully documented.
c. Consider the possibility of nonconformance or irregularities at all times during an engagement.
d. Communicate any noncompliance or irregularity discovered during an engagement promptly to the audit committee.
c)
a. Incorrect. The automatic inclusion of financial information in an audit does not guarantee that due professional care has been achieved for the audit as a whole.
b. Incorrect. Keeping detailed working papers does not ensure that due professional care has been taken during the tests.
c. Correct. Considering the possibility of nonconformance or material irregularities at all times during an engagement is the only way of demonstrating that due professional care has been taken in an internal audit assignment, according to Implementation Guide 1220 – Due Professional Care.
d. Incorrect. Due professional care does not require that all instances of noncompliance or irregularity be reported to the audit committee.
An internal auditor has some suspicion, but no evidence, of potential misstatement of financial statements. The internal auditor has failed to exercise due professional care if (s)he:
a. Identified potential ways in which a misstatement could occur and ranked the items for investigation.
b. Informed the engagement manager of the suspicions and asked for advice on how to proceed.
c. Did not test for possible misstatement because the engagement work program had already been approved by engagement management.
d. Expanded the engagement work program, without the engagement client’s approval, to address the highest ranked ways in which a misstatement may have occurred.
c)
a. Incorrect. Ranking the ways in which a misstatement could occur and seeking advice are consistent with the due professional care standard.
b. Incorrect. See answer “a.”
c. Correct. Due professional care requires the exercise of the care and skill expected of a reasonably prudent and competent internal auditor in the same or similar circumstances. Because engagement work programs are expected to be modified to reflect changing circumstances, the internal auditor would fail to exercise due professional care if he or she did not investigate a suspected misstatement solely because the engagement work program had already been approved.
d. Incorrect. See answer “c.”
An internal auditor should exercise due professional care in performing assurance engagements. Due professional care includes:
a. Establishing direct communication between the CAE and the board of directors.
b. Evaluating established operating standards and determining whether those standards are acceptable and being met.
c. Accumulating sufficient information so that the internal auditor can give absolute assurance that irregularities do not exist.
d. Establishing suitable criteria of education and experience for filling internal audit positions.
b)
a. Incorrect. Such communication promotes the independence of the internal audit activity rather than the performance of engagements with due professional care.
b. Correct. In the exercise of due professional care, an internal auditor should, among other things, consider the adequacy and effectiveness of risk management, control, and governance processes (Standard 1220.A1). Furthermore, adequate criteria are needed to evaluate controls. Thus, internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished (Standard 2120.A4). Internal auditors should evaluate the established operating targets and expectations and should determine whether those operating standards are acceptable and are being met (PA 2120.A4-1).
c. Incorrect. Assurance procedures alone, even when performed with due professional care, cannot guarantee that all significant risks will be identified (Standard 1220.A2).
d. Incorrect. Establishing suitable criteria of education and experience for filling internal audit positions pertains to proficiency, not due professional care.
Due professional care calls for:
a. Detailed review of all transactions related to a particular function.
b. Infallibility and extraordinary performance when the system of internal control is known to be weak.
c. Consideration of the possibility of material irregularities during every engagement.
d. Testing in sufficient detail to give absolute assurance that noncompliance does not exist.
c)
a. Incorrect. Detailed reviews of all transactions are not required.
b. Incorrect. Reasonable care and skill, not infallibility or extraordinary performance, are necessary.
c. Correct. Due care implies reasonable care and competence, not infallibility or extraordinary performance. Due care requires the internal auditor to conduct examinations and verifications to a reasonable extent, but does not require detailed reviews of all transactions. Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever an internal auditor undertakes an internal audit assignment (PA 1220-1).
d. Incorrect. Only reasonable, not absolute, assurance can be given.
A certified internal auditor performed an assurance engagement to review a department store’s cash function. Which of the following actions would be deemed lacking in due professional care?
a. Organizational records were reviewed to determine whether all employees who handle cash receipts and disbursements were bonded.
b. A flowchart of the entire cash function was developed, but only a sample of transactions was tested.
c. The final engagement communication included a well-supported recommendation for the reduction in staff, although it was known that such a reduction would adversely affect morale.
d. Because of a highly developed system of internal control over the cash function, the final engagement communication assured senior management that no irregularities existed.
d)
a. Incorrect. This review is a standard procedure.
b. Incorrect. Sampling is permissible. Detailed reviews of all transactions are often not required or feasible.
c. Incorrect. In exercising due professional care, internal auditors should be alert to inefficiency.
d. Correct. Internal auditors do not guarantee the absence of fraud. They are responsible for exercising due professional care, which includes evaluating the risk management, control, and governance processes that prevent or detect fraud and being alert to the significant risks that might affect objectives, operations, or resources (Standards 1220.A1 and 1220.A2). However, internal auditors cannot give absolute assurance that noncompliance or irregularities do not exist (PA 1220-1).
The internal audit activity has recently experienced the departure of two internal auditors who cannot be immediately replaced due to budget constraints. Which of the following is the least desirable option for efficiently completing future engagements, given this reduction in resources?
a. Using self-assessment questionnaires to address audit objectives.
b. Employing IT in audit planning, sampling, and documentation.
c. Eliminating consulting engagements from the engagement work schedule.
d. Filling vacancies with personnel from operating departments that are not being audited.
c)
a. Incorrect. Self-assessment questionnaires are a means of efficiently addressing the objectives of certain internal audits.
b. Incorrect. Use of technology is an appropriate means of achieving efficiencies in audit execution.
c. Correct. The audit schedule should only be reduced as a last resort once all other viable alternatives have been explored, including the request for additional resources.
d. Incorrect. Using operating personnel with internal audit interest and corporate experience is an appropriate way to enhance internal audit resources.